Privacy Policy
Last updated: May 8, 2026
Pluck ("we", "us", "our") provides a Shopify application that imports product data from Amazon (title, description, images, variants, ratings, reviews) into your Shopify store and keeps stock and price in sync. This policy explains what data we collect when a merchant installs and uses the app, how we use it, and how it can be deleted.
1. Data we collect
When you install Pluck, we collect the minimum information required to operate the service:
- Shop identifier (myshopify.com domain) and OAuth tokens scoped to the permissions you approved during installation.
- Product, variant, location and inventory data from your store, fetched on demand via the Shopify Admin GraphQL API.
- Order metadata (created_at, line items, quantities) limited to imported products, used to surface basic sales counts on the dashboard. We do not store customer names, emails, addresses, or payment information.
- Product data scraped from Amazon for ASINs you ask us to import: title, brand, description, bullets, images, variants, specs, public review snippets, ratings.
- Affiliate tag preferences per region you configure (used to construct outbound Amazon links).
- Operational logs: request IDs, error traces, and webhook acknowledgements (no PII).
2. Customer (shopper) data
Pluck does not store any personally identifiable information about your customers (shoppers). We only read aggregated order metadata to compute basic sales totals on imported products. As a result:
- customers/data_request webhook: we acknowledge receipt and verify the HMAC signature, then return 200. There is no shopper data to export because we never stored any.
- customers/redact webhook: we acknowledge receipt and verify the HMAC signature, then return 200.
3. Shop data deletion
When you uninstall Pluck or delete your Shopify store, we handle the app/uninstalled and shop/redact webhooks and erase all data associated with your shop within 48 hours, including:
- OAuth session tokens
- License records
- Imported products, variants, price history, and Amazon-side review snippets
- Import sessions, onboarding state, and activity audit log
- Shop settings (affiliate tags, scraper / AI keys, etc.)
- Webhook audit logs older than 30 days
4. Sub-processors
We rely on the following sub-processors to operate the service:
- Fly.io — application hosting (EU region).
- Neon (or equivalent Postgres provider) — primary database (EU region).
- Resend — transactional email delivery (alerts, quota warnings, kill-switch notifications).
- Anthropic (Claude) and/or OpenAI — AI rewrite of product titles and descriptions. We send only the Amazon product data and the rewrite request; no shopper data is sent. Merchants can use their own API key (BYOK) or our managed quota.
- Amazon — public source of all product, variant, and review data being imported. Imports respect Amazon's robots and rate-limit guidance and use officially supported affiliate tags where applicable.
- ScraperAPI — managed scraping provider used by the app for Amazon and eBay. Pluck operates this service; merchants do not bring their own key.
- Shopify — destination of all imported product and inventory data.
A Data Processing Addendum (DPA) is available on request from the email below.
5. Retention
We retain merchant data for as long as the app is installed. After uninstall, all merchant business data is deleted within 48 hours. Webhook logs are kept for 30 days for audit and security purposes, then deleted.
6. Security
All traffic is served over HTTPS. OAuth access tokens and merchant BYOK API keys (scraper / AI provider) are stored encrypted at rest. We follow Shopify's app security requirements and the OWASP Top 10 guidelines.
7. International transfers
Data is processed in the European Union. If you are located outside the EU/EEA and use the app, your data is transferred to and processed in the EU under appropriate safeguards (Standard Contractual Clauses).
8. Your rights
You may request access, rectification, or deletion of your data at any time by emailing support@pluck.app or by uninstalling the app, which automatically triggers deletion.
9. Amazon Associates compliance
Pluck does not affiliate-tag links on your behalf without configuration. Outbound Amazon links use only the affiliate tag(s) you provide in Settings, scoped to the matching region. You are responsible for ensuring those tags are valid for the regions in which they are used. Pluck will refuse to inject a tag into a region where you have not configured one.
10. Changes to this policy
We may update this policy as the app evolves. The "Last updated" date at the top of this page reflects the most recent change.
11. Contact
For privacy questions, email support@pluck.app.