BoxBook

← Back to home

Privacy Policy

Last updated: April 17, 2026

BoxBook (“BoxBook,” “we,” or “us”) provides shipping-material inventory tracking and rule-based automation for Shopify merchants. This Privacy Policy explains what information we collect when you install and use BoxBook, how we use it, and the choices you have.

1. Who this policy covers

This policy applies to Shopify merchants who install BoxBook on their store and to their staff who use the embedded app. BoxBook is a business-to-business tool — we do not market to, or knowingly collect data from, the end customers of merchants who use Shopify to sell to consumers.

2. Information we collect

We collect only what we need to operate the app. Specifically:

  • Shop profile: your Shopify shop domain, store name, primary email, country, currency, and install / uninstall timestamps.
  • Authenticated user profile: the Shopify user ID, name, email, and locale of staff who open the embedded app, supplied to us by Shopify through the standard OAuth flow.
  • Shopify API credentials: the OAuth access token issued to BoxBook for your store, encrypted at rest.
  • Store operations data: locations, fulfillments, and order events received from Shopify webhooks so we can evaluate your rules and decrement the correct materials.
  • App-generated content: the materials, stock levels, rules, executions, and stock-transaction history you create inside BoxBook.
  • Notification preferences: any low-stock alert email you configure, plus a record of alerts we sent.
  • Operational logs: minimal request, webhook, and error logs used to keep the service healthy. These do not contain buyer personal data.

BoxBook requests the Shopify scopes read_fulfillments, read_locations, read_orders, and read_products. We do not request write access to your storefront or customer records.

3. Buyer (customer) data

When Shopify sends us fulfillment or order webhooks, the payload can include buyer details such as a shipping address or customer ID. BoxBook uses these payloads only to match rule conditions (for example, tag- or location-based routing) and to reference the originating event in its audit log. We do not build buyer profiles, share buyer data with third parties, or use it for marketing. Raw event payloads are retained only as long as needed for rule execution and troubleshooting.

4. How we use information

  • Authenticate you and keep your Shopify session secure.
  • Evaluate the rules you define and adjust material stock in response to Shopify fulfillment events.
  • Display dashboards, history, and executions scoped to your shop.
  • Send operational notifications (such as low-stock alerts) to the email you configure.
  • Report usage to Shopify’s billing API so your subscription and per-order charges are accurate.
  • Monitor, debug, and improve the service, and respond to support requests.

5. How we share information

We do not sell your data. We share information only with the service providers that are necessary to run BoxBook, and only to the extent they need it:

  • Shopify — for authentication, webhooks, billing, and app installation.
  • Our hosting and database providers — to run the application and store your data.
  • Resend — when you enable email notifications, to deliver low-stock and other operational emails on our behalf.

We may also disclose information when required by law, to enforce our terms, or to protect the rights, property, or safety of BoxBook, our merchants, or others.

6. Data retention and deletion

We retain shop and app data while BoxBook is installed on your store. When you uninstall the app, or when Shopify sends us a shop-redact request, BoxBook deletes or anonymizes your shop’s data in accordance with Shopify’s mandatory privacy webhooks:

  • customers/data_request — we respond with any buyer data we hold for the requested customer.
  • customers/redact — we delete or anonymize buyer data we hold for the requested customer.
  • shop/redact — forty-eight hours after app uninstall, we delete the shop’s data from our systems. Aggregated, non-identifying statistics may be retained.

7. Security

BoxBook uses HTTPS in transit, encrypts Shopify access tokens at rest with AES-256-GCM, validates every webhook’s HMAC signature, and enforces strict per-shop scoping on every query. Access to production systems is restricted to authorized personnel. No system is perfectly secure, but we take reasonable measures to protect your information.

8. International transfers

BoxBook is operated from, and data is processed in, regions that may differ from where you or your customers are located. By installing BoxBook you acknowledge that your information may be transferred to and processed in those regions, subject to appropriate safeguards.

9. Your rights

Depending on where you and your customers reside, applicable privacy laws (including the GDPR and CCPA) may grant rights to access, correct, export, or delete personal information. Merchants can exercise these rights directly in Shopify; we honor the standard Shopify privacy webhooks described above. Merchant staff can contact us at privacy@boxbook.io for any request concerning their own account data.

10. Children’s privacy

BoxBook is intended for use by businesses and their staff. It is not directed to children under 13, and we do not knowingly collect personal information from children.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. Material changes will be communicated in-app or by email when appropriate.

12. Contact

Questions about this policy or our data practices? Email us at privacy@boxbook.io.

© 2026 BoxBook. Built for Shopify merchants.

HomePrivacyShopify admin