AcostaLabsACOSTALABS

Privacy Policy — Auto Hide Out of Stock

Effective date: April 20, 2026 Last updated: April 20, 2026

This privacy policy covers Auto Hide Out of Stock (the "App"), a Shopify app developed and operated by Acosta Labs ("we," "us"). It describes what information the App collects, why it's collected, how it's stored, and the choices you have.

Who we are

  • App name: Auto Hide Out of Stock
  • Developer: Acosta Labs
  • Contact: [email protected]
  • App URL: https://inventory.acostalabs.com

Plain-language summary

The App helps Shopify merchants automatically change sold-out products to Draft status. It does not collect data about your customers. The only data we touch is:

  1. Your shop's domain name and Shopify OAuth credentials
  2. Information about your products — IDs, titles, SKUs, image URLs — strictly so we can deactivate and reactivate them
  3. Your app settings and subscription state
  4. Error traces when something breaks

We store this on a private server we operate directly. We don't sell it, don't share it for marketing, and we delete everything within 48 hours of you uninstalling the App.

What we collect

| Data | Source | Purpose | |---|---|---| | Shop domain (e.g. your-store.myshopify.com) | Shopify OAuth at install | Identify your store across sessions | | Shopify OAuth access token | Shopify OAuth at install | Make authorized API calls on your store's behalf | | Product IDs, titles, SKUs, featured image URLs | Shopify Admin API, at scan time | Show activity history and perform the deactivate/reactivate actions you configure | | App settings (scan frequency, days-inactive threshold, auto-reactivate toggle) | Your input in the App admin | Run the App on your schedule | | Subscription status and billing grace-period timestamps | Shopify Billing API webhooks | Determine whether your subscription is active | | Activity log entries (timestamp, product, SKU, action, method) | Generated by the App itself | Let you audit what the App has done | | Error traces (stack traces, shop domain tag) | Runtime errors in the App | Diagnose and fix bugs |

We do not collect:

  • Customer names, emails, addresses, or any other customer personal data
  • Order data
  • Payment data (Shopify handles billing; we only receive status signals)
  • Analytics or tracking cookies
  • Marketing identifiers

The App does not run on your storefront and cannot observe your customers.

Why we collect it

  • To operate the App. We need your shop domain, access token, and product data to do the one thing the App does: change product status based on inventory.
  • To bill you correctly. Shopify manages your subscription; we receive status webhooks (active, cancelled, expired, frozen) so we can gate access appropriately and honor free-tier exceptions.
  • To show you what happened. The activity log exists so you can audit every auto-deactivation and reactivation.
  • To fix bugs. When the App crashes, we capture a stack trace so we can reproduce and resolve the issue.

We do not use any of this data for marketing, profiling, training AI models, or any purpose unrelated to running the App.

Where it's stored

  • Primary database: PostgreSQL, running on an owner-operated private server behind Cloudflare's network. Not a third-party cloud database.
  • Error tracking: Sentry — we send stack traces and a shop domain tag so we can identify which store an error occurred on. No customer data is sent to Sentry.
  • Edge network: Cloudflare proxies traffic to the App. Cloudflare may log request metadata (IP, URL, timestamp) per its own privacy policy.
  • Shopify: your shop data lives in Shopify; we access it via their APIs and never sync it elsewhere.

Subprocessors

We use these third parties to operate the App. Each is listed with the data it processes and a link to their own privacy terms.

| Subprocessor | Purpose | Data shared | Their privacy policy | |---|---|---|---| | Shopify | Platform, billing, authentication | All App activity (they're the source) | https://www.shopify.com/legal/privacy | | Cloudflare | DNS, SSL, edge proxy | Request metadata (IP, URL) | https://www.cloudflare.com/privacypolicy/ | | Sentry | Error tracking | Stack traces, shop domain | https://sentry.io/privacy/ |

We do not add new subprocessors without updating this policy.

How long we keep it

  • While you have the App installed: we keep everything listed above.
  • When you uninstall: Shopify sends us an app/uninstalled webhook. Within 48 hours, we delete all your Session rows, Settings rows, and Activity Log rows from our database.
  • When you request customer data redaction (customers/redact): the App does not store customer data, so no action is needed — but we respond to confirm receipt.
  • When you request shop redaction (shop/redact): 48 hours after you uninstall, Shopify asks us to delete all shop data. We do, and confirm.
  • Sentry error traces: retained for up to 90 days, then automatically purged by Sentry.

Your rights

You can, at any time:

  • Export your data — email us at [email protected] and we'll send you your stored data within 30 days.
  • Delete your data — uninstall the App from your Shopify admin. All your data is deleted within 48 hours.
  • Request a copy of this policy in another format — email us.

If you're in the EU / UK (GDPR): you have rights to access, correct, erase, and port your data, and to object to or restrict processing. Contact us and we'll respond within 30 days.

If you're in California (CCPA): you have the right to know what data we collect, to delete it, and to opt out of any sale of personal information. We do not sell personal information.

Shopify's mandatory webhooks. Because we're a Shopify app, we respond to the following compliance webhooks automatically:

  • customers/data_request — we acknowledge receipt; there's no customer data to return.
  • customers/redact — we acknowledge receipt; there's no customer data to delete.
  • shop/redact — we delete all shop-scoped data (Sessions, Settings, Activity Logs).

Security

  • All traffic to and from the App is encrypted over HTTPS with certificates managed by Cloudflare.
  • The database is not exposed to the public internet; only the App itself can reach it, via an internal network.
  • Shopify access tokens are stored encrypted at rest and only loaded into memory when needed to make an API call.
  • The server is behind Cloudflare's edge network with Zero Trust routing; the underlying host has no open ports to the public internet.

International transfers

The App is operated from the United States. If you access it from outside the United States, you agree that your data may be transferred to and processed in the United States.

Children

The App is a business-to-business tool for Shopify merchants. It is not directed to children under 16 and we do not knowingly collect data about children.

Changes to this policy

If we change this policy, we'll update the "Last updated" date at the top. If the change is material (new subprocessor, new data category, change in purpose), we'll also email the contact address on your Shopify account at least 14 days before the change takes effect.

Contact

Questions, data requests, or complaints:

We respond within 5 business days.