Effective date: May 21, 2026 Last updated: May 21, 2026
This Privacy Policy explains how Digital Project Design ("DPD", "we", "us", "our") handles information in connection with the Professional List Manager application (the "App") for Shopify. It applies to merchants who install the App ("Merchants") and to the merchant's customers and store visitors whose information the App processes ("Customers").
The App is a B2B list-management tool: it lets a Merchant's sales representatives and a Merchant's logged-in business buyers create and manage saved product lists ("Lists") for reordering.
Our role. For data about a Merchant's Customers, DPD acts as a data processor on behalf of the Merchant, who is the data controller. Each Merchant is responsible for its own privacy notice to its Customers and for any consent it is required to obtain. This policy describes what the App does so Merchants can make those disclosures accurately.
Contents
- 1. Information we process
- 2. How we use information, and purpose limitation
- 3. Automated decision-making
- 4. How information is shared
- 5. Data retention and deletion
- 6. Security
- 7. International data transfers
- 8. Your rights
- 9. Children's privacy
- 10. Changes to this policy
- 11. Contact
1. Information we process
a. Merchant and staff information
-
Store identifiers and configuration: your
myshopify.comshop domain, app settings, and merchant-authored display/locale customizations. - Authentication credentials: OAuth access tokens issued by Shopify so the App can call the Shopify APIs on your behalf.
- Staff user details (online sessions): when a sales representative uses the embedded admin tools, Shopify provides that staff user's identifier, and may provide their first name, last name, and email, which are stored as part of the Shopify session so the App can attribute actions and greet the signed-in user. This is data about your staff, not your Customers.
b. Customer information
The App processes the minimum Customer information needed to provide its functionality:
- A Customer identifier — the Shopify Customer ID (a numeric/GID identifier) of a logged-in buyer, used to associate that buyer with their Lists and to record who created or changed a List item.
- Business (Company) association — for B2B buyers, the Shopify Company ID the buyer belongs to, used to scope shared company Lists and to show the correct B2B catalog pricing. We read the Company's business name transiently to resolve this association; we do not store it.
- List content the buyer creates — List names (text the buyer or representative types), the products and variants added to a List, quantities, and timestamps.
We do not collect or store Customer names, email addresses, phone numbers, or postal addresses. The App is configured for Shopify "Protected customer data" at the base level and does not request access to those protected fields. (Where Shopify sends a Customer's email or phone to us inside a mandatory compliance webhook — for example a data-deletion request — we process those identifiers only to fulfil that request and do not retain them.)
c. Catalog information (not personal data)
To render Lists, the App fetches product, variant, price, and image information from Shopify in real time. This is store catalog data, not personal data.
d. Information we do not process
We do not collect Customer browsing/behavioral analytics, marketing/tracking data, payment card details, or order history beyond what is described above.
2. How we use information, and purpose limitation
We use the information above solely to:
- provide and operate the App's list-management functionality (create, view, edit, and reorder Lists);
- show B2B buyers the correct catalog and pricing for their Company location;
- attribute List actions for audit and to fulfil data-subject requests;
- authenticate sessions and bill the Merchant for the App.
We limit our use of personal data to these purposes. We do not use Customer personal data for advertising, marketing, profiling, or analytics, and we do not sell or rent personal data to anyone.
3. Automated decision-making
The App does not perform automated decision-making or profiling that produces legal or similarly significant effects for any individual.
4. How information is shared
We share information only with the infrastructure providers that run the App, acting as our sub-processors:
| Sub-processor | Purpose | Data location |
|---|---|---|
| Shopify | Platform the App runs on; source of all store/customer data | Per Shopify |
| Cloudflare | Application hosting (Cloudflare Workers) and database storage (Cloudflare D1) | Cloudflare global network |
We do not sell personal data, and we do not share personal data for cross-context behavioral advertising. We may disclose information if required by law.
5. Data retention and deletion
We retain data only as long as needed to provide the App:
- While the App is installed, we retain a Merchant's settings and the Lists created in that store.
-
Customer deletion requests — when Shopify sends a
customers/redactrequest, we delete the Lists owned by that Customer (and their items), delete items that Customer added to shared company Lists, and anonymize any remaining audit references to that Customer. -
Customer data requests — when Shopify sends a
customers/data_request, we compile the List data we hold that references that Customer so the Merchant can respond within Shopify's required timeframe. -
Uninstall — when the App is uninstalled, Shopify sends a
shop/redactrequest approximately 48 hours later, at which point we delete that store's entire dedicated database and remove its records from our systems.
These retention periods ensure personal data is not kept longer than needed for the purposes above.
6. Security
- Encryption in transit: all communication between the App, Shopify, buyers, and our infrastructure uses HTTPS/TLS.
- Encryption at rest: data stored in Cloudflare D1 (and the App's session/configuration store) is encrypted at rest by Cloudflare.
- Tenant isolation: each Merchant's List data lives in its own dedicated, per-store database, so one Merchant's data is never co-mingled with another's.
- Least-privilege access: the App requests only the Shopify API scopes it needs to function.
No method of transmission or storage is completely secure, but we take reasonable measures to protect the information we process.
7. International data transfers
The App runs on Cloudflare's global network and on Shopify's infrastructure, so information may be processed in countries other than where the Customer or Merchant is located. We rely on our sub-processors' safeguards for such transfers.
8. Your rights
Depending on where you live, you (or, for Customer data, the Merchant on a Customer's behalf) may have rights to access, correct, delete, or restrict the processing of personal data, and to object to certain processing.
- Customers: please direct requests to the Merchant whose store you use; the Merchant is the controller of your data. The App provides the Merchant with the tools described in Section 5 to honor deletion and access requests through Shopify.
- Merchants: contact us using the details in Section 11.
9. Children's privacy
The App is a business tool and is not directed to children. We do not knowingly process the personal data of children.
10. Changes to this policy
We may update this policy from time to time. When we do, we will revise the "Last updated" date above and post the new version at the published URL. Material changes will be communicated as required by applicable law.
11. Contact
Digital Project Design (DPD)
Digital Project Design LLC
10441 Chaney Ave, Downey, CA 90241, USA
Privacy/support email: plm@digitalprojectdesign.com
Website: https://www.digitalprojectdesign.com