HiFromShop

Privacy Policy

Last updated: May 2026

HiFromShop (“the App”, “we”, “us”) is a Shopify app that enables merchants to upload and deliver personalized video messages and QR-code PDFs to their customers. This Privacy Policy explains what data we collect, how we use it, and your rights.

Data We Collect

Store Data (Required for Operation)

  • Shop domain (e.g. mystore.myshopify.com) — used to identify your store
  • Encrypted Shopify access token — used to call the Shopify Admin API on your behalf; encrypted at rest with AES-256-GCM
  • OAuth scopes granted — the permissions you approved during installation
  • Installation and uninstallation timestamps

Session Data

  • Session identifiers (random UUID v4) — used to authenticate API requests from your client application
  • Session creation and expiry timestamps
  • Sessions are automatically deleted after expiry (24 hours) or when you disconnect.

Content You Create

  • Video files (.mp4) — uploaded by you, transcoded to a web-friendly format and stored in secure object storage
  • Video metadata — the order ID, S3 object key, and a random viewing secret
  • PDF records — which orders you have linked to a PDF
  • PDF design templates — page dimensions, colors, fonts, text, and QR code layout you configure
  • Custom orders — order ID, customer name, and product description you manually enter

Data We Transiently Access (Not Stored)

  • Shopify order data (order name, creation date, pricing, fulfillment status, customer first/last name, line items) — fetched on demand when you view your orders and returned to your client; we do not store this data server-side
  • Shopify shop identity (shop ID, name, domain) — accessed only to validate your access token

Data We Do NOT Collect

  • Customer email addresses, phone numbers, or physical addresses
  • Payment information of any kind
  • Browser fingerprints, cookies, or tracking data
  • Analytics or telemetry about your usage of the App

How We Use Your Data

  • To authenticate your store and make Shopify Admin API calls on your behalf
  • To store and serve the videos and PDFs you upload
  • To merge Shopify order data with your locally stored content for display

We do not sell, share, or use your data for advertising, profiling, or any purpose beyond operating the App.

Data Storage and Security

  • Access tokens are encrypted at rest using AES-256-GCM with a 256-bit key
  • Videos are stored in AWS S3 object storage
  • All other data is stored in a database
  • All API communication is done over HTTPS
  • Security headers (HSTS, CSP, X-Frame-Options, etc.) are applied to all responses

Data Retention and Deletion

| Data Type | Retention |
| --- | --- |
| OAuth state nonces | Auto-deleted after 10 minutes |
| Session exchange codes | Auto-deleted after 60 seconds or first use |
| Sessions | Auto-deleted after 24 hours (or 7 days in review mode) |
| All store data | Deleted immediately when you manually disconnect, or 48 hours after uninstallation via Shopify’s shop/redact webhook |

When a store is deleted, all associated data is permanently removed: store credentials, sessions, OAuth states, exchange codes, video files, video metadata, PDF records, PDF templates, and custom orders.

Shopify GDPR Webhooks

We handle all mandatory Shopify GDPR webhooks:

  • customers/data_request — We do not store customer PII; we acknowledge the request
  • customers/redact — We do not store customer PII; nothing to redact
  • shop/redact — All data for the shop is permanently deleted

Your Rights

As a merchant using HiFromShop, you can:

  • Disconnect your store at any time (immediate deletion of all data)
  • Request information about stored data by contacting us
  • Uninstall the app to trigger the 48-hour deletion process

Third-Party Services

Your data is processed through:

  • Shopify — OAuth token exchange and GraphQL Admin API calls
  • AWS S3 — Video file storage
  • Redis — Background job queue (stores shop domain only in task payloads)

Contact

For privacy-related inquiries, please contact us at the support email listed on our Support page.

Changes

We may update this policy from time to time. The latest version will always be available at this URL.