Privacy Policy

Last updated: June 5, 2026

This Privacy Policy explains what information the Upload Native app (“the app”, “we”) processes when a merchant installs it on their Shopify store, and how we handle it. The app lets a store’s customers upload files; those files are stored in the merchant’s Shopify Files, not on our own infrastructure.

What we collect

• From Shopify (Admin API): the shop domain, an app access token (to act on the store’s behalf), and the merchant’s subscription/plan.
• From the merchant: the app’s configuration (button text, allowed file types, size limits, required/optional).
• From customers (uploads): the file the customer chooses to upload, plus its filename, MIME type, and size. The file itself is uploaded directly to the merchant’s Shopify Files.

What we store — and what we never store

In our own database we store only file metadata: the shop domain, the Shopify File identifier and URL, the filename, MIME type, file size, the upload timestamp, and an opaque order/cart reference id generated by Shopify.

We do not store any customer personal information — no name, email, phone number, address, IP address, or payment data — anywhere in our systems. To see the customer associated with an order, the merchant follows the order reference into Shopify Admin, where that information already lives.

How we use it

We use the data solely to operate the app: to create the file in Shopify Files, to show the merchant a list of uploads, to enforce the plan’s monthly upload limit, and (on Shopify Plus) to fire a Shopify Flow trigger the merchant can automate against.

Retention

File metadata is retained for as long as the app is installed. When a store is removed or requests redaction, we delete that store’s metadata. The uploaded files themselves live in the merchant’s Shopify Files and are controlled by the merchant.

Data location and transfers

App requests and file metadata are processed on globally distributed cloud infrastructure. Where data is transferred across regions (including from the EU/EEA), it is handled under appropriate safeguards. The uploaded files reside in Shopify’s infrastructure.

GDPR and Shopify compliance webhooks

Because we store no customer personal data, customer data-request and customer-redaction webhooks have nothing to return or purge on our side. On a shop-redaction request we delete that shop’s stored metadata.

Sub-processors

• Shopify — hosting of uploaded files (Shopify Files) and the order/customer system of record.
• Cloud infrastructure provider — runs the app logic and stores the file metadata + app configuration.

Contact

For privacy questions or data requests, email [email protected] or visit our Support page.