Privacy policy

Last updated: 2026-04-24.

Draft — pre-submission copy. This policy will have a legal review before the INT-060 Shopify App Review submission. The factual scope of data access below is accurate; wording will tighten.

Who we are

TrolleyRelay is operated by Stephen Mc Gowan (sole trader, Australia). We can be reached at support@trolleyrelay.com.

What we access

Shopify

When a merchant installs the TrolleyRelay Shopify app, we request access to:

Products, variants, and inventory — read and write, so we can mirror the ShopFront catalogue and keep stock levels in sync.
Metafields on variants — read and write, used to store pack-pricing metadata consumed by our Shopify Function.
Product media (images) — read and write, so product photos from ShopFront flow through to the storefront.
Discount Functions — we install a Function-backed automatic discount for pack pricing; we read/write the discount's configuration only.
Cart line data during function execution — read-only, inside Shopify's Function sandbox. Cart contents are not exfiltrated.
Orders (read-only) — to support future online-order routing to ShopFront. Customer personal details are not retained beyond what is needed to fulfil the order.

ShopFront

We access the ShopFront GraphQL API on the merchant's behalf using OAuth credentials they provide. Scope: product catalogue, inventory, and webhook receipts (BULK_INVENTORY_UPDATED, PRODUCT_UPDATED).

What we store

A cross-reference between ShopFront products and their Shopify counterparts, to enable deterministic updates.
Encrypted-at-rest credentials for both platforms (one set per merchant).
Structured audit logs of every sync action, retained for operational debugging and regulatory requirements.

Each merchant's data lives in a dedicated container with an isolated SQLite database. Data is never co-mingled with other merchants.

What we do not store

Customer personal information beyond what is already inside Shopify or ShopFront.
Payment details. TrolleyRelay never touches payment card data.
Cart contents or session state outside a Function execution window.

Shopify mandatory data-subject webhooks

We implement the Shopify customers/data_request, customers/redact, and shop/redact webhooks. A shop/redact triggers deletion of the merchant's entire dedicated instance (container, database, and backups) within the Shopify-mandated window.

Sub-processors

Fly.io — tenant container hosting (Sydney region for AU data residency).
Cloudflare — DNS, CDN, and R2 object storage for database replication.
Shopify — Shopify-managed platform data.

Contact

Privacy requests: support@trolleyrelay.com. We reply within 5 business days.