Privacy Policy
Effective date: June 26, 2026
This Privacy Policy explains how ArvoPeak (“we”, “us”) collects, uses, stores, and protects information when a merchant installs and uses Product Customization Forms (the “App”) on their Shopify store, and when that store’s customers interact with customization forms the App renders. By installing the App you agree to this Policy.
1. Information we collect
a. Merchant & store data (from Shopify)
- Your store domain (e.g.
your-store.myshopify.com) and store ID. - An access token issued by Shopify so the App can call the Shopify API on your behalf, limited to the scopes you approve (
read_products, write_products, read_publications, write_publications, write_cart_transforms). - Product information needed to attach forms, and details of an automatically created “Customization fee” product used to charge add-ons.
- Your subscription / plan status for billing managed by Shopify.
b. End-customer data (collected on your storefront)
- The answers customers enter into your customization forms. Because you design the forms, these may include a customer’s name, a personalization message, selected options, or other text you choose to ask for.
- Files customers upload (e.g. images or artwork) where you enable file-upload fields.
- A reference that links a submission to the resulting order line item, plus aggregate, non-identifying analytics (e.g. how often a field is filled).
read_orders scope or broad
customer/Protected Customer Data access. Customer answers travel with the order as native Shopify
line item properties; we only store the submission content you collect through your forms.2. How we use information
- To provide the App’s core function — rendering forms, validating input, storing uploads, and attaching answers to the cart and order.
- To create and publish the add-on “Customization fee” product so optional charges can be added to the cart.
- To link submissions to orders and produce aggregate analytics for the merchant.
- To enforce plan limits, provide support, prevent abuse, and meet legal obligations.
We do not sell personal data, and we do not use customer answers or uploads for advertising or for training models.
3. Storage, location & security
- Data is stored in a MySQL database on our dedicated server at
prd.arvopeak.com. - Uploaded customer files are stored encrypted at rest on the server disk and served over HTTPS.
- All traffic is encrypted in transit via TLS. Admin requests are authenticated with short-lived Shopify session tokens; the App sets no third-party tracking cookies.
- Access is restricted to authorized personnel on a need-to-know basis.
4. Sub-processors & sharing
We share data only with infrastructure providers strictly necessary to run the App:
| Provider | Purpose |
|---|---|
| Shopify Inc. | Hosting your store, OAuth, billing, and order data exchange |
| Server / hosting provider | Compute, database, and file storage for prd.arvopeak.com |
| Cloudflare, Inc. | CDN, TLS, and DDoS protection in front of our server |
We may disclose information if required by law or to protect our legal rights.
5. Data retention & deletion
- We retain submission data and uploads for as long as the App is installed, so they remain available alongside your orders.
- When you uninstall the App, we stop processing and delete or anonymize your store’s access token and data within 30 days.
- We honor Shopify’s mandatory GDPR compliance webhooks —
customers/data_request,customers/redact, andshop/redact— and respond within the required timeframe (within 30 days). Oncustomers/redactwe delete that customer’s submission content and uploaded files; onshop/redactwe erase the store’s data.
6. Your rights
Depending on your location (e.g. the EEA/UK under GDPR, or California under CCPA/CPRA), you or your customers may have rights to access, correct, export, or delete personal data, and to object to or restrict processing. Merchants can trigger deletion by uninstalling the App or by emailing us. A store’s customers should contact the merchant (the data controller); we act as the merchant’s processor and will assist with any verified request. Email [email protected] to exercise a right.
7. Children
The App is for use by merchants and is not directed to children. We do not knowingly collect data from children under 16.
8. International transfers
Your data may be processed in countries other than your own. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for such transfers.
9. Changes to this Policy
We may update this Policy from time to time. Material changes will be reflected by a new effective date on this page, and where appropriate we will notify merchants.
10. Contact us
ArvoPeak — [email protected]
Privacy policy URL: https://prd.arvopeak.com/privacy