Privacy Policy
Effective date: 1 May 2026
App: Parts Diagram for Shopify (Papathemes)
Operator: Papathemes — support@papathemes.com
This policy explains what data the Parts Diagram app collects, how we use it, how it is stored, and how merchants and shoppers can request its deletion. The app is distributed via the Shopify App Store and is bound by Shopify's Partner Program Agreement and the Shopify API Terms of Service.
1. Data we collect
From the merchant's Shopify store, with the merchant's explicit OAuth consent at install time, we read:
- Shop domain (my-shop.myshopify.com) and shop ID — used to scope all data we store.
- Public product catalogue data: product title, handle, variants, prices, compare-at prices, SKU, primary image URL — used to render hotspot product cards on the storefront and the admin editor's product picker.
- Theme metadata (theme id and template list) — used to insert the Theme App Extension block into the active theme.
From the merchant's input in the admin UI:
- Diagram images the merchant uploads (stored in our private S3 bucket).
- Hotspot coordinates, labels, and product mappings the merchant draws.
- Settings the merchant configures (display options, parts list visibility).
From storefront shoppers, when they interact with a diagram on a product page, we collect:
- Anonymous interaction events: diagram view, hotspot hover, hotspot click, add-to-cart click. Each event records the diagram id, the hotspot id, and a timestamp. No personal information about the shopper is collected — no name, email, IP address, cookies, or device fingerprint.
We do not collect, store, or transmit:
- Customer personal information (name, email, address, phone).
- Payment information.
- Shopper IP addresses.
- Tracking cookies or persistent device identifiers.
- Order data or checkout data.
2. How we use the data
- Product snapshots — title, price, image, variants — are cached server-side so the storefront renders without a per-request Shopify Admin API call. The cache is refreshed when the merchant saves the diagram in the admin.
- Storefront events are aggregated into anonymous daily counters (views, clicks, add-to-carts per diagram) shown to the merchant in the admin Dashboard's Analytics card.
- Diagram images are served from our CDN to render the storefront block.
3. Where the data lives
- DynamoDB (AWS, us-east-1) — encrypted at rest with AWS-managed keys (AES-256). Stores Shop rows, Diagram rows, Assignment rows, Settings, Billing events, Webhook events, Analytics events.
- S3 (AWS, us-east-1) — encrypted at rest. Stores uploaded diagram images. Bucket is private; objects are served via signed CloudFront URLs.
- OAuth access tokens are encrypted with AES-256-GCM using a per-environment key before being written to DynamoDB.
4. Sharing
We do not sell or share merchant or shopper data with third parties. The only data egress is:
- To Shopify, via the Admin GraphQL API the app installs against, scoped strictly to the OAuth scopes the merchant approved (read_products, write_products, read_themes, write_themes).
- To the merchant's storefront via the App Proxy, returning only the diagram + hotspot data the merchant authored for that store.
5. Retention
While the app is installed: data is retained for the lifetime of the shop's installation.
When the app is uninstalled: Shopify fires the app/uninstalled webhook. We immediately revoke the OAuth token. 48 hours later, Shopify fires shop/redact — at that point we cascade-delete every row associated with the shop: Shops, Diagrams, Assignments, Settings, Billing events, Webhook events, Analytics. No residual data is retained.
6. GDPR & privacy-law compliance
The app implements all three of Shopify's mandatory privacy webhooks:
| Topic | What we do |
|---|---|
| customers/data_request | We do not store personal customer data. The handler logs the request and returns a structurally empty response within 200 ms. |
| customers/redact | We do not store personal customer data. The handler logs the request and returns 200. If a future feature ever stores per-shopper PII, this handler will cascade-delete it. |
| shop/redact | Cascade-deletes every row associated with the shop, as described in §5 Retention. |
7. Security
- All app traffic is HTTPS-only with TLS 1.2+.
- OAuth tokens are encrypted at rest (AES-256-GCM) with per-environment keys.
- HMAC verification on every Shopify webhook before any handler executes.
- Idempotency guards via x-shopify-webhook-id dedupe so retried webhooks never run a side-effect twice.
- App Proxy requests are validated by the Shopify-signed signature query parameter before any data is returned.
- Direct Admin GraphQL access is limited to the four scopes listed in §4 Sharing.
- Vulnerability reports: please email security@papathemes.com privately rather than disclosing publicly. We acknowledge within 24 hours.
8. Contact & data requests
- General support — support@papathemes.com
- Security — security@papathemes.com
- Data subject access requests — submit via the merchant's Shopify admin (Shopify forwards them to us as a customers/data_request webhook). We respond within Shopify's mandated 30-day window.
9. Changes to this policy
If we update this policy, we will publish the new version at this URL and bump the effective date at the top. Material changes (new data collection, new third-party processors) will be announced in the admin's Dashboard and via the Shopify changelog feed.