Privacy Policy
Last updated July 7, 2026
BackBy ("we", "us") is a Shopify app built by 8th Origin LLC that captures back-in-stock email signups on sold-out product variants and gives the list to the installing merchant. We collect the minimum data needed to do that job, and only that data.
What we store
Merchant data (the installing Shopify shop):
- Shop domain (
*.myshopify.com) and the Shopify OAuth access token, stored server-side. - App settings you choose — button label, confirmation message, widget color, attribution preference, auto-flip flag.
- Lifetime captured count and subscription state (Shopify Billing subscription id + trial-end date, if subscribed).
Shopper data (visitors who submit the back-in-stock form on your storefront):
- The email address they type (lowercased and trimmed for de-duplication).
- The product id + variant id the email was captured against, a snapshot of the product title and handle at capture time, and the capture timestamp.
We do not store shopper names, IP addresses, payment details, browsing behavior, or device fingerprints, and we set no cookies on the storefront. Shopper emails are never sent to any third party other than the installing merchant.
What we read from Shopify
BackBy requests only the read_products scope: product titles, handles, images, status, and variant inventory state. We do not read orders, customers, checkout data, payment info, or any other Shopify resource, and we never read from or write to Shopify customer records.
What the merchant does with captured emails
BackBy gives you the list. You export it as CSV and send back-in-stock notifications through your own email provider. BackBy never sends email to captured shoppers on its own.
Sub-processors
We share the minimum necessary with the infrastructure that runs the app: Shopify (platform, OAuth, Billing API, webhooks), Vercel (application hosting), Neon (database hosting), and Sentry (server error monitoring — emails are never logged). Each processes data only to provide their service to us.
Retention & deletion
Data is kept while BackBy is installed; you can delete individual waitlist entries from the admin at any time. On uninstall, the app/uninstalled webhook wipes your shop's data immediately, and Shopify's shop/redact webhook (48h later) runs the same wipe again as a fail-safe. If a shopper exercises a redaction right, the customers/redact webhook deletes all waitlist rows matching the supplied email within 30 days.
Shopper rights (GDPR, CCPA)
A shopper who submitted their email via a BackBy form may request access to, or deletion of, the data we hold about them by emailing danny@8thorigin.com with the address used. We respond within 30 days. These rights are independent of the merchant's relationship with the shopper.
Security
Data in transit uses TLS; data at rest is encrypted by our database provider. Every webhook payload is HMAC-SHA256 verified and deduplicated against replay. Production database access is limited to the operator.
Incident response
If we become aware of a security incident affecting merchant or shopper data, we notify affected merchants at their store owner email within 72 hours — what happened, what data was involved, and what we are doing about it — and report it to Shopify through Partner support channels.
Changes
If this policy changes materially, we update the date above and surface the change to installed merchants. Cosmetic edits may go in silently.
Contact
8th Origin LLC — danny@8thorigin.com