Shipfreak Privacy Policy
This policy covers the Shopify apps Shipfreak — AI bundle checkout and Shipfreak — Upload POD ("the Apps"). It explains what data we access, what we store, what we send to third parties, and how to exercise your rights.
Who we are
The Apps are built and operated by Legacy Bridge / KiddieSketch LLC (New Jersey, USA). Contact: supportteam@shipfreak.com.
What data the Apps access in your Shopify store
When you install an App, you authorize a specific set of Shopify scopes. The Apps read and write only the data covered by those scopes. The current scopes per App:
| App | Reads | Writes |
|---|---|---|
| Shipfreak — AI bundle checkout | Products, orders, customers, discounts, themes, files, metaobjects, metaobject definitions | Discounts (automatic + product-level), order tags, theme app extension blocks, metaobjects (bundle definitions + offer state), metafields |
| Shipfreak — Upload POD | Orders, customers, products, inventory, locations, theme files | Order tags, order notes, order metafields, app metaobjects (suppliers + settings) |
What we store outside Shopify
- AI bundle suggestions and approval history (Bundle checkout): retained as long as the suggestion appears in your store's admin approval queue. When you approve, reject, or archive a suggestion, the underlying generation context is discarded.
- Offer publishing logs (Bundle checkout): minimal audit trail of when an offer was suggested, approved, and published. Retained for 90 days for support diagnostics, then deleted.
- AI generation prompts (Upload POD only): prompts are sent to Cloudflare Workers AI (primary) or Pollinations.ai (fallback when the free quota is exhausted). We do not retain prompts after the generation completes. Generated images are edge-cached on Cloudflare for 30 days under a non-personally-identifying URL.
What we do not store
- Customer payment information (Shopify handles this; we never see it)
- Personally identifying information beyond the order details Shopify shows you
- Customer browsing or device data outside what Shopify exposes
- Aggregated cross-merchant data for AI training (we never train models on your data)
Subprocessors
We share the minimum data necessary with these third parties to deliver the Apps' functionality. Each operates under their own privacy policy:
- Shopify — primary data home. Shopify Privacy Policy
- Cloudflare — Workers AI image generation + Pages hosting + edge cache. Cloudflare Privacy Policy
- Pollinations.ai (Upload POD only, fallback) — AI image generation when Cloudflare quota is exhausted. Pollinations.ai
- Make.com — workflow automation. Make.com Privacy Policy
- Supabase — encrypted backend storage for offer state and audit logs. Supabase Privacy Policy
GDPR + CCPA requests
To exercise your right to access, correct, delete, or port your data, email supportteam@shipfreak.com. We respond within 30 days.
Shopify also automates GDPR webhooks on our behalf. When a merchant uninstalls an App, or when a customer or shop initiates a redaction request via Shopify, our app receives the webhook and:
- customers/redact — we hold no customer-personal data outside Shopify, so the response is immediate confirmation
- shop/redact — we delete any persistent state tied to the shop (offer history, audit logs, cached prompts) and confirm
- customers/data_request — we return any customer data we hold (typically empty since storage is short-lived)
Data retention
| Data type | Retention period |
|---|---|
| Bundle suggestion queue (Shopify metaobjects) | Until approved / rejected / explicitly archived by the merchant |
| Offer publishing audit log (Supabase) | 90 days, then deleted |
| AI generation prompts (in transit only) | Not retained by us; provider terms govern their side |
| Generated images (Cloudflare edge cache) | 30 days, keyed by prompt |
| Order metafields (Shopify) | Until the merchant uninstalls the App or manually clears them |
| App-level settings (Shopify metafields) | Until the App is uninstalled |
Children's data
The Apps are merchant-facing tools. They do not knowingly collect data from children under 13. The Upload POD App's customer-uploaded sketches are processed under the merchant's privacy policy, not ours — merchants are responsible for compliance with COPPA and equivalent laws when their end customers may be children.
Security
All data transmitted to and from Shopify uses HTTPS. Shopify API tokens are stored in encrypted form on Shopify's side (we never see plaintext tokens). Our Make.com automation workflows store credentials in Make.com's encrypted connection vault. Supabase data is encrypted at rest. We do not back up Shopify data to our own servers.
International transfers
The Apps' backend infrastructure runs on Cloudflare's global edge network and Make.com (us2 zone by default). Image generations and edge-cached results may transit through United States data centers. By installing the Apps, you acknowledge these transfers.
Changes to this policy
We will update this policy when our data practices change. Material changes will be announced in the App's admin UI and via email to the merchant contact on file.
Contact
Privacy questions and GDPR / CCPA requests: supportteam@shipfreak.com
Partner / integration inquiries: bundle@shipfreak.com