Uploads A-Plenty

Privacy Policy

Last updated: February 28, 2026

App: Uploads A-Plenty
Developer: RAVENCI Solutions
Contact: hello@uploads-a-plenty.com

1. What We Collect

From Merchants (App Users)

  • Shop information: Shopify domain, shop name, and email address (provided during app installation via Shopify OAuth)
  • Authentication data: OAuth access tokens (encrypted at rest using AES-256-GCM)
  • Billing information: Managed entirely by Shopify. We never see or store payment card details.
  • Usage data: Storage usage, feature usage stats, and error logs for app operation and support

From End Customers (Shoppers)

  • Uploaded photos: Original and cropped versions of photos customers upload for their orders
  • Order information: Shopify order ID and line item details (received via webhook from Shopify)
  • Technical data: Browser type and device type for widget compatibility

What We Do NOT Collect

  • Customer names or physical addresses (directly)
  • Payment or credit card information
  • Browsing history or tracking data
  • Data from third-party cookies

2. How We Store Data

  • Photos are stored in Cloudflare R2 (S3-compatible object storage), encrypted in transit via TLS/HTTPS, and isolated by merchant using shop-specific folder prefixes. Access is controlled via time-limited signed URLs.
  • Application data is stored in Supabase (hosted PostgreSQL) with encrypted connections and regular backups.

3. File Retention

Photos are automatically deleted based on the merchant's subscription plan:

  • Free: 30 days
  • Starter: 90 days
  • Professional: 180 days
  • Business: 365 days

Merchants can manually delete photos at any time. After retention expiry, cropped photos are automatically removed by our cleanup process.

4. Security Measures

  • AES-256-GCM encryption for stored access tokens
  • TLS/HTTPS for all data in transit
  • Rate limiting on all API endpoints
  • Input validation and sanitization
  • Magic byte validation for file uploads
  • HMAC verification for all Shopify webhooks
  • Time-limited presigned URLs for file access

5. Data Sharing

We do not sell, rent, or share personal data. Data is shared only with:

  • Shopify: For authentication, billing, and webhook processing (as required for app operation)
  • Cloudflare: For file storage (as a data processor, under their privacy terms)
  • Law enforcement: Only when required by applicable law

6. GDPR Compliance

Under GDPR, the merchant is the data controller and Uploads A-Plenty acts as a data processor. We support:

  • Data subject access requests
  • Data deletion requests
  • Data portability requests
  • Data Processing Agreements (DPA) upon request

We implement Shopify's mandatory GDPR webhooks for customer data requests, customer data erasure, and shop data erasure.

7. CCPA Compliance

  • We do not sell personal information
  • We support “Do Not Sell My Personal Information” requests
  • We support data access and deletion requests

8. What Happens on Uninstall

  • Billing is cancelled immediately through Shopify
  • Shop data is marked for deletion
  • All uploaded photos and shop data are permanently deleted within 30 days
  • Authentication tokens are revoked

9. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via the app's admin interface or email. Continued use of the app after changes constitutes acceptance of the updated policy.

10. Contact

For privacy-related inquiries, data requests, or DPA requests:

Email: hello@uploads-a-plenty.com
Developer: RAVENCI Solutions
Response time: Within 48 hours on business days