PartyKit Uploads — privacy policy
Last updated: 2026-05-21
Operator: Tumbly Haus Creative (Maker Growth Hub)
Contact: see SUPPORT.md
This is the plain-language version. The substance applies whether you install the app from the Shopify App Store or as a custom Maker Growth Hub member install.
Roles
- Merchant (you). You install PartyKit Uploads on your Shopify store. Under GDPR / CCPA you are the data controller for files customers upload through your products.
- PartyKit Uploads (us). We process the files on your behalf as a data processor. We don't sell your data, we don't sell your customers' data, and we don't use it to train AI models.
- Customer. Your customer who uploads a file on your storefront. We never have a direct relationship with them — only with you.
What we collect
When a merchant installs the app:
- Shop info — your *.myshopify.com domain, install timestamp, the OAuth access token Shopify issues us. Stored in our Neon Postgres database.
- App configuration — per-product upload rules, fee rules, storage backend selection, moderation thresholds. Stored in our Neon Postgres database.
- OAuth credentials for any third-party storage backend you connect (Google Drive, Dropbox). Encrypted at rest using PARTYKIT_ENCRYPTION_KEY.
When a customer uploads a file:
- The file itself — its bytes, filename, MIME type, dimensions (for images), and SHA hash. Goes to whichever storage backend you've configured (Shopify Files by default, or your S3 / R2 / Drive / Dropbox).
- Upload metadata — cart token, eventually order GID + line item GID, upload timestamp. Stored in our Neon Postgres database so you can see the file in our admin browser and tie it back to an order.
- Moderation results — if AI moderation is enabled, the NSFW classification scores. Computed in the customer's browser and stored alongside the upload record.
We do not collect:
- Customer name, email, IP address, or any other identifier from the upload flow. Files are tied to a cart token (and later an order), not to a person directly.
- File contents for any analytical purpose. We never look inside customer files. AI moderation runs in the customer's browser before the file leaves their device.
Where it goes
- Database: Neon Postgres (US-East, AWS). Encrypted in transit (TLS) and at rest (Neon platform default).
- Storage backends: wherever the merchant configures —
  - Default: Shopify Files (lives in your Shopify account, not ours).
  - Optional: your AWS S3 bucket, Cloudflare R2 bucket, Google Drive account, or Dropbox app folder. Files are written with your credentials; we don't get a copy.
- App-server logs: Vercel hosts the app. Standard request logs (URL, status code, IP) are retained per Vercel's default policy (~30 days). We don't log file contents or customer identifiers.
Retention
- App configuration + upload metadata is retained while you have the app installed.
- On uninstall the app/uninstalled webhook cascade-deletes your Shop row and all related data immediately.
- 48 hours after uninstall Shopify fires shop/redact. We do a belt-and-suspenders sweep, deleting any remaining rows AND best-effort deleting the underlying files from Shopify Files / your S3 / R2 / Drive / Dropbox.
- Customer redaction (customers/redact) fires when a customer or merchant invokes the right to erasure. We delete the index rows and the underlying files for that customer's orders within 10 days (Shopify's prescribed window).
- Data request (customers/data_request) — we log the request and the upload list. You fulfill the request to the customer through your normal channel within 30 days.
Sub-processors
- Vercel — application hosting.
- Neon — Postgres database hosting.
- Shopify — auth, app proxy, theme extension delivery, Files API.
- Anthropic — used only in the dev pipeline (Claude Code), never in the runtime data path.
- OpenAI / Cloudflare AI — only if a Studio-tier merchant brings their own API key for custom moderation rules. We never proxy keys; the merchant's browser calls the model directly.
Security
- TLS everywhere.
- OAuth tokens for storage backends encrypted at rest with a 256-bit AES key (PARTYKIT_ENCRYPTION_KEY).
- HMAC validation on all Shopify webhooks and App Proxy requests.
- No long-lived credentials in the client — storefront block only sees configuration, never tokens.
- 2FA enforced on all team members with production access.
Your customers' rights (GDPR / CCPA)
Customers can ask you (the merchant) to:
- Access their data — you produce the file + metadata from our admin browser.
- Erase their data — you trigger Shopify's customers/redact flow for the order; we process automatically.
- Object to processing — you can simply disable the upload block on the relevant product; we'll never receive new uploads.
If you (the merchant) want to leave entirely, uninstall the app — your data is hard-deleted within 48 hours.
Children
PartyKit Uploads is not designed for collecting data from users under 13. If you operate a store that targets children, talk to us before installing — your DPA may need additional terms.
Changes
We'll update the "Last updated" date at the top and notify installed merchants by email + in-app banner at least 30 days before any material change.
Contact
Questions or requests: see SUPPORT.md.