StorekeptBack to home

Privacy Policy — Storekept

Last updated: May 18, 2026

Effective date: May 18, 2026

1. Introduction

This Privacy Policy explains how Abdusamadbek Akhmadjonov, an individual based in Uzbekistan ("we", "us", "our", or the "Provider"), collects, uses, stores, shares, and protects information in connection with Storekept (the "App"), an embedded application available on the Shopify App Store.

The App automatically creates daily backups of a Shopify merchant's store and allows the merchant to restore that data with one click. To provide this service, the App necessarily processes data belonging to the merchant's Shopify store, which may include personal data of the merchant's own customers.

By installing or using the App, you ("Merchant" or "you") agree to the practices described in this Privacy Policy. If you do not agree, do not install or use the App.

2. Roles: Controller and Processor

  • For Merchant account data (your name, email, billing details, store domain): we act as a data controller.
  • For Shopify store data that the App backs up on your behalf — including any personal data of your customers — we act as a data processor. You, the Merchant, are the data controller of that store data. We process it solely on your documented instructions and solely to provide the backup and restore service.

Where required, a separate Data Processing Agreement (DPA) governs our processing of store data on your behalf. See Section 12.

3. Information We Collect

3.1 Merchant account data (we are controller)

  • Shopify store domain (*.myshopify.com) and store ID.
  • Merchant contact name and email address.
  • Billing and subscription status (subscription is processed through Shopify Billing; we do not store full payment card numbers).
  • App configuration and preferences (backup schedule, retention settings, plan tier).
  • Authentication tokens (OAuth access tokens issued by Shopify), stored encrypted.

3.2 Shopify store data backed up by the App (we are processor)

To deliver the backup and restore service, the App accesses and stores encrypted snapshots of the following store resources:

  • Products, variants, and collections
  • Customers — including customer names, email addresses, phone numbers, and physical addresses ("Protected Customer Data")
  • Themes and theme files
  • Pages, blogs, and articles
  • Navigation menus
  • Metafields and metaobjects
  • Files and media
  • Discounts and markets
  • Delivery profiles
  • Orders — export-only; see Section 5

We process customer personal data only as needed to create a faithful backup of your store and to restore that data at your request. We do not use it for any other purpose.

3.3 Technical and diagnostic data

  • Application logs, error reports, and stack traces.
  • Uptime and availability metrics (collected via UptimeRobot).
  • Job execution metadata for background backup/restore tasks.

We make reasonable efforts to minimize personal data in diagnostic data; logs are scoped to operational information rather than store content.

4. How and Why We Use Information

PurposeData usedLegal basis (where GDPR applies)
Create and store daily backup snapshotsShopify store dataPerformance of contract / controller's instructions
Restore store data on requestShopify store dataPerformance of contract / controller's instructions
Authenticate and operate the AppMerchant account data, OAuth tokensPerformance of contract
Billing and subscription managementMerchant account dataPerformance of contract
Error tracking and reliabilityTechnical/diagnostic dataLegitimate interest
Security, fraud prevention, abuse detectionAccount and technical dataLegitimate interest / legal obligation
Service-related communicationsMerchant contact dataPerformance of contract

We do not sell personal data. We do not use store data or customer personal data for advertising, profiling, or training machine-learning models.

5. Order Data Limitation

Orders can be exported as part of a backup, but cannot be restored into a Shopify store. Shopify's API does not permit recreating orders. Exported order data is included in snapshots so that you retain a copy, but a restore operation will never write orders back into your store.

6. Sub-Processors

We use the following third-party sub-processors to operate the App. Each processes data only as needed to deliver its function and is bound by contractual data-protection obligations.

Sub-processorFunctionData processedPrimary region
netcupVPS hosting — runs the application, the PostgreSQL database (app metadata), and Redis (job queue)App processing and transient store data in memory; merchant account data, configuration, audit logs; background job metadataEuropean Union
CloudflareEncrypted backup snapshot storage (R2) and CDNEncrypted store data snapshotsEuropean Union
ResendTransactional email delivery — backup-failure and restore-completed notificationsMerchant email address; notification message contentUnited States
UptimeRobotUptime monitoringAvailability metrics, endpoint URLsUnited States

We will provide reasonable prior notice of any new or replacement sub-processor so you may object. The table above is the current list of sub-processors; we update it here when it changes.

7. Data Storage and Geographic Location

  • The application is hosted on a netcup VPS running Dokploy, an open-source self-hosted application platform, located in the European Union.
  • App metadata is stored in a PostgreSQL database running as a container on that VPS.
  • Encrypted backup snapshots are stored in Cloudflare R2.
  • All data is encrypted in transit (TLS) and encrypted at rest.

Depending on sub-processor configuration, data may be processed or stored outside your country of residence — in particular, transactional email is handled by a sub-processor in the United States. Where personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms. This Policy is governed by the laws of Uzbekistan.

8. Data Retention

  • Backup snapshots are retained according to your plan tier (see our Data Retention Policy).
  • Merchant account data is retained for the duration of your subscription.
  • After the App is uninstalled, store data and backup snapshots are permanently deleted within 48 hours, in line with Shopify's shop/redact webhook.
  • Audit logs are retained for the period stated in our Data Retention Policy.

Full details are in our Data Retention Policy.

9. Shopify Mandatory Privacy Webhooks

The App implements the three mandatory Shopify privacy webhooks. We honor them as follows:

  • customers/data_request — When a customer of your store requests their data, Shopify notifies the App. We compile any personal data of that customer held in backup snapshots and make it available to you so you can respond to the data-subject request.
  • customers/redact — When a customer requests erasure, Shopify notifies the App. We delete or irreversibly redact that customer's personal data from our stored backup snapshots within the timeframe required by Shopify.
  • shop/redact — When a store uninstalls the App or requests redaction (typically ~48 hours after uninstall), we permanently delete all store data, backup snapshots, and associated metadata for that store.

10. Your Rights

Depending on your jurisdiction (e.g., GDPR, UK GDPR, CCPA/CPRA), you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing.

  • For Merchant account data (where we are controller), submit requests to team@storekept.relayt.uz.
  • For customer personal data within store backups (where we are processor), the data subject should contact the Merchant; the Merchant uses the App's tools and the Shopify webhooks above to fulfill the request.

We will respond within the timeframe required by applicable law. You may also lodge a complaint with your local supervisory authority.

11. Security

We protect data through encryption in transit and at rest, access controls, separated test and production environments, audit logging, and monitored infrastructure. A fuller description is in our Security Overview. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

12. Data Processing Agreement

For Merchants subject to GDPR or similar laws, a Data Processing Agreement is incorporated by reference and forms part of the agreement between you and us. Request a copy at team@storekept.relayt.uz.

13. Children's Data

The App is intended for use by businesses and is not directed to children. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the App or by email. The "Last updated" date reflects the most recent revision. Continued use of the App after changes take effect constitutes acceptance.

15. Contact

  • Operator: Abdusamadbek Akhmadjonov, an individual based in Uzbekistan.
  • Privacy contact: team@storekept.relayt.uz — for privacy questions, data-subject requests, and a postal address on request.
  • Data Protection Officer: none appointed; privacy questions are handled at the contact email above.