TL;DR
We collect the minimum data needed to run forecasting, POs, and RMAs on your Shopify shop. We do not sell data, do not use it for advertising, and delete everything within 48 hours of uninstall. Questions? Email [email protected].1. Who we are
Skucast is operated by CARMOTIVE LLC, a Michigan limited liability company. Contact: [email protected].
2. Data we collect from the merchant (store owner)
- Shop identifiers: shop domain, store name, contact email, currency, time zone
- Authentication: Shopify OAuth access token (encrypted at rest in Cloudflare KV)
- Inventory operations data: purchase orders you create, suppliers you add, RMAs, forecasting settings, label templates, alert preferences
- Product + inventory metadata pulled from your store: SKUs, variants, inventory levels, vendor names, product types, prices, order line items (used to compute forecasts)
- Subscription status: Shopify billing charge ID, plan tier, trial dates
3. Data we access from your customers
The launch tier of Skucast (Skucast Inventory) does not request access to customer personal data. Optional add-on modules may, only with your explicit opt-in:
- SMS Review Requests add-on (off by default): customer first name + phone from completed orders. Used only to send opt-in transactional SMS asking for a Google review. Phone numbers are retained for opt-out flagging only. Customer data is never sold or shared with third parties.
If you enable an add-on that accesses customer data, you remain the data controller under GDPR/CCPA. We act as your data processor.
4. How we use data
- To run the features you install: forecasting, POs, RMAs, alerts, dashboards
- To send transactional emails to your supplier contacts (POs, magic-link acknowledgements) using your sender identity
- To compute reports (end-of-day, weekly recap)
- To process subscription billing through Shopify's billing API
- To respond to support requests you initiate
We do not sell merchant or customer data. We do not use it for advertising. We do not share it with third parties except as listed in Section 6.
5. Where data lives
All data is stored in Cloudflare Workers KV, primary region in the United States. Backups are retained for 30 days. Logs are retained for 7 days and contain only diagnostic metadata (request paths, response codes), not customer PII.
6. Third-party processors
- Shopify — store data source + billing
- Cloudflare — hosting, KV storage, edge compute
- Resend — transactional email delivery (PO send, alerts)
- Anthropic — AI question-answering (only when the AI Ask add-on is enabled; queries include redacted ops summaries, never raw customer PII)
- Twilio — SMS delivery (only when the SMS add-on is enabled)
7. Data retention + deletion
- App uninstall: within 48 hours of uninstall, Shopify sends a
shop/redactwebhook. We delete all data scoped to your shop, including KV records, access tokens, and any cached snapshots. A metadata-only compliance audit log (no PII) is retained for 1 year. - Customer data deletion request: Shopify forwards via
customers/redact. We purge any review-opt-out flags + SMS tracking keyed by that customer. - Customer data export request: Shopify forwards via
customers/data_request. You as merchant have 30 days to respond to the data subject. Email [email protected] if you need our help compiling the export.
8. Your rights (GDPR / CCPA / UK GDPR)
EU/UK/California residents (and their customers, where applicable) have the right to:
- Access the personal data we hold
- Request rectification of inaccurate data
- Request erasure (right to be forgotten)
- Object to or restrict processing
- Data portability (machine-readable export)
- Lodge a complaint with a supervisory authority
To exercise any of these rights, email [email protected]. We respond within 30 days.
9. Security
All data is transmitted over HTTPS. Webhook payloads are HMAC-verified against the shop's API secret. Access tokens are stored in Cloudflare KV encrypted at rest. Worker secrets (Shopify API key, Twilio credentials, Anthropic key) are stored in Cloudflare's secret store, never in source code or logs. We do not store passwords; merchant authentication uses Shopify OAuth or short-lived session JWTs (HttpOnly, Secure, SameSite=Lax, 30-day expiry).
10. Cookies + tracking
The Skucast app sets one cookie: skucast_session — a signed JWT identifying your logged-in session. HttpOnly, Secure, SameSite=Lax, 30-day expiry. The marketing site (skucast.app) sets no tracking cookies, no analytics pixels, and no third-party trackers.
11. Children
Skucast is a B2B tool intended for business use by store owners. We do not knowingly collect data from children under 16.
12. Changes to this policy
Material changes will be communicated to the merchant's contact email at least 14 days before taking effect.
13. Contact
Email [email protected] with any privacy questions, data subject requests, or security disclosures.
Skucast is operated by CARMOTIVE LLC, a Michigan-based software company.