DeadStock AI — Privacy Policy

Last updated: May 19, 2026

## 1. Who we are

DeadStock AI ("we", "us") is a software service that helps Shopify merchants identify and recover capital trapped in slow-moving inventory. The service is delivered as an embedded Shopify app installed on the merchant's store ("you", "the Merchant").

For privacy-related correspondence: brioodev@gmail.com.

2. What data we read from Shopify

When you install DeadStock AI, you grant us scoped access to your Shopify store via OAuth. We read the following resources via the Shopify Admin API:

Products — title, description, price, inventory levels, product type, variants, tags, images, collections.
Orders — order line items, subtotal, currency, timestamp. We DO NOT read customer addresses, phone numbers, or payment method data.
Shop metadata — domain, currency, time zone, contact email (used as the default digest recipient until you change it).
Inventory levels — quantity on hand, per location.

We DO NOT read or store:

Customer PII (names, addresses, phone numbers, emails of buyers).
Payment method details.
Themes, page content, blog content.
Discount codes you created outside DeadStock AI.

3. What we write back to Shopify

When you explicitly apply a recovery action through the dashboard, we may write to your Shopify store on your behalf:

Product updates — modified title, description, status (e.g. for hold-for-season).
Variant updates — modified prices (for one-click discount apply).
Automatic discounts — created via discountAutomaticBasicCreate.
Products — newly created bundle SKUs.
Tags + metafields — clearance tag, deadstock.no_restock metafield (for clearance flow).
Collections — adding/removing bundle products.

Every write is initiated by an explicit merchant action in the dashboard and is reversible for 24 hours via the Action Ledger.

4. What we store on our servers

Data we read from Shopify is stored in a PostgreSQL database hosted on Neon (Singapore region). The categories of data we persist:

Product mirror — title, description, price, inventory, tags, scoring history, dead-stock score, diagnostic hypotheses.
Order summaries — order id, line-item product references, subtotal, currency, timestamp (for sales velocity computation).
Recovery events — every action you applied, the pre-action snapshot, and whether/when it was undone.
Aggregated metrics — daily cash-trapped totals, recovery attribution.
Engagement signals — last-login timestamp, action counts, churn risk tier.
Communication logs — Resend message id + open/click status for the weekly digest.
Subscription state — plan, status, trial end date (mirrored from Shopify Billing).

We DO NOT persist:

Raw customer PII from your orders.
Order-level customer references beyond the anonymous Shopify customer id (we use it only to compute repeat-purchase counts; we never display it).

5. How long we keep your data

While installed: for the lifetime of the install plus 30 days of buffer (so reinstalls within a month restore your history).
After uninstall: we mark your shop as uninstalled, retain the data for 30 days for re-install recovery, then purge it. You can request immediate purge by emailing brioodev@gmail.com.
Uninstall feedback survey responses: retained indefinitely in aggregated, anonymised form (we don't tie them to your shop after the 30-day window).

6. GDPR + Shopify-mandated webhooks

We comply with Shopify's mandatory GDPR webhooks:

`customers/data_request` — when a customer asks for their data, we return the same data we report to the merchant (which excludes PII).
`customers/redact` — when Shopify asks us to redact a customer's data, we remove any anonymous customer-id references we may have stored. There are no customer-level PII rows to delete on our side.
`shop/redact` — fires 48 hours after a merchant uninstalls. We fully purge the shop's product / order / recovery / engagement / subscription rows and any associated Resend message metadata.

These webhooks are implemented in app/routes/webhooks.customers.data_request.tsx, app/routes/webhooks.customers.redact.tsx, and app/routes/webhooks.shop.redact.tsx.

7. Sub-processors

We use the following third-party services to operate DeadStock AI:

Service	Purpose	Data shared
Neon	PostgreSQL database (Singapore)	All persisted shop data
Vercel	App hosting (Singapore edge)	Request payloads + logs
Inngest	Background job orchestration	Job payloads (shop ids, action ids)
Resend	Weekly digest + uninstall feedback emails	Recipient email + email body
Google Gemini	AI rewrite generation + embeddings	Product title + description text (no PII)
OpenAI	Premium rewrite tier (optional, Pro only)	Product title + description text (no PII)
Sentry	Error monitoring	Stack traces + request metadata (PII-scrubbed)
PostHog	Product analytics	Pageview events, action counts (no PII)

We do NOT sell or share your data with marketing or advertising platforms.

8. How we protect your data

HTTPS everywhere. The app is served exclusively over TLS 1.2+.
OAuth tokens stored encrypted at rest by Shopify's Prisma session storage.
Resend uses TLS + signed DKIM domains.
Sentry data is PII-scrubbed before submission via a beforeSend hook.
Database credentials rotated quarterly.

9. Your rights

You can at any time:

Export the data we hold about your shop — email brioodev@gmail.com.
Request immediate purge of your shop's data — email brioodev@gmail.com.
Adjust which email address receives the weekly digest, from the Settings page.
Cancel your subscription — go to the Billing page and click "Downgrade to Free", or remove the app entirely from your Shopify admin.

10. Children's data

DeadStock AI is a B2B SaaS for Shopify merchants. We do not knowingly process data of anyone under 16.

11. Changes to this policy

We will post material changes here with an updated "Last updated" date and email a notice to the dashboard's marketing email at least 14 days before the change takes effect.

12. Contact

brioodev@gmail.com — we read every message.

Questions? brioodev@gmail.com