Privacy Policy
Last updated: June 14, 2026
1. Who we are
PresellHQ ("we", "us", "our") is a Shopify application that helps merchants recover lost sales through back-in-stock alerts and preorder selling plans. PresellHQ is operated by Nanban LLC. You can reach us at support@presellhq.com.
This policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data. It applies to merchants who install PresellHQ ("Merchants") and to end customers of those merchants ("Customers") whose information passes through our systems.
2. Data we collect
2.1 Merchant data
When a Merchant installs PresellHQ via the Shopify App Store, we collect:
- Shopify store domain (e.g.
yourstore.myshopify.com) - Shopify access token: used to call the Shopify API on the merchant's behalf (read inventory, manage selling plans, look up variant names)
- Plan and billing status: maintained by Shopify's Billing API; we store the plan name and limits in our database
We do not collect merchant payment information. All billing is handled directly by Shopify.
2.2 Customer data (back-in-stock subscribers)
When a Customer submits a back-in-stock signup form on a Merchant's storefront, we collect:
- Email address: required to send the restock notification
- Phone number: optional, collected only if the Merchant has SMS notifications enabled
- The Shopify product variant ID and product ID they subscribed to
- Signup timestamp
If the Merchant has enabled GDPR double opt-in, Customers receive a confirmation email before being added to the active waitlist. We store the opt-in confirmation timestamp.
2.3 Preorder data
When a Customer places a preorder, Shopify processes and owns the order. We receive and store:
- Shopify order ID: used to track deposit preorders and trigger remaining balance collection when items ship
We do not store Customer payment information, shipping addresses, or full order line-item details.
2.4 Technical and usage data
- Server-side logs including request timestamps, route accessed, and HTTP status codes
- No client-side tracking pixels, third-party analytics scripts, or cookies beyond what is necessary for Shopify session authentication
3. Why we collect it and our legal basis
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Store domain + access token | Authenticate API calls to Shopify | Contract (app installation agreement) |
| Customer email address | Send back-in-stock notification when inventory is restocked | Legitimate interest (requested by Customer); or consent where double opt-in is enabled |
| Customer phone number | Send SMS back-in-stock notification | Consent (Customer explicitly opts in to SMS) |
| Order ID | Track deposit preorders for automated balance collection | Contract (app service agreement) |
| Server logs | Security monitoring, debugging, abuse prevention | Legitimate interest |
4. How we use the data
We use the data we collect solely to provide the PresellHQ service:
- Sending automated back-in-stock notification emails and SMS messages when a Merchant restocks a product
- Sending preorder confirmation emails after a Customer places a preorder
- Displaying subscriber counts, notification history, and analytics to Merchants in the app dashboard
We do not sell Customer data. We do not use Customer data for advertising, profiling, or any purpose other than providing the service described above.
5. Data retention
- Active subscriber data: retained while the Merchant's store is installed and the subscriber has not unsubscribed
- After unsubscribe: email and phone are cleared; a tombstone record (no PII) is kept for analytics accuracy
- After Merchant uninstall: all Customer PII (email, phone) associated with the Merchant's store is permanently deleted within 48 hours of receiving Shopify's
shop/redactwebhook - Individual redaction requests: when Shopify sends a
customers/redactwebhook, the Customer's email, phone, and push tokens are immediately nulled and the subscriber is marked unsubscribed - Server logs: retained for up to 30 days then automatically rotated
- Order IDs from deposit preorders: retained until balance collection is complete or the order is cancelled
6. Data sharing and third parties
We share data only with the following processors, and only to the extent necessary:
| Processor | Purpose | Data shared |
|---|---|---|
| Shopify Inc. | App hosting, OAuth, billing, and webhook delivery | Store domain, access tokens, order data |
| Amazon Web Services (AWS SES) | Email delivery | Customer email address, email content |
| Twilio Inc. | SMS delivery (if enabled by Merchant) | Customer phone number, SMS message content |
| AWS (RDS / Amplify) | Database and application hosting | All app data, stored within the AWS US-East region |
All processors are bound by data processing agreements. Data is stored in the United States. For EEA/UK merchants and customers, we rely on the EU-US Data Privacy Framework and standard contractual clauses for international data transfers where applicable.
7. Security
- All data in transit is encrypted via TLS 1.2 or higher
- Database connections are encrypted at rest (AWS RDS encryption)
- Access to production data is limited to authorised engineers with strong authentication
- Shopify access tokens are stored encrypted in our database
- We maintain a security incident response procedure; in the event of a data breach affecting personal data, we will notify affected Merchants within 72 hours
8. Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the data we hold about you
- Rectification: ask us to correct inaccurate data
- Erasure: ask us to delete your data ("right to be forgotten")
- Restriction: ask us to limit how we process your data
- Portability: receive your data in a machine-readable format
- Objection: object to processing based on legitimate interest
- Withdraw consent: unsubscribe at any time via the unsubscribe link in any notification email, or by contacting us
For Customers: Back-in-stock notification emails include an unsubscribe link that immediately removes you from the waitlist. For data access or deletion requests, contact the Merchant whose store you signed up through, or contact us directly and we will assist.
For Merchants: You can export or delete your subscriber data from within the PresellHQ dashboard at any time. Uninstalling the app triggers deletion of all Customer PII within 48 hours.
To exercise any of these rights, email us at support@presellhq.com. We will respond within 30 days.
9. Cookies
The PresellHQ admin application (embedded within the Shopify admin) uses a single session cookie (__admin_session) for authentication of the internal admin portal. This cookie is httpOnly, secure, and expires after 8 hours.
The Shopify-embedded app interface uses session tokens issued by Shopify App Bridge for authentication. No third-party tracking cookies are set on merchant or customer browsers.
The PresellHQ storefront widget (the "Notify me" form embedded in a Merchant's store) does not set any cookies.
10. Children's privacy
PresellHQ is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this privacy policy from time to time. Material changes will be notified to Merchants via email or via a banner in the PresellHQ dashboard at least 30 days before they take effect. The "Last updated" date at the top of this page reflects when it was last revised.
12. Contact
For any privacy-related questions, requests, or complaints:
Email: support@presellhq.com
If you are located in the EEA and feel your rights have not been respected, you have the right to lodge a complaint with your local data protection authority.