Privacy Policy
Last updated: May 14, 2026
This Privacy Policy explains how Steady collects, uses, stores, and deletes data when Shopify merchants install and use the Steady app.
1. Who This Policy Covers
Steady is a subscription management app for Shopify merchants. We process merchant data and limited customer data only when a merchant installs the app, configures features, or directs Shopify to send us webhook events and API data needed to provide the service.
2. What We Collect
We collect data needed to operate subscription workflows, recover failed payments, support merchant-configured outbound webhooks, and provide optional advisor assistance.
- Shop information such as store domain, shop identifiers, billing and app configuration metadata, and subscription settings.
- Customer information that merchants direct Shopify to send to us through webhook topics and API access, including customer name, email address, and phone number.
- Subscription data mirrored from Shopify resources such as subscription contracts, billing attempts, and related customer records required for subscription management.
- Operational data such as app usage logs, webhook delivery logs, and support messages.
- Optional advisor inputs and outputs when a merchant uses AI-assisted support or guidance features.
3. How We Use Data
- Run subscription management workflows inside the merchant's Shopify store.
- Support dunning, failed-payment recovery, and merchant-directed customer subscription operations.
- Deliver merchant-configured outbound webhooks and operational notifications.
- Provide optional advisor AI assistance for merchants who choose to use those features.
- Maintain service security, troubleshoot incidents, and improve reliability.
4. Subprocessors and Service Providers
We use a limited number of service providers to operate Steady:
- Fly.io for application hosting and infrastructure support.
- Anthropic for optional advisor AI assistance. Zero Data Retention status is pending and not yet represented as contracted ZDR coverage.
- Email provider for transactional and support email delivery. Provider finalization is in progress.
5. Retention and Deletion
- Subscription mirror data is retained while the merchant uses Steady and deleted or anonymized after uninstall, subject to Shopify-mandated redaction and legal obligations.
- Raw webhook buffer data is intended to be retained for up to 7 days once the planned buffer retention fix is fully deployed.
- Advisor conversation data is retained for up to 90 days.
- Data is encrypted at rest and in transit.
6. Shopify Data Rights and GDPR Requests
Steady supports merchant and customer privacy workflows using Shopify's required mechanisms. Where applicable, data export and deletion requests are handled through Shopify privacy endpoints and related internal deletion processes, including:
- customers/data_request for export requests.
- customers/redact for customer deletion requests.
- shop/redact for shop-level data deletion requests.
Merchants and data subjects may also contact us directly to request access, correction, deletion, or portability review where required by GDPR or other applicable privacy laws.
7. Security
We use administrative, technical, and organizational safeguards designed to protect merchant and customer data, including encryption, access controls, and logging appropriate to the service.
8. Contact
For privacy questions, data requests, or support related to this policy, contact support@demandx.io.