Privacy Policy

1. Information We Collect

1.1 Personal Information

When you use Organizely, we may collect the following personal information:

• Name and contact information (email address, phone number)
• Account credentials and authentication information
• Company or organization information
• Billing and payment information (processed securely through Stripe)
• Profile information and preferences

1.2 Business Data

As a warehouse management system, we collect and process business data you provide:

• Inventory data (products, variants, stock levels)
• Warehouse configuration and layout information
• Order and transaction data
• Supplier and vendor information
• Integration data from connected platforms (Shopify, etc.)

1.3 Technical Information

We automatically collect certain technical information:

• IP addresses and device information
• Browser type and version
• Usage patterns and analytics data
• Log files and system performance data

1.4 Shopify Customer Data (Protected Customer Data)

When a Shopify merchant installs Organizely on their store, the app receives data about that store's shoppers (the merchant's customers) through the Shopify Admin API and webhooks. Shopify classifies this as protected customer data. We collect only the minimum fields required for the app to function as described to the merchant, and we use that data exclusively to operate the merchant's inventory and order workflows inside Organizely.

Specific Shopify customer fields we collect, why, and from where:

• Customer name (first / last) — collected from orders/create, orders/updated, orders/cancelled webhooks and the Admin API. Used to display the buyer on the merchant's order detail and packing slip views in Organizely.
• Customer email address — collected from order webhooks. Used to display contact info on the merchant's order detail view and to deduplicate repeat buyers in analytics. We do not email shoppers directly from Organizely.
• Shipping address — collected from order webhooks. Used to render the address on the merchant's packing slip and pick list, and to attribute orders to fulfillment locations.
• Billing address — collected from order webhooks. Used to display on the merchant's order detail view for tax and dispute reference.
• Customer phone number — collected from order webhooks. Used by the merchant to contact buyers about fulfillment exceptions through their own channels.

What we do NOT collect: shopper browsing behavior, cart events, marketing consent state, password hashes, payment card numbers, social profile data, or any data not directly tied to a placed order. We do not request access to the read_customers scope.

Data minimization commitment: we periodically review the protected customer data fields we receive and remove any field that is no longer required for the merchant-facing functionality described above.

No sale or sharing: we do not sell, rent, monetize, or share Shopify customer data with advertising networks, data brokers, AI training providers, or any third party other than the sub-processors listed in Section 3.1. Shopify customer data is never used to train machine learning models.

2. How We Use Your Information

We use the collected information for the following purposes:

• Providing and maintaining the Organizely service
• Processing transactions and managing billing
• Improving our service and developing new features
• Providing customer support and technical assistance
• Sending important service updates and notifications
• Ensuring security and preventing fraud
• Complying with legal obligations

3. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share information in the following circumstances:

3.1 Sub-Processors

We work with the following trusted sub-processors. Each has a written data-protection agreement with Organizely. The “Customer PII” column indicates whether the sub-processor receives Shopify protected customer data (Section 1.4) or other end-user PII as part of operating Organizely.

• Supabase, Inc. (United States) — managed PostgreSQL database and authentication. Stores all Organizely account data and the merchant's synced Shopify data, including Shopify customer data covered by Section 1.4. Customer PII: yes.
• Stripe, Inc. (United States) — payment processing for Organizely subscriptions. Receives the merchant's billing contact and payment instrument; does not receive Shopify customer data. Customer PII: no.
• Vercel, Inc. (United States) — application hosting and edge runtime. Processes request payloads in transit for the duration of each HTTP request; does not retain Shopify customer data outside the request lifecycle. Customer PII: in transit only.
• Mailgun Technologies, Inc. (United States) — transactional email delivery to Organizely account holders (password resets, invoices, system notices). Does notreceive Shopify customer data. Customer PII: no.
• hCaptcha, Inc. (United States) — bot mitigation on sign-in and forgot-password forms. Receives the visitor's IP and user-agent only; does not receive Shopify customer data. Customer PII: no.
• Cloudinary Ltd. (United States / Israel) — image storage and delivery for product photography uploaded by the merchant. Does not receive Shopify customer data. Customer PII: no.

