Privacy Policy
Last updated: May 29, 2026
This Privacy Policy describes how Craft Lab, S.L.U. ("we", "us", "our"), a company registered in Spain, collects, uses, and shares information through the StockForge application (the "App"), available on the Shopify App Store. StockForge is a real-time inventory synchronization tool that Shopify merchants ("Merchants") install to keep stock levels consistent across products that share a SKU, across Shopify locations, and across product bundles and kits.
By installing or using StockForge, you agree to the practices described in this policy. For data we process from a Merchant's store on the Merchant's behalf, the Merchant is the data controller and we act as a data processor.
1. Information We Collect
When a Merchant installs StockForge, we collect:
- Shopify store information: store domain, store name, contact email, plan, country, currency, locale, and a Shopify access token (used to communicate with the Shopify Admin API on the Merchant's behalf).
- Account and billing information: subscription plan and billing status (managed through the Shopify Billing API).
- Configuration data: SKU group definitions, bundle and kit component mappings, location settings, low-stock thresholds, exclusion rules, alert preferences, and other settings you configure in the App.
To synchronize inventory, the App reads and writes the following data via the Shopify API:
- Product and inventory data: product and variant IDs and titles, SKUs, barcodes, inventory item IDs, inventory levels, and Shopify locations.
- Order and refund data: received via the read_orders scope and the orders and refunds webhooks. We use the line items, variants/SKUs, and quantities to adjust stock when sales and refunds occur. Order payloads delivered by Shopify may contain End Customer personal data (such as name, email, or address); StockForge only uses the line-item and quantity fields needed to adjust inventory and does not use End Customer personal data for marketing, advertising, or profiling.
We also collect limited operational data:
- Usage data: features used and actions taken within the embedded App, plus sync logs (what changed, when, and why).
- Technical data: IP address, browser and device information, and timestamps, used to operate and secure the service.
- Session data: a strictly necessary session identifier to maintain authenticated sessions within the Shopify admin iframe.
2. Permissions (OAuth Scopes) We Request
StockForge requests only the scopes required to synchronize inventory:
- read_inventory, write_inventory: read and update inventory levels across locations.
- read_products, write_products: read products and variants and update inventory-related fields.
- read_locations: identify your Shopify locations for multi-location sync.
- read_orders: detect sales and refunds so stock stays accurate.
3. How We Use Information
| Purpose | Data Used |
|---|---|
| Synchronize inventory across SKU groups, locations, and bundle/kit components | Product, variant, SKU, inventory, and location data |
| Adjust stock automatically when orders and refunds occur, to help prevent overselling | Order line items, variants/SKUs, and quantities |
| Generate configurable low-stock alerts | Inventory levels, thresholds, and alert recipients |
| Provide inventory analytics and reporting to Merchants | Aggregated inventory and sync data |
| Process the Merchant's subscription and billing | Plan and subscription status (via Shopify Billing) |
| Maintain, secure, and improve the App | Usage data, sync logs, and technical data |
We process personal data only to provide and improve the services described above. We do not sell personal data. We do not use personal data for advertising, profiling, or automated decision-making with legal or similarly significant effects, and we do not use Merchant or End Customer data to train artificial intelligence or machine-learning models.
4. How We Share Information
We share data only with the service providers that help us operate the App, under data processing agreements and solely for the purposes below:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Shopify, Inc. | Store, product, inventory, order, and billing data | The platform the App runs on, and our billing provider |
| Railway | Application data (hosting infrastructure) | Application hosting and database storage |
| Resend | Recipient email and notification content | Deliver service and low-stock notification emails |
We do not sell, rent, or trade personal data. We may also disclose information if required by law, regulation, legal process, or a governmental request, or in connection with a corporate transaction (with continued protection of your data).
5. Data Retention and Deletion
- Active accounts: we retain store, product, inventory, and configuration data for as long as the Merchant's StockForge subscription is active.
- After uninstallation: when a Merchant uninstalls StockForge, Shopify sends a shop/redact webhook approximately 48 hours later. Upon receipt, we delete or anonymize all data associated with that shop within 30 days.
- Customer data requests: upon a customers/data_request webhook, we provide any data we hold for the requested customer within 30 days.
- Customer data deletion: upon a customers/redact webhook, we delete or anonymize any personal data for the requested customer within 30 days.
- Logs: sync and diagnostic logs are retained for a limited period for security and troubleshooting and then deleted.
You may request earlier deletion at any time by emailing privacy@appwarp.io.
6. Data Security
We implement appropriate technical and organizational measures to protect data, including:
- Encryption of data in transit (TLS/HTTPS) and encryption of sensitive data, including access tokens, at rest.
- Shopify webhook HMAC signature verification with timing-safe comparison to prevent tampering.
- Server-side session handling backed by a secure PostgreSQL database (no sensitive data in client-side storage).
- Rate limiting on public-facing endpoints to prevent abuse.
- Least-privilege access controls, with access to store data restricted to authorized personnel.
- Security incident response procedures, including notifying Shopify within 24 hours of a suspected data breach.
7. International Data Transfers
Craft Lab, S.L.U. is based in Spain (European Union). Our infrastructure is hosted on Railway, which may process data in data centers located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses or adequacy decisions, in compliance with the GDPR.
8. Your Rights
You may access, update, or delete your data at any time within the App, or by contacting us at privacy@appwarp.io. Uninstalling StockForge triggers deletion of your store's data as described above.
If you are an End Customer of a Merchant using StockForge, the Merchant is the data controller for your personal data, and your primary point of contact is that Merchant; we act as a data processor on their behalf and will assist the Merchant in responding to your request. Under applicable laws (including the GDPR and Spanish Organic Law 3/2018), you may have the following rights:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate data.
- Right to erasure: request deletion of your personal data.
- Right to restriction: request that we limit how we process your data.
- Right to data portability: receive your data in a machine-readable format.
- Right to object: object to the processing of your personal data.
- Right to non-discrimination: we will not discriminate against you for exercising these rights.
We respond to valid requests within 30 days.
9. Cookies
StockForge uses a single, strictly necessary session cookie to maintain Merchant authentication within the Shopify admin iframe. This cookie does not track End Customers across websites, does not contain personal information, and is not used for advertising or analytics. It is required for the App to function. We do not use third-party tracking cookies or pixels.
10. Children's Privacy
StockForge is a business-to-business application intended for use by Shopify Merchants. We do not knowingly collect personal information from children under the age of 16. If we learn that we have collected such data, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Merchants of material changes by updating the "Last updated" date above and, where appropriate, within the App. Continued use of the App after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
- Craft Lab, S.L.U.
- NIF: B42627893 | VAT: ESB42627893
- Calle Leonardo Da Vinci 12A, Nave 8, 03203 Elche, Alicante, Spain
- Privacy: privacy@appwarp.io
- Support: support@appwarp.io
If you are located in the EU and are not satisfied with our response, you may lodge a complaint with your local Data Protection Authority. In Spain this is the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.