insy
How it works Inbox Integrations
Sign in Get early access

Privacy Policy

Last updated: April 2026

1. Who we are

Insy8 ("we", "us", "our") provides a merchant operations platform that connects to Shopify and other services to help merchants manage their customers, orders, and inventory. This policy explains what data we collect, how we use it, and your rights.

2. Data we collect and why

From Shopify (on behalf of merchants)

When a merchant connects their Shopify store, we sync the following data to operate the platform:

  • Customer profiles: name, email address, phone number, billing/shipping address, marketing consent flags
  • Order data: order identifiers, line items, financial totals, fulfilment status, linked customer
  • Product and inventory data: product titles, variants, SKUs, stock levels, location data
  • Shop metadata: store name, currency, timezone, Shopify plan

This data is used solely to provide Insy8 features to the merchant and their team. We do not use it for advertising, profiling, or any purpose beyond operating the service.

From merchants and their team members

  • Account information: email address, password (hashed, never stored in plain text)
  • Workspace activity: notes, comments, workflow actions taken within Insy8

Automatically collected

  • Server logs: IP address, browser type, pages visited, timestamps — retained for up to 30 days for security and debugging

3. How we store and protect data

  • Application infrastructure runs on Amazon Web Services (AWS) in the eu-north-1 region (Stockholm, Sweden) within the EU/EEA
  • All data is stored in a managed PostgreSQL database (Supabase) with encryption at rest
  • All data in transit is encrypted via TLS/HTTPS
  • OAuth access tokens and API credentials are encrypted at the application layer before storage
  • Access to production data is restricted to authorised personnel only
  • Application secrets and credentials are stored in AWS Secrets Manager and are never exposed in source code or configuration files

4. Data sharing

We do not sell customer data. We share data only with:

  • Shopify — as the source of merchant and customer data via their API
  • Xero — if a merchant connects their Xero account, order and invoice data is exchanged
  • Amazon Web Services (AWS) — our hosting infrastructure provider (eu-north-1, Stockholm, Sweden)
  • Supabase — our managed database provider. Database infrastructure is currently located outside the EEA; transfers are governed by Standard Contractual Clauses (SCCs) as provided by Supabase
  • Redis Inc. — provides the message broker used for background job processing. No persistent personal data is stored in Redis

All sub-processors are bound by data protection agreements and process data only as instructed.

5. Data retention and deletion

We retain synced Shopify data (customer profiles, orders, products) for as long as a merchant's Insy8 account is active. We do not keep data beyond what is needed to operate the service for that merchant.

When a merchant uninstalls the Insy8 app from their Shopify store, we receive a deletion request from Shopify. We retain data for up to 30 days after uninstall to allow for reinstallation, after which it is permanently deleted. Merchants may also request immediate deletion by contacting us at the address below.

Individual Shopify customer data deletion requests (received via Shopify's customers/redact webhook) are processed within 30 days.

6. Automated processing

Insy8 does not make automated decisions about individuals that produce legal or similarly significant effects. Data synced from Shopify is used only to display and organise information within the merchant's workspace. If this changes, we will update this policy and provide an opt-out mechanism before any such processing begins.

7. Your rights

Depending on your location, you may have rights under GDPR, CCPA, or other applicable law, including the right to access, correct, or delete personal data we hold about you. Requests should be sent to privacy@insy8.com.

Note: for data that originated from a Shopify store, the merchant is the data controller. End customers should contact the merchant directly for data requests.

8. Changes to this policy

We will update this page when the policy changes and revise the date at the top. Material changes will be communicated to merchants via email.

9. Contact

For privacy questions or data requests: privacy@insy8.com