Privacy Policy — Simple Request a Quote

1. Who We Are

Simple Request a Quote ("the App") is a Shopify app developed and operated by Texvion ("we," "us," or "our"). The App is distributed through the Shopify App Store and is installed by Shopify store owners ("Merchants") into their Shopify stores.

This policy explains what personal information the App processes, why, and how you can exercise your rights. It covers data about Merchants who install the App and data about Shoppers who submit quote requests through Merchant storefronts.

2. Data We Collect from Merchants

When a Merchant installs the App, Shopify shares standard store data with us so the App can function. We store:

• Shop identifier & access token: your myshopify.com domain and an OAuth access token, used to authenticate API calls back to Shopify on your behalf. The access token is encrypted at rest using AES-256-GCM.
• App settings: your configured success message, quote-number sequence, notification preferences, form field configuration, and conditional display rules (Pro plan).
• Billing state: your current plan (Free or Pro), subscription status, and the subscription ID returned by Shopify Billing. We do not receive or store payment card data — Shopify handles billing directly.
• Notification email (Pro plan): the email address you choose to receive new quote alerts at.

3. Data We Collect from Shoppers

When a Shopper submits a quote request through a Merchant's storefront, the App receives and stores the following on the Merchant's behalf:

• Contact details: name, email address, and phone number.
• Shipping address (Pro plan, optional): street, city, state/province, postal code, country, and any address notes — only collected when the Merchant enables the address field.
• Custom form fields (Pro plan): responses to any additional fields the Merchant has configured (e.g., company name, order quantity).
• Quote content: the list of products and variants added to the quote, their quantities, prices as displayed at the time of request, and the storefront currency.
• Optional message: any free-text note the Shopper adds to the request.

This data is classified as Protected Customer Data under Shopify's app policies. We only process it for the purposes described below, we never sell it, and we never use it to train machine learning models.

4. How We Use Data

We use the data listed above strictly to:

• Render the quote request popup on the Merchant's storefront.
• Deliver quote requests to the Merchant's admin inbox.
• Send optional notification emails to the Merchant when a new quote arrives (Pro plan).
• Send an optional branded confirmation email to the Shopper when the Merchant has the customer auto-reply enabled (Pro plan).
• Convert a quote into a Shopify draft order when the Merchant clicks "Convert to draft order," passing the line items, contact details, shipping address, and currency to Shopify.
• Enforce plan quotas (for example, the 10 quotes/month limit on the Free plan).
• Comply with legal obligations, respond to Shopify compliance webhooks, and prevent fraud or abuse.

We do not use quote data for marketing, analytics profiling, or resale.

5. Sub-processors

We rely on a small number of carefully selected sub-processors to run the App. Each is bound by a data processing agreement and provides comparable protections to those required by applicable law.

• Shopify Inc. — the platform the App runs on. All requests originate from or are destined for Shopify APIs.
• Supabase (AWS-hosted PostgreSQL): managed database that stores Merchant settings, quote records, and encrypted access tokens.
• Amazon Web Services (AWS SES): transactional email delivery for Merchant notifications and Shopper auto-reply emails (Pro plan only).
• Vercel: serverless hosting and edge delivery of the App's admin UI and webhook endpoints.

We will update this list when we add or remove sub-processors. Material changes are reflected in the "Last updated" date above.

6. Data Retention & Deletion

• While the App is installed: Merchant settings and quote records are retained for as long as the Merchant keeps the App installed, so that past quotes remain accessible in the admin.
• On uninstall: Shopify sends the App an app/uninstalled webhook. We immediately delete the Merchant's store record, which cascades to all quote records, form-field configuration, and session data.
• GDPR compliance webhooks: we honor Shopify's mandatory GDPR webhooks within 30 days of receipt:
  • customers/data_request — we return a copy of all quote data the App holds for the specified Shopper.
  • customers/redact — we permanently delete or irreversibly anonymize the specified Shopper's quote records.
  • shop/redact — we permanently delete all data associated with the specified store, 48 hours after Shopify confirms the store is closed.
• Backups: database backups may temporarily retain deleted records for up to 30 days before rotation.

7. Security

We apply the following technical controls:

• TLS 1.2+ for all data in transit.
• AES-256-GCM encryption of Shopify access tokens before they are written to the database.
• Database access limited to the App's serverless functions.
• HMAC verification on every Shopify webhook to reject forged requests.
• Least-privilege Shopify OAuth scopes (only what the App needs).
• Cross-site scripting protection: Shopper-provided input is HTML-escaped before it is rendered in Merchant email notifications.

No system is perfectly secure. If we become aware of a breach that affects your data, we will notify the Merchant promptly and, where required by law, notify affected Shoppers and regulators within the statutory timeframe.

8. International Transfers

The App and its sub-processors operate infrastructure in the United States and the European Union. Where personal data is transferred outside the EEA or UK, we rely on the European Commission's Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum.

9. Your Rights

9.1 Merchants

You can access, correct, or delete most of your App settings directly from the App admin. You can uninstall the App at any time to trigger deletion of all associated data.

9.2 Shoppers

Under GDPR, CCPA/CPRA, and similar privacy laws, you have the right to: access the personal data held about you, request correction or deletion, object to certain processing, and lodge a complaint with your local supervisory authority. Because the App processes Shopper data on behalf of the Merchant (the data controller), we recommend contacting the Merchant directly first. If you cannot reach the Merchant, or need to escalate, contact us at privacy@texvion.com and we will assist within 30 days.

10. Children

The App is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has submitted a quote request, contact the Merchant or us and we will delete the record.

11. Changes to This Policy

We may update this policy as the App evolves. The "Last updated" date at the top of this page will reflect any changes. If a change materially reduces your rights, we will notify the Merchant in-app or by email before it takes effect.