Legal
Privacy Policy
Last updated — date TBC
Template — copy to be ported
The structure, type, and measure are final. The dashed notes below say what each section must cover; the actual wording is being ported from the existing site and reviewed before launch.
1. What this covers
Port: who operates InfiniteSync, which app and which site this policy applies to, and the plain-English summary sentence up front — a merchant should be able to read one paragraph and know the shape of the answer.
2. What we collect
Port: the itemized list — store identity and contact details from the Shopify install, the Google account identity from the OAuth grant, sync logs and error records, and basic usage. Separate what is collected automatically from what the merchant hands over.
3. Your Google Drive data
Port — the section that matters most.Which scope is requested and why the narrow one is unusable; which files are read and written; that the files stay in the merchant's own Drive under their own account; and what happens to our access on uninstall. This must line up word-for-word with the permissions section and the FAQ — three different answers to this question is the fastest way to lose a careful reader.
4. Your Shopify data
Port: the scopes requested on the Shopify side, that products and variants are read to resolve SKUs, that product images are written, and the explicit list of what is never touched — orders, customers, inventory, pricing.
5. How we use it
Port: purposes, tied one-to-one to the data listed above. Include the negatives that merchants actually care about: no selling, no ad targeting, no training anything on their photos.
6. Google API Services Limited Use
Port:the Limited Use disclosure required for restricted Drive scopes, including the affirmative statement and the link to Google's policy. Google's verification review reads this section specifically — the required language is prescribed and should not be paraphrased.
7. Sub-processors
Port:the current list of infrastructure and processing providers, what each one handles, and where. Keep it a real list with a real update habit rather than a generic “trusted third parties” sentence.
8. Retention and deletion
Port:how long each category is kept, what uninstalling triggers, and how to request deletion. State plainly that the merchant's images are not ours to delete — they are in their Drive.
9. Your rights
Port: access, correction, deletion, portability, objection; the GDPR and CCPA positions; and the actual route to exercise them, with a response window.
10. Security
Port: encryption in transit and at rest, how OAuth tokens are stored, who internally can reach what. Claim only what is true and currently implemented — this paragraph is the one that gets quoted back in an incident.
11. Changes to this policy
Port: how changes are announced, the notice period for material changes, and where old versions live.
12. Contact
Port: the real support address, the legal entity name and registered address, and the data-protection contact.