How it works Inbox Integrations Pricing
Sign in Get started

Privacy Policy

Last updated: May 2026

1. Who we are

Insy8 ("we", "us", "our") provides a merchant operations platform that connects to Shopify and other services to help merchants manage their customers, orders, and inventory. This policy explains what data we collect, how we use it, and your rights.

2. Data we collect and why

From Shopify (on behalf of merchants)

When a merchant connects their Shopify store, we sync the following data to operate the platform:

  • Customer profiles: name, email address, phone number, billing/shipping address, marketing consent flags
  • Order data: order identifiers, line items, financial totals, fulfilment status, linked customer
  • Product and inventory data: product titles, variants, SKUs, stock levels, location data
  • Shop metadata: store name, currency, timezone, Shopify plan

This data is used solely to provide Insy8 features to the merchant and their team. We do not use it for advertising, profiling, or any purpose beyond operating the service.

From merchants and their team members

  • Account information: email address, password (hashed, never stored in plain text)
  • Workspace activity: notes, comments, workflow actions taken within Insy8

Automatically collected

  • Operational logs: request metadata such as IP address, browser type, pages visited, and timestamps may appear in short-lived runtime logs for security and debugging. These logs are rotated during deployments and are not used as a persistent customer data store.

3. How we store and protect data

  • Application infrastructure runs on Amazon Web Services (AWS) in the eu-north-1 region (Stockholm, Sweden) within the EU/EEA
  • Primary application data is stored in Supabase PostgreSQL in eu-north-1 (Stockholm, Sweden), with encryption at rest
  • Background job data is processed through Redis Cloud in eu-north-1 (Stockholm, Sweden)
  • Privacy data exports (produced in response to customers/data_request webhooks) are stored as encrypted private artifacts in AWS S3 (eu-north-1, AES-256 server-side encryption). Exports expire automatically after 30 days and are deleted as part of processing a customers/redact or shop/redact webhook
  • All data in transit is encrypted via TLS/HTTPS
  • OAuth access tokens and API credentials are encrypted at the application layer before storage
  • Access to production data is restricted to authorised personnel only
  • Application secrets and credentials are stored in AWS Secrets Manager and are never exposed in source code or configuration files

4. Data sharing

We do not sell customer data. We share data only with:

  • Shopify — as the source of merchant and customer data via their API
  • Xero — if a merchant connects their Xero account, order and invoice data is exchanged
  • Amazon Web Services (AWS) — application hosting, secrets management, email delivery, and private artifact storage (eu-north-1, Stockholm, Sweden)
  • Supabase — our managed PostgreSQL database provider. Database infrastructure is located in eu-north-1 (Stockholm, Sweden), within the EU/EEA
  • Redis Inc. — provides the message broker used for background job processing in eu-north-1 (Stockholm, Sweden). No persistent customer profile store is maintained in Redis

All sub-processors are bound by data protection agreements and process data only as instructed.

5. Data retention and deletion

We retain synced Shopify data (customer profiles, orders, products) for as long as a merchant's Insy8 account is active. We do not keep data beyond what is needed to operate the service for that merchant.

When a merchant uninstalls the Insy8 app from their Shopify store, we receive a deletion request from Shopify. Shopify-origin data is removed from our systems in response to that request. A limited exception applies where we are required to retain records for legal or accounting obligations (for example, invoice records required under financial regulations); in those cases, customer-identifying fields are stripped and only the minimum financial record is preserved.

Individual Shopify customer data deletion requests (received via Shopify's customers/redact webhook) are processed within 30 days. All locally held copies of that customer's data — including CRM records, order links, SMS logs, and any private export artifacts — are permanently deleted or anonymised as part of that process.

Merchants may also request immediate deletion by contacting us at the address below.

6. Data access requests

When we receive a customers/data_request webhook from Shopify, we compile a machine-readable export of all data we hold for that customer and store it as a private, encrypted artifact. The export is delivered to the merchant through a short-lived secure download link (valid for 15 minutes) and is not transmitted via email body or stored in support logs. Exports expire automatically after 30 days.

7. Automated processing

Insy8 does not make automated decisions about individuals that produce legal or similarly significant effects. Data synced from Shopify is used only to display and organise information within the merchant's workspace. If this changes, we will update this policy and provide an opt-out mechanism before any such processing begins.

8. Your rights

Depending on your location, you may have rights under GDPR, CCPA, or other applicable law, including the right to access, correct, or delete personal data we hold about you. Requests should be sent to info@insy8.com.

Note: for data that originated from a Shopify store, the merchant is the data controller. End customers should contact the merchant directly for data requests.

9. Changes to this policy

We will update this page when the policy changes and revise the date at the top. Material changes will be communicated to merchants via email.

10. Contact

For privacy questions or data requests: info@insy8.com