Who we are
Lambda House is the publisher of StoreBack. Contact: support@lambdahouse.cc.
StoreBack is a Shopify app that captures point-in-time backups of your shop's catalog and non-PII order metadata, restores catalog state from a chosen backup, and exports backups into portable formats. The Backup feature is currently rolling out free of charge; Restore and Export are in beta.
What data StoreBack processes
We capture the structural content of an installed Shopify shop into immutable point-in-time snapshots:
- Products (variants, media references, metafields, options, SEO, taxonomy, publication scope).
- Collections (manual and smart/rule-based).
- Pages, blogs, articles.
- Metaobject definitions and instances.
- Files from the Shopify admin Files section.
- Theme settings JSON (settings only — not theme code).
- Locations and per-location inventory levels.
- Translations and locales.
- Publications, markets, legal policies, delivery profiles, discounts.
- Order metadata (no PII): line items, quantities, totals, taxes, discounts, fulfillment status, financial status, timestamps, currency, tags, order number. Last 60 days only. No customer link, billing/shipping address, contact email, or contact phone.
We also store, encrypted at rest, the Shopify Admin API access token your shop issued at install time. Access tokens are encrypted with AES-256-GCM. The encryption key never travels with the database — it is held in a separate Kubernetes secret rotated on operator action.
If you connect Google Drive (free, optional), we also store the OAuth refresh token your Google account issues to us. Refresh tokens are encrypted at rest with the same AES-256-GCM scheme and the same key separation. We request the drive.file scope only — we can read and write only the files we create; we cannot read or modify any other file in your Drive.
What data we do NOT process
StoreBack does not request and does not store:
- Customers (no read_customers scope).
- Order PII fields: customer link, billing address, shipping address, email, phone. The GraphQL queries we run for orders explicitly omit these fields.
- Orders older than 60 days (no read_all_orders scope).
- Draft orders, abandoned checkouts, returns, gift cards, payments, payouts.
The OAuth scopes we request reflect the app's actual processing scope. If we ever need to expand scope we will require explicit re-consent via reinstall and update this policy first.
Where the data lives
Server-side (Lambda House infrastructure)
Snapshots and encrypted credentials are stored in our PostgreSQL database hosted on Hetzner Online GmbH (EU — Falkenstein, Germany).
Snapshot bodies — 30-minute server-side retention. When you click "Back up now", StoreBack captures the snapshot and holds the body in our database for 30 minutes only. After that window the body is deleted by an automatic sweeper. We do not configure per-merchant retention — the 30-minute TTL is hardcoded and uniform across all installations.
Long-term retention is the merchant's responsibility. If you want long-term archives, connect Google Drive (free): each scheduled or ad-hoc backup uploads its entities and media into a folder we create inside your Drive. We never read, copy back, or modify those files after upload. They live in your Drive under your control; you can delete them at any time.
Concurrency cap: at most 1 in-flight backup per shop, with the 3 most-recent snapshots retained in server-side storage during the 30-minute window. Excess attempts are rejected with a friendly merchant message; nothing is silently dropped.
Drive-side (your Google Drive)
Drive content is governed by Google's terms and your own Drive retention. We can only access the files we create (the drive.file scope guarantees this at the API level). We do not replicate Drive content back into our database.
Email notifications
If you connect Google Drive, you can opt into email notifications about backup outcomes. We use the email address associated with your Shopify shop owner account (or one you explicitly enter in the embedded shell) for these messages. Categories:
- Backup succeeded — sent when a scheduled backup completes successfully.
- Backup failed — sent when a scheduled backup fails after retries.
- Drive reauth needed — sent when our refresh token is revoked or expires.
Each category is independently opt-out from the embedded shell. There is also an "unsubscribe all" link at the bottom of every notification email and a master toggle in the embedded shell. Operational messages (e.g. "your account is being deleted at your request") bypass these toggles. We do not use your email for marketing.
Sub-processors
The following entities process your data on our behalf:
- Hetzner Online GmbH — primary hosting infrastructure (EU, Germany). Stores snapshots, encrypted credentials, application logs.
- Cloudflare, Inc. — DNS, edge TLS termination, CDN for the marketing site.
- Resend (Resend, Inc.) — transactional email delivery for the notifications described above. Sender domain lambdahouse.cc. Resend stores delivery metadata (recipient, subject, status); message bodies are not retained beyond their delivery purpose.
- Shopify Inc. — counterparty platform; outbound only. We call Shopify's Admin API on your behalf, using the access token you issued at install.
- Google LLC (Google Drive) — only if you connect Drive. We upload snapshot entities and media into a folder we create in your Drive.
We do not transfer Shopify shop data to any other third party. We do not load analytics SDKs, advertising pixels, error trackers, or third-party cookies into the embedded shell.
GDPR webhooks (Shopify-mandatory)
StoreBack registers all three Shopify-mandatory privacy compliance webhooks. Each handler verifies the X-Shopify-Hmac-Sha256 signature on the raw request body before any state change.
- customers/data_request — Logged + acknowledged. We have no customer PII and no customer-keyed records (orders are stored without customer link). Substantive response: "no data on record".
- customers/redact — Logged + acknowledged. True no-op — nothing customer-keyed to redact.
- shop/redact — We cascade-delete every snapshot for that shop and scrub the encrypted access token + Drive refresh token. Performed inline, typically within seconds (not the 30-day SLA). Snapshots already uploaded to your Drive are not deleted by us — that's your Drive, under your control.
StoreBack also handles app/uninstalled: we mark the shop's record as uninstalled and immediately scrub the encrypted access token. Snapshot history (already deleted by the 30-minute sweeper) is not retained. If you reinstall, you start fresh.
Your rights (data subjects)
If you're a merchant whose shop has StoreBack installed, you have:
- Right of access. Email support@lambdahouse.cc with your shop domain; we'll send back the snapshot manifest list (most snapshots are gone after 30 min, but pending-completion ones we can describe) and the encrypted credential's metadata (not the plaintext — that's never recoverable in-band).
- Right to deletion. Same email channel — or send a shop/redact via Shopify's data-subject-request flow. We delete within hours; the 30-day SLA is the upper bound.
- Right of portability. Snapshot contents are downloadable for the 30-minute window from the embedded shell, or available indefinitely from your Drive folder if you connected Drive.
- Right of rectification. StoreBack does not store personal data about you (the merchant) personally — only your shop's structural content. If something is incorrect in a snapshot, take a fresh one; we don't edit snapshots in place.
Cookies + tracking
- The embedded shell uses no cookies of its own (Shopify's session-token JWT is the entire auth model — short-lived, ~1 minute, not a cookie).
- The operator backoffice uses Pomerium's session cookie for SSO. Operators are Lambda House staff; their use is governed by our internal policies.
- No analytics, advertising, or third-party tracking.
Security
- All in-transit traffic is HTTPS via Shopify's redirect on one side and a managed Let's Encrypt certificate on ours.
- Access tokens (Shopify + Drive refresh) are encrypted at rest using AES-256-GCM with key separation between the encryption key (held by the application runtime, sourced from a Kubernetes secret) and the database (PostgreSQL).
- Database backups are encrypted at rest by the storage layer.
- We do not log access tokens, request bodies, or response bodies in plain text. Audit logs include shop domain + operation id only.
- Penetration testing: not formally scheduled at this stage of the prototype; planned before the family graduates to a paid tier.
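The token-at-rest scheme this policy describes (AES-256-GCM, key held by the runtime and never stored beside the database, scrubbed on uninstall or shop/redact) is shown below as an added Go example; it is not StoreBack's code. It assumes the mounted secret is a hex-encoded 32-byte key and adds one design choice the policy does not state: the shop domain is bound as GCM additional authenticated data, so a ciphertext copied into another shop's row does not open. The key, shop domain and token values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// keyFromSecret parses the data-encryption key the runtime receives from its
// secret store. The page says a Kubernetes secret; hex text is our assumed format.
func keyFromSecret(hexKey string) ([]byte, error) {
	key, err := hex.DecodeString(strings.TrimSpace(hexKey))
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires exactly a 32-byte key")
	}
	return key, nil
}

// credentialRow is what the database holds for one shop: ciphertext and the
// id of the key that produced it (so a rotation can find rows to re-seal).
// Neither the key nor the plaintext token is ever written to this row.
type credentialRow struct {
	ShopDomain string
	KeyID      string
	Sealed     []byte // nonce || ciphertext || GCM tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts an access token under key and binds the shop domain as
// AAD, so a ciphertext moved to another shop's row fails to open. (The AAD
// binding is a design choice added here; the policy does not state it.)
func sealToken(key []byte, keyID, shopDomain, token string) (credentialRow, error) {
	aead, err := newGCM(key)
	if err != nil {
		return credentialRow{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // 96-bit random nonce, fresh per seal
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return credentialRow{}, err
	}
	sealed := aead.Seal(nonce, nonce, []byte(token), []byte(shopDomain))
	return credentialRow{ShopDomain: shopDomain, KeyID: keyID, Sealed: sealed}, nil
}

// openToken decrypts a row. Any change to nonce, ciphertext, tag, key or shop
// domain makes GCM's tag check fail and nothing is returned.
func openToken(key []byte, row credentialRow) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(row.Sealed) < n {
		return "", errors.New("sealed value too short")
	}
	pt, err := aead.Open(nil, row.Sealed[:n], row.Sealed[n:], []byte(row.ShopDomain))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// scrubToken is the uninstall / shop-redact step: overwrite and drop the ciphertext.
func scrubToken(row *credentialRow) {
	for i := range row.Sealed {
		row.Sealed[i] = 0
	}
	row.Sealed = nil
}

func main() {
	key, err := keyFromSecret(strings.Repeat("2a", 32)) // constructed test key
	if err != nil {
		panic(err)
	}
	row, _ := sealToken(key, "dek-v1", "example.myshopify.com", "shpat_constructed_token")
	fmt.Printf("stored: shop=%s key=%s sealed=%d bytes\n", row.ShopDomain, row.KeyID, len(row.Sealed))
	pt, _ := openToken(key, row)
	fmt.Println("recovered:", pt)
	row.ShopDomain = "other.myshopify.com" // simulate a transplanted row
	_, err = openToken(key, row)
	fmt.Println("transplanted row opens:", err == nil)
	scrubToken(&row)
	fmt.Println("after scrub, sealed bytes:", len(row.Sealed))
}
```

A database dump on its own yields only credentialRow values, which is the property the key separation is meant to give; the KeyID column is what makes "rotated on operator action" workable, since a rotation job can select every row sealed under the old id, open it with the old key and re-seal under the new one without ever reading the key from the database.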
Lawful basis
StoreBack operates on the controller / processor model. The merchant is the data controller for any data captured into a snapshot; we are the processor. The contractual basis is the merchant's acceptance of the installation flow on Shopify (the OAuth consent + scope grant constitutes the processing instruction).
Changes to this policy
Material changes are version-controlled in the source-of-truth document at listing-bridge/PRIVACY.md with the policy "last updated" date refreshed.
Contact
support@lambdahouse.cc — for any privacy-related question, data subject request, or security report. See also our support page for general support, and the StoreBack home page for the product overview.