Privacy Policy – HeavyBag

Last updated: December 31, 2025

1) Who we are

HeavyBag ("we", "us", "our") is a Shopify app that lets merchants map upsell products for POS.

2) Information we collect from merchants

• Shopify store data: store name, store domain, access tokens, and app installation details to operate the app.
• Configuration data: product-to-product upsell mappings stored as metafields; app settings such as plan status and mapping counts.
• Operational logs/metrics: anonymized or aggregated request logs for troubleshooting and performance.

We do not collect customer personal data directly. If Shopify webhooks or API responses include customer data, we process it only as needed to operate the app and do not persist it beyond operational needs.

3) How we use merchant data

• To operate the app: fetch/store product mappings, display upsells, and manage billing.
• To provide support and troubleshoot issues.
• To measure app performance and improve reliability.

4) Sharing and disclosure

• We do not sell merchant data.
• We may share data with essential sub-processors (e.g., hosting, database, error monitoring) solely to operate the app.
• We may disclose data if required by law or to protect our legal rights.

5) Data storage and security

• Data is stored in our managed database and hosting infrastructure.
• Access is restricted to necessary personnel and secured via authentication and encryption in transit.
• We retain data only as long as needed to provide the app or comply with legal obligations.

6) Merchant and customer rights

• Merchants can uninstall the app at any time, which revokes our API access.
• GDPR/CCPA requests: contact us using the details below; we will assist with access, correction, or deletion requests for data we control.
• Upon uninstallation, we will delete store tokens and app configuration data within a reasonable timeframe unless retention is required by law.

7) International transfers

Data may be processed in the regions where our hosting and sub-processors operate. We use reasonable safeguards for international transfers.

8) Children

The app is not directed to children under 16 and does not knowingly collect their data.

9) Changes to this policy

We may update this policy. Material changes will be noted by updating the "Last updated" date above.

10) Contact

For privacy inquiries or data subject requests, contact:
Email: chromano@gmail.com
Av Demetrio Mitre, 81, Sao Carlos, SP, Brazil