Privacy Policy

Last updated: April 2026

Stashback ("we", "us", or "our") provides a backup and restore service for Shopify merchants. This Privacy Policy explains what data we collect, how we use it, and your rights in relation to it.

1. Who we are

Stashback is operated by Stashback Ltd. Our service is accessible at mystashback.com and through the Shopify App Store. For privacy enquiries, contact us at our contact page.

2. Data we collect

2a. Store data (backup content)

When you run a backup, we retrieve data from your Shopify store via the Shopify Admin API and store it as an encrypted archive. Depending on your plan, this may include:

• Products, collections, inventory, and pricing
• Orders and order line items
• Customer names, email addresses, and shipping addresses
• Theme files and store assets
• Pages, blogs, articles, and navigation menus
• Discount codes and price rules
• Metaobjects and metafields
• Shipping profiles, locations, and store policies

This data is yours. We access it solely to perform the backup and restore services you request.

2b. Account and operational data

• Shop domain — used to identify your store and associate backup records
• Shopify access token — stored to allow the app to access your store on your behalf
• Subscription plan and status — used to enforce plan limits and process billing via Shopify
• Notification email — if you provide one, used only to send backup failure alerts
• Backup job records — metadata about each backup (size, status, timestamp); not the backup content itself

2c. Contact form

If you contact us via our website form, we collect your name, email address, and message. This data is used solely to respond to your enquiry.

3. How we use your data

• To create, store, and serve backups of your store
• To restore your store data when you request it
• To send backup failure notifications to your chosen email address
• To enforce plan limits and process billing through Shopify
• To maintain audit logs for security and compliance purposes

We do not sell your data. We do not use your store data for advertising or analytics.

4. Data storage and security

Backup archives are stored in Cloudflare R2 object storage. Pro plan merchants have their backups stored in both US and EU regions simultaneously. Operational data (subscription records, job metadata) is stored in a PostgreSQL database hosted on Heroku.

Access to stored data is restricted to authenticated requests. Shopify access tokens are stored encrypted at rest.

5. Data retention

Backup archives are retained according to your plan's history limit (e.g. 30, 90, or 365 days). Older backups are automatically deleted when a new backup would exceed your plan's storage cap.

When you uninstall Stashback, your session data is immediately deleted. All remaining data — backup archives and account records — is permanently deleted 48 hours after uninstall, in accordance with Shopify's GDPR requirements.

6. Your rights

Under GDPR and applicable data protection law, you have the right to:

• Access the personal data we hold about you
• Request correction or deletion of your data
• Object to processing of your data
• Data portability — you can download any backup archive from within the app at any time

To exercise any of these rights, contact us via our contact page.

7. Customer data within backups

Your backup archives contain personal data belonging to your customers (names, email addresses, order history). You are the data controller for this information; we process it as a data processor acting on your behalf.

When Shopify notifies us of a customer data deletion request (customers/redact), we log the request. Note that backup archives are point-in-time snapshots stored as binary files — individual customer records cannot be selectively redacted from an existing archive. If a customer requests complete erasure, we recommend deleting all backup archives that may contain their data from within the app.

8. Third-party services

• Shopify — we access your store via the Shopify Admin API under your authorisation. Shopify's privacy policy governs the Shopify platform.
• Cloudflare R2 — used to store backup archives. Cloudflare's privacy policy applies.
• Heroku (Salesforce) — used to host the application and database. Heroku's privacy policy applies.
• SendGrid (Twilio) — used to send backup failure notification emails if you configure an email address. SendGrid's privacy policy applies.

9. Cookies

The Stashback web app (embedded in Shopify admin) uses a session cookie to maintain your authenticated session. Our marketing website (mystashback.com) does not use tracking or analytics cookies.

10. Changes to this policy

We may update this policy from time to time. Material changes will be notified via the app or by email. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions or requests, please use our contact form.