Privacy Policy

This Privacy Policy explains how Galaxy Web Links ("we", "us", or "our") collects, uses, stores, and protects personal and business data when you install or use the Import/Export Data Manager application (the "App") on a Shopify store.

Last updated: June 1, 2026

1. Introduction

Import/Export Data Manager helps Shopify merchants bulk import and export store data, including B2B companies and locations, product collections, discount codes, and custom metaobjects. The App operates within the Shopify admin and uses Shopify's APIs to read and write data on behalf of merchants who authorize the App.

We are committed to protecting the privacy of merchants and any individuals whose data merchants choose to import through the App. This policy is designed to meet Shopify App Store requirements and to help you understand our data practices in accordance with applicable privacy laws, including the General Data Protection Regulation (GDPR), UK GDPR, and other regional privacy regulations.

This page is provided for informational purposes and does not constitute legal advice. If you have questions about how privacy laws apply to your business, please consult a qualified legal professional.

2. Who This Policy Applies To

  • Merchants who install and use the App in the Shopify admin.
  • Merchant staff who access the App through a Shopify user account.
  • Business contacts and company representatives whose information merchants import or manage through the App's company import and export features (for example, B2B contact names, email addresses, phone numbers, and business addresses).

The App is a merchant-facing administrative tool. It does not display widgets on storefronts and does not directly collect data from general store visitors or consumers browsing a merchant's website.

3. Information We Collect Through Shopify APIs

When a merchant installs the App, we access certain data from the merchant's Shopify store through Shopify's APIs, only as needed to provide the App's functionality and within the permissions granted during installation. This may include:

  • Store domain, shop identifier, and app installation details
  • B2B company and company location data (such as company names, external IDs, contact details, shipping and billing addresses, catalogs, payment terms, and tax settings)
  • Customer records required to create or link B2B company contacts in Shopify
  • Product collection data (such as titles, handles, descriptions, collection types, rule sets, product associations, and images)
  • Discount data (such as discount titles, codes, types, values, eligibility rules, usage limits, and scheduling)
  • Product information needed to associate collections or discounts with products
  • Metaobject definitions and metaobject entries selected for import or export
  • Files uploaded to Shopify when collection images are processed during import
  • App authentication, authorization, and session information required to operate the App

We do not request access to payment card data, checkout transactions, or other Shopify data beyond what is required for the App's import and export features.

4. Information We Collect Directly From Merchants

When merchants use the App, we may collect and store:

  • Shopify staff account details provided during authentication (such as name, email address, user ID, account role, and locale), where available through Shopify's online session
  • CSV or structured data files uploaded by merchants for import operations, processed to create or update records in Shopify
  • Import and export activity metadata (such as job progress, success and error counts, and operational logs) needed to run and troubleshoot imports
  • Technical logs related to app performance, errors, API rate limits, and security events

5. Information Processed From Merchant-Provided Import Files

When merchants upload CSV or similar files, the App may process business and personal data contained in those files on the merchant's instructions. Depending on the import type, this may include:

  • Company and location names
  • Contact first and last names
  • Email addresses and phone numbers
  • Shipping and billing street addresses, cities, states, postal codes, and countries
  • Tax identifiers and business configuration settings
  • Collection, discount, and metaobject field values supplied by the merchant

Merchants are responsible for ensuring they have a lawful basis to import this data into Shopify and to use the App for that purpose. We process import file data solely to perform the import or export operations requested by the merchant.

Import files are processed in the course of providing the service. We do not use import file contents for unrelated marketing or profiling purposes.

6. How We Use Information

We use the information we collect solely to:

  • Provide, operate, maintain, and improve the App's import and export features
  • Create, update, and synchronize companies, collections, discounts, and metaobjects in Shopify
  • Generate CSV exports of merchant data from Shopify
  • Track import job progress and report results to the merchant
  • Authenticate merchants and enforce app access requirements
  • Respond to merchant support requests and legal or regulatory obligations
  • Monitor app security, prevent abuse, and troubleshoot technical issues

We do not sell personal data. We do not use merchant or imported personal data for unrelated marketing purposes.

7. Where Data Is Stored

Most operational data created or updated through the App is stored in the merchant's Shopify store (including Shopify company records, collections, discounts, and app-specific metaobjects used to track import history and configuration).

We also store limited app infrastructure data needed to operate the service, such as:

  • Shopify app session and authentication records
  • Temporary in-memory import job state while an import is running
  • Technical and security logs on our hosting infrastructure

8. Legal Basis for Processing (EEA/UK)

Where applicable privacy laws require a legal basis, we rely on:

  • Performance of a contract — to provide the App to merchants who install and use it
  • Legitimate interests — to secure, maintain, and improve the App, prevent fraud, and support merchants
  • Legal obligations — to comply with applicable laws and respond to valid requests
  • Merchant instructions — when merchants upload data for import into their Shopify store

9. Data Sharing and Processors

We may share personal data only with service providers that help us operate the App, such as hosting, database, and infrastructure providers. These providers process data on our instructions and are required to protect it appropriately.

We may also disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Galaxy Web Links, merchants, or others.

Shopify acts as an independent platform provider. Data accessed through Shopify APIs is also subject to Shopify's own privacy practices and merchant agreements with Shopify.

10. International Data Transfers

Galaxy Web Links may process and store data in countries outside the country where you or individuals whose data you import are located, including outside the European Economic Area (EEA) and the United Kingdom.

Where required, we implement appropriate safeguards for international transfers, such as standard contractual clauses or equivalent protections recognized under applicable data protection laws.

11. Data Retention

We retain personal data only for as long as necessary to provide the App, fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements.

  • Merchant session and authentication data is retained while the App remains installed and as needed for secure operation
  • Data written to Shopify (including metaobjects, companies, collections, and discounts) remains in the merchant's store until deleted by the merchant or removed through a privacy or uninstall process
  • Temporary import job data in application memory is discarded after the job completes or the application restarts
  • Technical logs are retained for a limited period needed for security and operations, then deleted or anonymized

12. Data Subject Rights and GDPR Webhooks

Depending on your location, individuals may have rights to access, correct, delete, restrict, or object to certain processing of their personal data, and to request data portability.

The App supports Shopify's mandatory compliance webhooks, including:

  • customers/data_request — to identify customer or company contact data associated with a data subject access request processed through the App
  • customers/redact — to remove or anonymize customer and company contact data stored by the App when a customer erasure request is received
  • shop/redact — to delete merchant-related app data after app uninstallation, in accordance with Shopify's data protection requirements

Merchants are responsible for responding to privacy requests for their stores and for ensuring imported data is handled lawfully. If you need assistance with a request related to data processed by the App, contact us using the details below.

13. Security

We use administrative, technical, and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures include access controls, encrypted connections (HTTPS), and secure application infrastructure.

No method of transmission or storage is completely secure. While we work to protect personal data, we cannot guarantee absolute security.

14. Children's Privacy

The App is intended for use by merchants operating Shopify stores and is not directed at children. We do not knowingly collect personal data from children. If you believe a child has provided personal data through the App, please contact us so we can take appropriate action.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the App, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the App after an update constitutes acceptance of the revised policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact: