Suplio Privacy Policy

Effective date: June 11, 2026

This privacy policy describes how Veltrio Labs LLC ("Veltrio Labs", "we", "us") collects, uses, and protects data when you install and use Suplio, our analytics and guard-alerts app for Shopify Collective suppliers (the "App"). It applies to the App specifically; our website is covered by the separate website privacy policy.

Controller and processor roles

For data exchanged through the Shopify Admin API on behalf of your store, Suplio acts as a data processor. You, the merchant who installs the App, remain the data controller.

Data we store

Suplio requests read-only access scopes (read_orders, read_products, read_inventory, read_locations) and writes nothing back to your store. When you install and use the App, we store:

  • Shopify session and shop information — session records (offline access token, scope, shop domain), shop name, currency, timezone, and the active billing subscription. We use these to identify your store and provide the App.
  • Order data — for orders tagged Shopify Collective only: order ID and number, tags, financial status, currency, totals and discount amounts, line items (variant, SKU, title, quantity, price), the linked retailer order reference and shipping cost from order attributes, and timestamps. Orders without the Collective tag are discarded after evaluation.
  • Product and inventory data — product/variant IDs, titles, SKUs, inventory policy, unit costs when set, and available inventory levels for products observed in Collective orders.
  • Derived data we generate — retailer records discovered from order tags, daily per-retailer rollups, guard alert events, activity logs, email logs for digests we send you, and short-lived webhook deduplication records.

We do not collect or store personal data of your storefront customers. The App does not request customer scopes and does not store customer names, emails, addresses, or any other buyer-identifying fields from order payloads. There is no payment instrument data, no storefront tracking, and no pixels or SDKs on your storefront.

How we use the data

  • To provide the App's functionality: per-retailer analytics, payout aging, margin-leak detection, guard alerts, and email digests.
  • To provide customer support when you contact us.
  • To monitor errors and keep the App reliable and secure.
  • To bill for the App through Shopify's billing system.

We do not sell or rent your data, and we do not use it for advertising.

Shopify GDPR webhooks

The App subscribes to and honors Shopify's mandatory privacy webhooks:

  • customers/data_request — because the App does not store storefront customer personal data, we respond confirming that no customer data is held.
  • customers/redact — likewise, there is no storefront customer data to redact; the request is acknowledged and logged.
  • shop/redact — when Shopify sends this webhook after you uninstall the App, any remaining data associated with your shop is permanently deleted from our systems.

Data location and retention

App data is stored in a PostgreSQL database hosted on Neon; the application itself runs on Fly.io. Data is retained while the App is installed, subject to the history window of your plan. On uninstall, all shop data is hard-deleted when the app/uninstalled webhook is received, and again on the shop/redact compliance webhook 48 hours later. Limited records may be retained longer where required for legal, accounting, or fraud-prevention purposes.

Subprocessors

We use the following service providers to operate the App:

Subprocessor Purpose
Fly.io Application hosting
Neon Database
Resend Transactional email (merchant digests and alerts)
Sentry Error monitoring (error context with identifiers stripped)

Your rights

As a merchant, you can:

  • request a copy of the data we hold about your shop;
  • request correction of inaccurate data;
  • request deletion of your data (uninstalling the App also triggers deletion, as described above);
  • ask questions about how your data is processed.

To exercise any of these rights, contact us at privacy@veltriolabs.com. We respond to verified requests within 30 days.

Security

Data is encrypted in transit (TLS) and at rest by our hosting and database providers. Access to production systems is limited to authorized personnel and protected by authentication.

Changes to this policy

We may update this policy as the App evolves. Material changes will be reflected by an updated effective date on this page, and we will notify you of significant changes through the App or by email.

Contact

For privacy questions or requests, email privacy@veltriolabs.com. You can also use the in-app "Contact support" link in the footer of any Suplio page.

Veltrio Labs LLC, a Wyoming limited liability company.