Privacy Policy
Effective date: March 20, 2026
Introduction
SPRL Studio ("we," "us," or "our") is an inventory management platform for vintage resellers. We help vendors manage product listings, sync inventory across sales channels (including Shopify, Etsy, and Shop SPRL), and fulfill orders from a single dashboard.
This Privacy Policy explains what data we collect, how we use and protect it, and your rights regarding that data. It applies to all users of SPRL Studio, including Shopify merchants who install our app.
1. Data We Access and Collect
Information you provide directly
When you create an account, we collect your name, email address, and business information. You may also provide payment details for vendor payouts through Stripe Connect.
Data accessed via Shopify
When you install SPRL Studio on your Shopify store, we request access to the following data through the Shopify API:
- Products: titles, descriptions, images, variants, pricing, tags, and inventory levels
- Orders: order details, line items, fulfillment status, and customer shipping information
- Inventory: stock quantities and location data
- Store information: shop name, domain, currency, and locale settings
We access this data solely to synchronize your inventory and orders between Shopify and SPRL Studio. We do not access data beyond what is necessary for the app to function.
Data from other platforms
If you connect Etsy or Instagram accounts, we access similar product and listing data from those platforms via their respective APIs. Instagram is used for one-way content publishing only.
Product images for AI processing
When you use our AI metadata extraction feature, your product images are sent to our AI provider (Anthropic) to extract information such as brand, measurements, era, and condition. Images are processed in real time and are not stored by the AI provider after processing is complete.
2. How We Use Your Data
We use the data we collect to:
- Synchronize products, inventory, and orders across your connected sales channels
- Process and fulfill orders received from Shopify and other platforms
- Generate shipping labels through our shipping provider
- Process vendor payouts through Stripe Connect
- Extract product metadata using AI when you opt into that feature
- Provide customer support and respond to your inquiries
- Improve and maintain the reliability of our services
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in this policy.
3. Data Storage and Security
Your data is stored in a PostgreSQL database hosted by Supabase, which provides enterprise-grade infrastructure with encryption at rest and in transit.
Specific security measures include:
- All OAuth access tokens (Shopify, Etsy, Instagram) are encrypted before storage in our database
- API communication between services uses HMAC signature verification and API key authentication
- All data is transmitted over HTTPS/TLS
- Row-level security policies ensure vendors can only access their own data
- Webhook endpoints verify request signatures to prevent unauthorized access
4. Data Retention and Deletion
While you use the app
We retain your data for as long as your account is active and your app is installed. Product data, order history, and sync records are maintained to provide continuous service.
When you uninstall the app
When you uninstall SPRL Studio from Shopify, we process the following data changes within 48 hours:
- Integration data deleted: your Shopify OAuth tokens, store connection details, and sync configuration are permanently removed
- Customer PII scrubbed: personally identifiable information from orders (customer names, email addresses, shipping addresses) is removed or anonymized
- Financial records retained: order totals, payout records, and transaction history are kept as required for tax and legal compliance. These records do not contain customer PII after scrubbing
- Product data: your product catalog data is retained in case you reinstall. You may request full deletion at any time (see Your Rights below)
Shopify mandatory webhooks
We comply with Shopify's mandatory webhook requirements. When we receive a shop/redact webhook, we delete all store-specific data associated with your Shopify domain. When we receive a customers/redact or customers/data_request webhook, we process the request within 30 days as required by Shopify.
5. Third-Party Services
We share data with the following third-party services, each solely for the purpose described:
Supabase
Database hosting and authentication
All application data is stored in Supabase-hosted PostgreSQL. Supabase provides the infrastructure layer and does not access your data for their own purposes.
Anthropic
AI metadata extraction from product images
Product images are sent to Anthropic's API when you use the AI extraction feature. Images are processed in real time and not retained by Anthropic after processing. This feature is opt-in only.
Stripe Connect
Vendor payouts and payment processing
Vendor identity and banking information needed to process payouts. Stripe handles all payment data and is PCI-DSS compliant.
Shippo
Shipping label generation and tracking
Sender and recipient addresses, package dimensions, and order details needed to generate shipping labels and provide tracking updates.
We do not sell data to any third party. Each service listed above receives only the minimum data required to perform its function.
6. Your Rights
For all users
You have the right to:
- Access your data: request a copy of all personal data we hold about you
- Correct your data: request corrections to inaccurate or incomplete data
- Delete your data: request deletion of your personal data, subject to legal retention requirements
- Export your data: receive your data in a portable, machine-readable format
For EU/EEA residents (GDPR)
In addition to the rights above, you may restrict or object to certain processing of your data. Our legal basis for processing is contract performance (providing the service you signed up for) and legitimate interest (improving our services). Where we rely on consent, you may withdraw it at any time.
For California residents (CCPA)
Under the California Consumer Privacy Act, you have the right to know what personal information we collect, request its deletion, and opt out of its sale. We do not sell personal information. You will not receive discriminatory treatment for exercising your CCPA rights.
Rights of your customers
If a customer of your Shopify store contacts us (or you forward their request) asking to access or delete their personal data, we will process that request within 30 days. Customer data we hold is limited to order information (name, email, and shipping address) received through Shopify's API. We honor all data subject requests received via Shopify's mandatory GDPR webhooks.
How to exercise your rights
To make a data access, correction, or deletion request, email us at studio@sprl.shop. We will respond within 30 days. We may ask you to verify your identity before processing your request.
7. Cookies and Analytics
SPRL Studio uses essential cookies for authentication and session management. We do not use third-party advertising cookies or tracking pixels. We may use privacy-respecting analytics to understand usage patterns and improve the service.
8. Children's Privacy
SPRL Studio is a business tool intended for use by adults. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice in the application. The "Effective date" at the top of this page indicates when the policy was last revised.
10. Contact Information
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Email: studio@sprl.shop
General inquiries: studio@sprl.shop
We aim to respond to all privacy-related inquiries within 30 days.