Privacy Policy
Last updated: June 17, 2026
Dealex - Expiry Discount Rules (“the App”) is a Shopify application developed and maintained by Kreativdev (“we”, “us”). This Privacy Policy explains how we collect, use, and protect information in connection with your Shopify store when you install and use the App.
1. Information We Collect
When you install Dealex - Expiry Discount Rules on your Shopify store, we access and store the following information through Shopify's APIs:
- Store information: Your shop domain, store name, currency, timezone, and installation timestamp.
- Merchant account information: First name, last name, email address, Shopify user ID, and account role (store owner or staff) — provided by Shopify during OAuth authentication and stored in your API session record.
- Product and variant data: Product IDs, titles, handles, variant IDs, SKUs, barcodes, and pricing — stored only for products where you create batches in the app.
- Batch data: Batch identifiers, expiry dates, quantities, cost prices, status, and received dates — created and managed by you within the app.
- Order data: Shopify order IDs, line item IDs, product and variant references, quantities, and order timestamps — stored for batch traceability and FEFO audit trail purposes.
- Customer data: Only a one-way SHA-256 hash of the customer's email address from orders. The original email is never stored and cannot be recovered from the hash. This hashed reference is used solely for batch-to-order traceability and recall-related investigations. We do not collect or store customer names, addresses, phone numbers, plain-text emails, or payment details.
- Billing data: Subscription ID, selected plan, status, and trial end date — managed through Shopify's Billing API.
- Automation data: Discount rules you configure, automation run logs, and price sync job records.
- Shopify metafields: We store a variant-level expiry date metafield and a storefront badge toggle metafield on your Shopify store to power the app's features.
We request the following Shopify access scopes, which are the minimum required for the App to function:
- read_products, write_products — read and manage product and variant data, and apply price changes from discount rules.
- read_inventory — read inventory levels to track stock movements across batches.
- read_orders — read order details for batch allocation and traceability.
2. How We Use Your Information
We use the data we collect exclusively to provide and operate the features of Dealex - Expiry Discount Rules:
- Expiry tracking: Monitoring product batches by expiry date and tracking stock levels per batch across multiple lots.
- Discount automation: Applying automated discount rules triggered by days-to-expiry thresholds you configure, with price changes synced to your Shopify store.
- Stock rotation: Allocating specific batches to customer orders using FEFO (First Expiry, First Out) so products nearest to expiry are shipped first.
- Storefront display: Showing expiry dates on your storefront through an optional Theme App Extension block (Expiry Badge) that reads variant-level metafields.
- Analytics and reporting: Generating at-risk inventory reports, realized expiry loss tracking, sell-through rates, and recovered value calculations.
- Recall management: Linking batches to recall records so affected products can be traced to customer orders.
- Plan enforcement: Applying feature limits based on your active billing subscription tier.
We do not sell, rent, or share your information with any third parties for advertising or marketing purposes.
3. Data Storage and Security
Dealex - Expiry Discount Rules and its database are hosted on Railway (railway.app), a cloud platform that provides managed PostgreSQL infrastructure. Your data is stored in this managed database.
We implement the following security measures to protect your information:
- All data in transit is encrypted using HTTPS/TLS between your browser, Shopify's servers, and our infrastructure.
- Shopify API access tokens are stored exclusively on the server and are never exposed to your browser or client-side code.
- All incoming webhooks from Shopify are cryptographically verified to confirm they originate from Shopify's servers.
- OAuth callbacks are validated via HMAC signature verification.
- Each store's data is logically isolated through tenant-scoped database queries — every record is tied to a specific shop identifier.
- A strict Content Security Policy is enforced that prohibits external tracking domains, analytics scripts, and unauthorized third-party connections.
4. Data Retention and Deletion
While Dealex - Expiry Discount Rules is installed on your store, your data is retained for as long as needed to provide the service.
When you uninstall the app, our uninstall webhook performs the following cleanup automatically:
- Permanently deletes all your shop data from our database — including products, variants, batches, orders, rules, automation logs, settings, and billing records — through cascading deletion.
- Deletes all session credentials and API access tokens for your store.
- Attempts to remove app-created metafields (expiry date values and storefront badge toggle) from your Shopify products and variants on a best-effort basis.
In addition, we implement Shopify's mandatory GDPR privacy compliance webhooks:
- shop/redact: Triggers the same full cascade deletion of your store's data from our database.
- customers/data_request: Acknowledged — we do not hold plaintext customer data. Only an irreversible SHA-256 hash is stored, which cannot be used to retrieve or identify an individual customer.
- customers/redact: We hash the provided email using the same one-way SHA-256 function and nullify matching customerEmailHash values on order-to-batch traceability records. No plaintext customer identifiers are stored.
5. Third-Party Services
Dealex - Expiry Discount Rules relies on the following third-party services as data processors:
- Shopify Inc. — The app is an embedded Shopify application and uses Shopify's Admin API, Billing API, Webhooks, Metafields, and CDN to function. Your use of Shopify is governed by Shopify's Privacy Policy.
- Railway Corp. (railway.app) — Provides the cloud infrastructure and managed PostgreSQL database that hosts the app and stores all data. Railway acts as a data processor on our behalf.
We do not use any third-party analytics services, error-tracking tools, email marketing platforms, advertising networks, or AI services. No data is shared with any additional providers beyond Shopify and Railway.
6. Your Data Rights
Dealex - Expiry Discount Rules implements Shopify's mandatory GDPR and CPRA privacy compliance webhooks. As a merchant, your store data qualifies as your data. Individual customer personal data is not stored by this App (only a one-way hashed email reference for recall tracing).
Our processing of your personal data is subject to applicable data protection laws, including the GDPR where it applies. If you are located in the EU, EEA, UK, or other regions with similar data protection laws, you may have additional rights regarding your personal data.
If you need to access, correct, or delete your personal data, or exercise any other data subject right under applicable law, you may:
- Contact us at contact@kreativdev.com. We will respond to verified requests in accordance with applicable data protection laws.
- Uninstall the app at any time, which triggers automatic deletion of all your shop data.
7. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted at https://kreativdev.com with an updated date.
8. Contact
For privacy-related questions or to exercise your data rights, contact us at:
Email: contact@kreativdev.com
Website: https://kreativdev.com