Privacy Policy
Last updated: April 21, 2026
Easy Alerts ("the App", "we", "us") is a Shopify app operated by DevCloud Software LLC. This policy explains what data we access, why, and how we handle it.
1. Data we receive
When a merchant installs Easy Alerts, Shopify grants us an OAuth access token and sends us webhook events we've subscribed to:
- Order events — orders/create, updated, cancelled, fulfilled, paid, refunds/create
- Product & inventory events — products/create, products/update, inventory_levels/update
- Customer events — customers/create, customers/update
- App lifecycle — app/uninstalled, app_subscriptions/update
- GDPR compliance — customers/redact, customers/data_request, shop/redact
Each webhook payload contains data about the event (e.g. an order ID, line items, total, customer name/email on an order). We evaluate that payload against the merchant's configured rules and, when a rule matches, render a notification message.
2. What we store
We store the minimum required to operate the service:
- Shop identity — myshopify domain, shop name, plan tier, encrypted access token.
- Rules & channels — configurations the merchant created inside Easy Alerts.
- Webhook dedup keys — short-lived identifiers used to prevent duplicate deliveries. Cleaned up automatically.
- Alert history — a short record of deliveries (rule name, entity ID, success/failure, timestamp). Does not contain full order or customer payloads. Auto-deleted after 90 days.
We do not persist end-customer email addresses, addresses, payment details, or full order payloads beyond the transient processing of a single webhook.
3. What we share
We transmit notification messages to the channels the merchant configured (Slack, email, Microsoft Teams, Discord, SMS via Twilio, WhatsApp via Twilio, or the merchant's own webhook URL). The content is the message template the merchant authored, populated with variables from the triggering event.
We do not sell, rent, or otherwise disclose data to third parties beyond these operational sub-processors:
- Shopify — source of truth for events and billing.
- SendGrid — transactional email delivery.
- Twilio — SMS and WhatsApp delivery.
- DigitalOcean — application hosting (US region).
- Sentry — error tracing (scrubs PII before storage).
4. GDPR & data deletion
Easy Alerts honors Shopify's mandatory GDPR webhooks:
- customers/data_request — we reply with a confirmation that no customer PII is retained beyond transient webhook processing and auto-cleaned alert history.
- customers/redact — no action required; no per-customer data is stored.
- shop/redact — 48 hours after uninstall, we remove all shop-scoped data (rules, channels, history, tokens).
To request data export or deletion outside these automated flows, email support@devcloudsoftware.com with your myshopify domain.
5. Security
- All traffic is encrypted in transit via TLS 1.2+.
- Shopify access tokens are encrypted at rest.
- Webhook payloads are verified with HMAC-SHA256 before any processing.
- We rate-limit inbound API calls per shop and validate outbound channel URLs against SSRF targets (localhost, private IP ranges, cloud metadata endpoints).
6. Retention
Alert history auto-deletes after 90 days. Webhook dedup keys expire in minutes to hours. Shop configuration (rules, channels) is retained while the app is installed and is deleted when the uninstall grace period expires.
7. Changes
We may update this policy as the product evolves. Material changes will be communicated in-app at least 14 days before taking effect.
8. Contact
DevCloud Software LLC
Email: support@devcloudsoftware.com