Privacy Policy
Effective date: 2026-05-12 · Publisher: Defyn Digital (Australia) · App: Defyn SAM for Shopify
This document describes what data the Defyn SAM Shopify app (the App, we, us) collects when installed on a Shopify store (Merchant, you), what we do with it, and your rights.
1. What we collect
We collect only the minimum data required to operate the integration between your Shopify store and your SAM (Stories Art and Money) tenant. We do not collect or store customer personal information at rest - see Section 3 for the one exception (transient passthrough during order push).
1.1 Shop-level data we store
- Shopify shop domain (e.g. your-store.myshopify.com).
- Shopify OAuth access tokens - issued by Shopify when you install the App. Used to call the Shopify Admin API on your behalf. Stored encrypted at rest.
- SAM API credentials - your SAM username, password, and/or manual API token (provided by you in the App's Settings tab), stored encrypted at rest using AES-256-GCM.
- SAM access + refresh tokens - cached short-lived JWTs issued by SAM. Refreshed automatically and re-sealed on every refresh.
- SAM Art Centre ID - your tenant identifier on the SAM side.
- Webhook secret + URL slug - used to authenticate inbound webhooks from SAM via HMAC-SHA256. Secret is stored encrypted at rest.
- App settings - sandbox mode flag, sync cadence preference, category-fallback IDs, store-staff ID, etc.
1.2 Operational data we store
- Sync run audit trail - for each sync invocation we keep a row with the run kind, status, timestamps, and a JSON summary of per-entity outcomes (created / updated / unchanged / failed counts). Used for support diagnostics and surfaced in your App admin UI.
- Idempotency mapping tables - pairings of SAM-side IDs (categories, artists, artworks, products, product variations, images, discounts) to the Shopify GIDs the App created or updated for them. These tables contain no customer or personally identifiable information.
- Order push idempotency record - for each Shopify order we have pushed (or attempted to push) to SAM, we keep the Shopify order GID, the SAM sales-order ID returned by SAM, attempt counter, timestamps, and the last error message if any. We do not store the order's customer name, email, billing address, shipping address, or line-item personal details after the push completes.
1.3 Encryption at rest
All credentials and secrets are stored using AES-256-GCM authenticated encryption, keyed by a master encryption key held only in our hosting environment's secret store. Sealed values use a versioned envelope (v1:<nonce>:<ciphertext>) to allow safe key rotation.
2. What we do not collect
- We do not persist your customers' names, email addresses, phone numbers, billing addresses, or shipping addresses.
- We do not store payment information (Shopify processes payments; we never receive card data).
- We do not collect data from your Shopify store beyond what the App's declared OAuth scopes authorise.
- We do not sell, rent, or share your data with any party other than the sub-processors listed in Section 4.
3. Customer data passthrough at order-push time
When a Shopify order is placed and the order-push integration is enabled, the App transmits the following fields to SAM as part of the sales record:
- Buyer first name, last name, email, and phone number
- Billing or shipping address (street, city, state, country, postcode)
- Order number, currency, line-item SKUs + descriptions + prices + tax breakdowns, discount code (if any), and shipping cost
This data passes through the App on its way to SAM. It is not stored on our side after the transmission completes. The only persistent record we keep is the Shopify order GID paired with the SAM sales-order ID returned by SAM - neither of which is personally identifiable.
4. Sub-processors
The App relies on the following third-party services to function. Each operates under its own privacy policy and is GDPR-compliant according to its own public documentation.
| Sub-processor | Purpose | Region |
|---|---|---|
| Shopify | Hosting platform, OAuth, billing | Global |
| SAM (Stories Art and Money) | The integration target - your art-centre's ERP | Australia |
| Vercel | Serverless hosting for the App's backend routes | Global (Sydney region by configuration) |
| Neon | Managed Postgres for the App's encrypted-at-rest data store | Configurable region |
| Inngest | Background job scheduling (nightly sync, order-push retries) | Global |
We do not currently rely on any analytics, advertising, or tracking sub-processors.
5. Data retention
- Active install - data is retained for the lifetime of your install.
- App uninstall - your Shopify session row is cleared immediately when Shopify delivers the app/uninstalled webhook.
- Full wipe - approximately 48 hours after uninstall, Shopify delivers the shop/redact webhook. We then delete, in a single database transaction, every row associated with your shop across every table the App maintains.
- GDPR customers/data_request - we acknowledge the request within the required 30-day window. Because we do not store customer personal information at rest (see Sections 1 and 3), there is no customer-level data to provide. If your compliance team requires a written attestation, contact us via the email in Section 8.
- GDPR customers/redact - same reasoning; we have no customer-level data to delete.
6. Your rights (Merchants in the EEA / UK / California)
You have the right to:
- access the data we hold about your shop;
- request correction or deletion of that data;
- restrict or object to processing;
- data portability - receive a copy in a machine-readable format;
- lodge a complaint with your local data-protection authority.
To exercise any of these rights, email us using the address in Section 8. We respond within 30 days.
7. Security
- Credentials and secrets are encrypted at rest with AES-256-GCM.
- All inbound webhooks from SAM are authenticated with HMAC-SHA256 over {timestamp}.{body} and a 5-minute replay window.
- All inbound webhooks from Shopify are authenticated using Shopify's standard HMAC mechanism.
- All in-transit traffic uses HTTPS / TLS 1.2 or higher.
- Our hosting providers (Vercel, Neon) maintain SOC 2 Type II and ISO 27001 certifications as published in their own documentation.
If you believe you have discovered a security vulnerability in the App, please report it to the address in Section 8 rather than disclosing publicly. We will respond within 5 business days.
8. Contact
Questions, requests, or complaints relating to this policy:
9. Changes to this policy
We may revise this policy from time to time. Material changes will be announced via the App's Settings page and via email to the contact on file for each registered shop at least 14 days before the revised policy takes effect.
The current version is always available at samplugin.com/privacy.
10. Governing law
This policy is governed by the laws of Australia. Disputes that cannot be resolved via the contact channels in Section 8 will be referred to the courts of New South Wales, Australia.