Privacy Policy — CSV2Store
Effective date: 2026-05-30
Last updated: 2026-05-30
This Privacy Policy explains how CSV2Store (“we”, “us”, “our”) — operated by Nicoletta Furlani, Via Montegallo 142, 00138 Roma (RM), Italy — collects, uses, and protects information when you install and use the CSV2Store app for Shopify.
We act as a data processor on behalf of merchants (the Shopify store owner) for any data uploaded through the app, and as a data controller for account-level information about the merchant. Both roles are described below.
1. Who can use the app
CSV2Store is a B2B tool intended for Shopify store owners and their staff. We do not knowingly collect personal data of consumers, end customers, or people under 18.
2. What data we collect
2.1 Shop account data (controller)
When you install the app, Shopify provides us with the following information about your store, which we store on our servers:
- Shop domain (*.myshopify.com) — to identify your store across requests
- Owner email — for transactional emails (import completed/failed)
- Country, primary locale — locale-aware formatting + invoicing
- Shopify plan name — adapt rate limits to your plan tier
- Offline access token (via OAuth + Token Exchange) — to call the Shopify Admin API on your behalf
- Billing state — to track which CSV2Store plan you are on
The access token is stored encrypted at rest. We never share it.
2.2 Product files you upload (processor)
Each time you start an import, we temporarily store the uploaded file (CSV, TSV, XLSX, or JSON) in private, encrypted object storage. The file contains whatever you put in it — typically product titles, SKUs, prices, descriptions, image URLs, and inventory counts.
We do not require, expect, or look for customer personal data, order data, or payment information in these files. If you upload such data by mistake, contact us and we will erase the file on request (see §7).
2.3 Derived data we keep
For every import we persist a row in our database containing:
- File name, file size, detected format and encoding
- Number of rows parsed
- The AI-proposed column mapping and any user overrides
- Validation results (counts only; row contents are kept for the preview table — see §3 retention)
- Counts of products imported / skipped, timestamps
- LLM cost in USD (for our billing reconciliation)
2.4 Usage analytics (controller, opt-in)
If we have enabled analytics on the backend, we record anonymous product events: page views inside the embedded app, button clicks, and error events. These events are tagged with your shop id — not with personal identifiers of you or your customers.
You can opt out of analytics by emailing us; see §7.
2.5 Error monitoring (controller, opt-in)
If error monitoring is enabled, unhandled exceptions are reported to Sentry. Reports include the stack trace, request method/URL, the shop id, and request headers (sanitized of session tokens). They do not include file contents or merchant credentials.
2.6 Server logs (controller)
Like every web service, we log every request our backend handles. Logs contain timestamp, HTTP method, URL, status code, shop id, and (when relevant) import job id. File contents are never logged. Logs are retained for 30 days.
3. How long we keep your data
| Data | Retention |
|---|---|
| Shop account row | While the app is installed + 48h after shop/redact |
| Uploaded files (in storage) | 30 days from upload, then automatically deleted |
| Import job record + preview rows | While the app is installed + 48h after shop/redact |
| LLM mapping cache (presets) | While the app is installed + 48h after shop/redact |
| Server logs | 30 days |
| PostHog events (if enabled) | 90 days (PostHog default) |
| Sentry events (if enabled) | 90 days (Sentry default) |
When Shopify sends us a shop/redact webhook (typically 48h after you uninstall the app), we cascade-delete everything tied to your shop within 24h.
4. What we send to AI providers
To propose a column mapping, we send to our AI providers (see §5):
- The column headers of your file (e.g. item-name,seller-sku)
- A sample of the first 20 rows for context
We do not send the full file. The AI provider's terms forbid training on our API traffic by default (Anthropic and OpenAI both honour this for business API customers; see their data usage policies).
Once a mapping is proposed and you confirm it, all subsequent rows are processed locally on our worker — never sent to any AI provider.
We cache the AI-proposed mapping per shop, keyed by a SHA-256 hash of the sorted, lowercased column headers. The next time you upload a file with the same headers, mapping is instant and no data is sent to any AI provider.
5. Sub-processors
We rely on the following sub-processors. All of them are bound by their own DPAs and process data exclusively to deliver their service to us.
| Sub-processor | Purpose | Region |
|---|---|---|
| Anthropic | Primary LLM (column mapping) | United States |
| OpenAI (opt-in fallback) | Fallback LLM (only if Anthropic fails) | United States |
| Supabase | Postgres database + object storage | AWS eu-west-1 (Dublin, Ireland) |
| Railway | Application hosting (API + worker) | EU West (Amsterdam, Netherlands) |
| Vercel | Frontend hosting (embedded app) | Global edge |
| Resend (opt-in) | Transactional emails | United States |
| Sentry (opt-in) | Error monitoring | European Union |
| PostHog (opt-in) | Product analytics | European Union |
| Axiom (opt-in) | Log storage | United States |
| Stripe (via Shopify) | Billing — handled entirely by Shopify | n/a |
We may update this list with at least 30 days' notice published at this URL.
6. International transfers
Some sub-processors (Anthropic, OpenAI, Vercel, Resend, Axiom) operate outside the European Economic Area. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to safeguard these transfers, as referenced in each sub-processor's DPA.
7. Your GDPR rights
If you are in the EU, the UK, or another jurisdiction granting equivalent rights, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data (we comply automatically via the shop/redact webhook flow; you can also request manual erasure at any time)
- Restrict or object to processing
- Data portability — receive your data in a machine-readable format
- Lodge a complaint with your supervisory authority (in Italy, the Garante per la Protezione dei Dati Personali)
To exercise any of these rights, email us at devxxdevelop@gmail.com. We respond within 30 days.
8. End customers of your store
CSV2Store does not access, store, or process data about your customers, their orders, or their payment methods. Our app scopes are limited to:
- write_products
- write_inventory
- read_locations
- write_files
None of these grant access to the customers or orders resources of the Shopify Admin API.
When Shopify sends us customers/data_request or customers/redact webhooks (which Shopify is required to send to every app regardless of scope), our handlers log the request and respond 200 OK without taking any action, because we have no customer data to surface or erase.
9. Cookies and similar technologies
If product analytics are enabled (§2.4), PostHog sets a first-party analytics cookie inside the embedded app iframe. The cookie:
- Is scoped to app.csv2store.com only (not the merchant's storefront)
- Stores an anonymous, app-only identifier — not the merchant's personal data
- Expires after 1 year of inactivity
The app does not use third-party advertising cookies, retargeting pixels, or session replay.
10. Security
- All traffic to our backend is over TLS 1.2+.
- Supabase storage buckets are private; uploaded files are accessible only via short-lived (≤2h) presigned URLs.
- Access tokens are stored encrypted at rest.
- Webhook payloads from Shopify are HMAC-verified before any processing.
- Application secrets (API keys, signing secrets) are stored in encrypted environment variables on the hosting platform, not in source code.
We do not run a public bug bounty yet. Security disclosures are welcomed at devxxdevelop@gmail.com.
11. Children
CSV2Store is not intended for use by anyone under 18. We do not knowingly collect data from children.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via:
- A banner inside the embedded app for 14 days
- An email to the registered owner email of each installed shop
The “Last updated” date at the top reflects the most recent change.
13. Contact
For privacy questions, requests, or complaints:
- Email: devxxdevelop@gmail.com
- Postal: Nicoletta Furlani, Via Montegallo 142, 00138 Roma (RM), Italy
Data Protection Officer (DPO) contact: devxxdevelop@gmail.com