Privacy Policy
Last updated: May 28, 2026
This Privacy Policy describes how Plomly ("we", "us", "our") collects, uses, and shares information when you use the Plomly app for Shopify ("the App"). We are committed to honest, minimal data collection — we only gather what we genuinely need to make the App work, and we never sell your data or your shoppers' data to anyone.
1. Who we are
Plomly is operated as an independent SaaS based in Madrid, Spain. Legal entity disclosure is available on request via the contact email below. The App provides a measurement calculator and AI shopping assistant for Shopify merchants selling construction and renovation materials.
Data controller for merchant data: Plomly (us). Data controller for shopper data on a merchant's store: the merchant themselves — we act as a data processor on their behalf.
2. What we collect
From the merchant (you, the Shopify store owner)
- Shopify account info: shop domain (e.g. yourstore.myshopify.com), shop owner email, primary locale, currency, country code. Obtained from Shopify's Admin API when you install the App.
- Access token: a credential issued by Shopify when you authorize the App. We store it encrypted and use it only to read your products and manage subscriptions.
- Product catalog: variant titles, SKUs, prices, product types. Used to configure the calculator for each product.
- Subscription status: which plan you are on (Free, Pro, Premium), billing period, trial end date. Obtained from Shopify Billing API.
From your shoppers (anonymous)
- Calculation events: when a shopper uses the calculator on a product page, we log: variant ID, area entered, quantity calculated, whether they added to cart, anonymous session ID, timestamp. No personally identifiable information.
- AI chat messages: when a shopper types a question into the AI assistant, the message is sent to Anthropic (our AI provider) to generate a response. The message and reply are logged in our database for usage accounting (token counts) but are not used for any other purpose and are not shared with third parties beyond Anthropic.
What we do NOT collect
- Shopper names, emails, phone numbers, or addresses
- Payment information (Shopify handles all payments — we never see card data)
- Cookies for advertising or tracking purposes
- Data about products outside your catalog
3. Why we collect it
We collect the above strictly to:
- Provide the calculator functionality on your product pages
- Run the AI assistant feature you opted into
- Bill you correctly through Shopify's subscription system
- Send you transactional emails (welcome, activation reminders) — no marketing emails
- Generate aggregated analytics so you can see how the calculator performs on your store
We do not use your data to train AI models, build competitive products, or sell to any third party.
4. Third-party processors
We use the following third parties to deliver the service. Each handles a specific function and is contractually bound to data protection standards:
| Processor | Purpose | Location |
|---|---|---|
| Shopify Inc. | App hosting platform, billing, OAuth | Canada / US (varies) |
| Anthropic PBC | AI model (Claude) for product classification and shopper chat | US |
| Resend | Transactional email delivery (welcome, reminders) | EU (Ireland) |
| IONOS | Server hosting | EU (Madrid, Spain) |
Data transferred to processors outside the EU (Shopify, Anthropic) is covered by Standard Contractual Clauses (SCCs) as required by GDPR.
5. How long we keep it
- While your subscription is active: we retain all merchant data necessary to operate the App.
- After you uninstall the App: Shopify sends us an
app/uninstalledwebhook. We schedule deletion of all your store's data within 48 hours, in line with Shopify's GDPR requirements. - Calculation events (anonymous analytics): retained for up to 12 months for analytics, then deleted.
- AI usage logs: retained for the current billing month + 1 month for billing reconciliation, then deleted.
6. Your rights (GDPR / Shopify shopper data)
If you are an EU resident, you have the right to:
- Access the data we hold about you or your store
- Request correction of inaccurate data
- Request deletion (right to be forgotten)
- Export your data in a portable format
- Object to processing or withdraw consent
- Lodge a complaint with the Spanish Data Protection Agency (AEPD)
Shopify also forwards GDPR data requests to us via webhook (customers/data_request, customers/redact, shop/redact). We process these within 30 days.
To exercise any right, email contact@plomly.com.
7. Security
- All data in transit is encrypted via TLS 1.2+ (HTTPS).
- Shopify access tokens are stored encrypted at rest.
- Server access is restricted via SSH keys (no password authentication).
- We follow the principle of least privilege: services only access data they need.
- We do not store credit card or payment information at any point.
If you discover a security issue, please email contact@plomly.com — we treat reports seriously and will respond within 48 hours.
8. Changes to this policy
We may update this policy as the App evolves. Material changes will be announced via email to active merchants at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the current version.
9. Contact
For any privacy question, request, or complaint:
Email: contact@plomly.com
Operator: Plomly (independent SaaS)
Data processing location: Madrid, Spain
Legal entity: Disclosed on request