We update this list when we onboard, remove, or replace a sub-processor. The “Last updated” date at the top of this page reflects the most recent change.

3.2 Legal Requirements

We may disclose information when required by law or to protect our rights, property, or safety.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

4. Data Security

We implement appropriate technical and organizational measures to protect your information:

• Encryption in transit: all traffic between clients, Organizely, Shopify, and our sub-processors is protected with TLS 1.2 or higher. Webhook payloads from Shopify are additionally verified with HMAC-SHA256 signatures.
• Encryption at rest: our managed PostgreSQL database (Supabase) uses AES-256 encryption at rest. Shopify customer fields covered by Section 1.4 are stored only in this encrypted database.
• Access controls: production database access is restricted to a small set of authorized employees, requires multi-factor authentication, and is audit-logged. Application access is gated by authenticated sessions with row-level scoping by organization.
• Network isolation: our backend services accept traffic only from approved origins; admin endpoints are not publicly addressable.
• Regular security assessments and updates
• Employee training on data protection

5. Data Retention

5.1 Account Data

We retain your Organizely account data for as long as your account is active. When you delete your account, we delete or anonymize your personal information within 30 days, except where we are required to retain it for legal or regulatory purposes (e.g. tax records).

5.2 Shopify Customer Data — Standard Retention

Shopify customer data covered by Section 1.4 is retained for as long as the merchant has Organizely installed on their Shopify store, plus a 30-day grace period after uninstall. After the grace period, we automatically purge all Shopify customer fields associated with that store from our database. The grace period exists so a merchant who reinstalls within 30 days can resume their workflows without re-importing.

5.3 Shopify Mandatory GDPR Webhooks

We honor the privacy webhooks Shopify requires of all apps:

• customers/data_request — on receipt, we compile all data we hold about the identified customer and deliver it to the merchant within 30 days.
• customers/redact — on receipt, we permanently erase all stored data about the identified customer within 48 hours, unless retention is required by law.
• shop/redact — on receipt (typically 48 hours after a merchant uninstalls), we permanently erase all data associated with the shop, including all Shopify customer data, within 48 hours.

All three webhook endpoints verify the request signature against our app's secret before any deletion or export work is performed.

6. Your Rights

6.1 Rights for All Users

Depending on your location, you may have the following rights:

• Access to your personal information
• Correction of inaccurate information
• Deletion of your personal information
• Data portability
• Restriction of processing
• Objection to processing

To exercise these rights, please contact us at [email protected]. We respond to verifiable rights requests within 30 days.

6.2 Shoppers of Shopify Stores Using Organizely

If you are a customer of a Shopify store that uses Organizely and you wish to access or delete your data held by Organizely, the fastest path is to contact the merchant directly — their dashboard provides one-click handling that triggers the Shopify customers/data_request or customers/redact webhook. We respond to those webhooks within the timeframes described in Section 5.3 (30 days and 48 hours respectively). You can also email us directly at [email protected]with your name, email, and the storefront domain so we can locate your data.

6.3 California Residents (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, and the right to opt-out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under California law. Submit requests to [email protected].

7. Cookies and Tracking

We use cookies and similar technologies to enhance your experience and collect analytics data. You can control cookie preferences through your browser settings.

8. International Transfers

Your information may be processed and stored in countries other than your own. We ensure appropriate safeguards are in place for international transfers.

9. Children's Privacy

Organizely is a B2B service intended for use by businesses and is not directed to children. We do not knowingly collect personal information from anyone under 16 years of age(the GDPR threshold), or under 13 years of age(the COPPA threshold) where GDPR does not apply. If we become aware that we have collected such information, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date.

11. Contact Us

If you have questions about this Privacy Policy, please contact us:

• Email: [email protected]
• Address: New Jersey, United States