Last updated: February 24, 2026
This Privacy Policy ("Policy") describes how Beemlo ("we," "us," or "our") collects, uses, stores, and protects information in connection with the Beemlo application for Shopify (the "Service"). By installing or using the Service, you ("Merchant," "you," or "your") acknowledge that you have read and understood this Policy.
The short version: Beemlo does not store any personally identifiable information (PII) about your customers. We store only Shopify resource IDs, tag names, metafield namespaces, metafield keys, metafield values, and timestamps. No customer names, email addresses, phone numbers, physical addresses, or payment information ever touch our servers.
This Policy applies to all information collected or processed by Beemlo through (a) the Shopify application, (b) the embedded admin extension blocks, (c) the Beemlo web dashboard, and (d) any communications between you and Beemlo (collectively, the "Service"). This Policy does not govern any third-party services, including Shopify, to which you may link or with which you may interact.
When you install Beemlo, we collect and store:
myshopify.com domain (e.g., your-store.myshopify.com)We use this information solely for account identification, authentication, and transactional communications related to the Service.
When tags or metafields are created, modified, or removed on customers, orders, or products in your Shopify store, Shopify delivers a webhook notification to our servers. From each webhook payload, we extract and store only the following:
We generate and store operational logs relating to webhook processing, error diagnostics, and Service performance. These logs may contain Shopify resource IDs and store domain identifiers but do not contain PII.
Beemlo is architected to minimize data collection. We do not collect, store, or process:
Beemlo does not interact with, render content to, or collect any information from your store's online storefront or your end customers' browsers.
Beemlo requests only the minimum read-only permissions necessary to deliver the Service:
| Scope | Purpose |
|---|---|
read_customers | Identify customer resources referenced in tag and metafield change events |
read_orders | Identify order resources referenced in tag and metafield change events |
read_products | Identify product resources referenced in tag and metafield change events |
Beemlo does not request and has never requested any write, delete, or modify permissions. We never create, alter, or delete any data in your Shopify store.
We process the information described in Section 2 solely for the following purposes:
We do not use your data for advertising, marketing, profiling, automated decision-making, behavioral analytics, or any purpose other than providing and maintaining the Service.
For Merchants located in the European Economic Area ("EEA") or the United Kingdom ("UK"), our legal bases for processing are:
Your data is stored on Cloudflare's global edge network using Cloudflare D1 databases. The Beemlo application is hosted on Vercel. Transactional emails are sent via Resend.
Each Merchant's change event data is stored in a dedicated, isolated database instance. No Merchant can access another Merchant's data. Store configuration data (domains, subscription status, preferences) is stored in a separate shared configuration database with row-level access controls.
All data in transit between your browser, the Shopify platform, and our servers is encrypted using TLS 1.2 or higher. Data at rest in Cloudflare D1 is encrypted using Cloudflare's platform-level encryption.
Access to stored data is restricted to authenticated requests originating from your Shopify admin session (verified via Shopify's session token). Administrative access to our infrastructure is limited to authorized personnel using multi-factor authentication.
We do not sell, rent, lease, trade, or otherwise disclose your data to third parties for monetary or other valuable consideration. For purposes of the California Consumer Privacy Act, as amended ("CCPA"), we do not "sell" or "share" personal information as those terms are defined under the CCPA.
We engage the following third-party service providers, each of which processes data solely on our behalf and pursuant to written agreements that impose data protection obligations substantially similar to those described in this Policy:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Cloudflare, Inc. | Data storage (D1), compute (Workers), CDN, DDoS protection | Change event data, store configuration | Global edge network |
| Vercel, Inc. | Application hosting | Shopify session tokens (transient) | United States |
| Resend, Inc. | Transactional email delivery | Merchant email address, store domain | United States |
We do not engage any other subprocessors. We will update this table if subprocessors change and will provide thirty (30) days' advance notice of any new subprocessor via email or by updating this Policy.
We may disclose your information if required to do so by law, court order, subpoena, or other legal process, or if we reasonably believe that disclosure is necessary to (a) comply with applicable law, (b) protect our rights, property, or safety, or (c) prevent fraud or abuse of the Service.
Your data may be processed on servers located outside your country of residence, including in the United States. For transfers of data from the EEA or UK to countries not recognized by the European Commission as providing an adequate level of data protection, we rely on:
You may request a copy of the applicable SCCs by contacting us at support@beemlo.com.
shop/redact webhook forty-eight (48) hours after you uninstall the application. Upon receipt, we delete all data associated with your store from all databases.In accordance with Shopify's requirements, we have implemented and respond to all three mandatory privacy compliance webhooks:
customers/data_request): When a customer requests their data from you, Shopify notifies us. Because Beemlo does not store any customer PII, we acknowledge the request and confirm that no personally identifiable data is held.customers/redact): When you request deletion of a customer's data on their behalf, we permanently delete all tag events, metafield events, tag snapshots, and metafield snapshots associated with that customer's Shopify resource ID from your store's database. Erasure is completed within thirty (30) days of receipt.shop/redact): Forty-eight (48) hours after you uninstall Beemlo, Shopify sends this webhook. Upon receipt, we permanently delete all data in your store's dedicated database and remove your store configuration record from our shared database.Regardless of your jurisdiction, you have the right to:
If you are located in the EEA or UK, you additionally have the right to:
If you are a California resident, you have the right under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), to:
To exercise any of these rights, contact us at support@beemlo.com. We will verify your identity by confirming your Shopify store domain and respond within forty-five (45) days, as required by law.
We respect the privacy rights granted by applicable law in your jurisdiction, including but not limited to Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, and South Korea's PIPA. To exercise any rights under applicable law, contact us at support@beemlo.com.
To the extent that Beemlo processes any data on your behalf that constitutes "personal data" under the GDPR or analogous data protection legislation, the parties acknowledge that you are the data controller and Beemlo is the data processor. Our Data Processing Agreement ("DPA"), which incorporates the Standard Contractual Clauses, governs such processing and is hereby incorporated into this Policy by reference. The DPA is available at beemlo.com/dpa and applies automatically to all Merchants.
In the event of a confirmed data breach affecting your data, we will:
The Service is a business-to-business application intended solely for use by Shopify merchants and their authorized personnel. The Service is not directed at, marketed to, or intended for use by individuals under the age of eighteen (18), or the applicable age of majority in their jurisdiction. We do not knowingly collect personal information from children. If you believe that a child has provided personal information to us, please contact us immediately at support@beemlo.com.
Beemlo does not engage in automated decision-making or profiling that produces legal or similarly significant effects on any individual. The Service is a passive recording tool that logs changes initiated by other sources.
The Beemlo application runs as an embedded Shopify app and does not set any cookies, tracking pixels, or local storage in your store's online storefront. Within the Shopify admin, we rely on Shopify's native session token mechanism for authentication. We do not use third-party analytics, advertising trackers, or social media pixels of any kind.
We may update this Policy from time to time. When we make material changes, we will (a) update the "Last updated" date at the top of this page, (b) notify you by email at the address associated with your Shopify store, and (c) where required by applicable law, obtain your consent before processing your data under the revised Policy. Non-material changes (e.g., typographical corrections) take effect immediately upon posting. Your continued use of the Service after the effective date of any revised Policy constitutes acceptance of such changes.
For questions, concerns, or requests relating to this Policy or your data, please contact:
Beemlo
Email: support@beemlo.com
If you are located in the EEA and believe we have not adequately addressed your data protection concern, you have the right to lodge a complaint with your local supervisory authority.