API SHIP Privacy Policy
API SHIP — Privacy Policy
Effective Date: March 16, 2026
This Privacy Policy explains how WS24 ("we," "us," or "our") collects, uses, stores, and protects information when you install and use the API SHIP application ("App") available on the Shopify App Store. This policy applies specifically to data processed through the App and Shopify APIs.
Data Controller: WS24, Luka Asatiani 61, 6010 Batumi, Georgia
Contact: [email protected]
1. Data We Collect
When you install API SHIP, the App requests specific Shopify API permissions (OAuth scopes) to function. We collect only the data necessary to provide the service.
1.1 Data from Shopify APIs
| Data Category | Specific Data | Purpose |
|---|---|---|
| Shop Data | Shop name, domain, email, plan, timezone, currency | Account management, connector configuration |
| Order Data | Order ID, line items, quantities, prices, financial status, fulfillment status | Execution of connector workflows (e.g., shipping label creation) |
| Customer Data | Customer name, email, phone, shipping address | Passed to third-party APIs as configured by you (e.g., courier services for delivery) |
| Product Data | Product title, SKU, weight, dimensions | Used in connector logic (e.g., rate calculation, inventory sync) |
| Webhook Events | Order creation/update, fulfillment events, app uninstall | Trigger automated connector executions |
1.2 Data You Provide Directly
- API Credentials: API keys and tokens for third-party services you connect (stored encrypted).
- API Documentation: URLs or text you submit for AI-powered connector generation.
- Connector Configuration: Field mappings, logic rules, and scheduling settings.
1.3 Automatically Collected Data
- Execution Logs: Request/response data from connector runs (PII is masked in logs).
- Usage Metrics: Number of executions, error rates, response times.
2. How We Use Your Data
- Connector Execution: Sending order and customer data to third-party APIs you have configured (e.g., courier services, ERP systems, CRMs).
- AI Connector Generation: Processing API documentation you provide through Google Gemini AI to automatically build connector templates.
- Self-Healing: Analyzing execution errors to suggest automatic fixes to your connector configuration.
- Billing: Tracking usage to apply subscription plan limits via Shopify Billing API.
- Support & Debugging: Using masked execution logs to diagnose issues you report.
We do not use your data for advertising, profiling, or any purpose unrelated to providing the App's functionality.
3. Third-Party Data Sharing
We share data only as necessary to operate the App. We do not sell or rent your data.
| Recipient | Data Shared | Purpose |
|---|---|---|
| External APIs (configured by you) | Order data, customer shipping addresses, product details — as defined in your connector mapping | Executing the integrations you set up (shipping, ERP, CRM, etc.) |
| Google Gemini AI | API documentation text you provide | AI-powered connector generation. No customer PII is sent to the AI model. |
| DigitalOcean | All App data (encrypted at rest) | Cloud infrastructure hosting (Frankfurt, EU region) |
| Shopify | Billing and subscription data | Payment processing via Shopify Billing API |
Important: You, the merchant, control which external APIs receive your data through connector configuration. We act as a data processor executing your instructions.
4. Data Security
- Encryption in Transit: All data transmitted via TLS 1.2+ (HTTPS).
- Encryption at Rest: API credentials and tokens stored using AES-256 encryption.
- PII Masking: Personally identifiable information is automatically masked in execution logs.
- Access Control: Database access restricted to application service accounts only. No shared credentials.
- Security Headers: Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Content-Security-Policy enforced.
- Webhook Verification: All incoming Shopify webhooks are verified using HMAC signature validation.
5. Data Retention
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Execution Logs | 90 days | Auto-purged after retention period |
| Connector Configurations | Until deleted by merchant | Manual deletion or app uninstall |
| API Credentials (encrypted) | Until deleted by merchant | Manual deletion or app uninstall |
| Shop Data | Duration of app installation | Deleted within 48 hours of app uninstall (shop/redact) |
| Customer PII | Not stored persistently | Passed through to external APIs in real-time; masked in logs |
6. GDPR Compliance & Data Subject Rights
We comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and applicable data protection laws. The App implements mandatory Shopify compliance webhooks:
6.1 Shopify Compliance Webhooks
| Webhook | Action | Timeline |
|---|---|---|
| customers/data_request | We compile and return all stored data associated with the specified customer | Within 30 days |
| customers/redact | We permanently delete all stored data associated with the specified customer | Within 30 days |
| shop/redact | We permanently delete all shop data, connectors, credentials, and execution logs | Within 48 hours |
6.2 Your Rights
- Right of Access: Request a copy of all personal data we hold about you.
- Right to Rectification: Request correction of inaccurate data.
- Right to Erasure: Request deletion of your data. We will comply within 30 days.
- Right to Data Portability: Request your data in a machine-readable format (JSON).
- Right to Restrict Processing: Request that we limit how we use your data.
- Right to Object: Object to data processing based on legitimate interest.
To exercise any of these rights, contact [email protected]. We will respond within 30 days.
7. AI Data Processing
API SHIP uses Google Gemini AI to analyze API documentation you provide and generate connector configurations. Only the API documentation text is sent to the AI model — no customer PII, order data, or merchant credentials are ever transmitted to the AI service. AI-generated connector templates are stored in our database and can be deleted at any time by removing the connector.
8. Data Breach Notification
In the event of a data breach that affects your personal data, we will notify you via email within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. We will also notify the relevant supervisory authority where required.
9. Cookies
The App operates as an embedded Shopify application and does not set its own cookies. Session management is handled through Shopify's App Bridge and session tokens. No third-party tracking cookies are used within the App.
10. Children's Privacy
The App is intended for use by Shopify merchants (business users) and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Effective Date" above. Continued use of the App after changes constitutes acceptance of the revised policy.
12. Contact Us
Privacy inquiries: [email protected]
General support: [email protected]
Address: WS24, Luka Asatiani 61, 6010 Batumi, Georgia