nmuaInstall StockAlert →
※  StockAlert

privacy

Last updated · May 2026

1. Who this covers

This privacy policy covers StockAlert specifically - our Shopify inventory monitoring and alerting app published by Noomua. For questions about this policy, contact us at hello@noomua.com.

2. What StockAlert accesses and stores

What we read from your store. StockAlert uses the following Shopify access scopes:

  • read_products, read_inventory, read_locations - product titles, variant IDs, stock levels, and location data to evaluate thresholds and send alerts.
  • read_orders, read_fulfillments - order and fulfillment data (including merchant and third-party fulfillment orders) to compute per-variant sales velocity and power restock forecasting. The order webhooks we receive contain an order identifier, the product variants purchased, their quantities, and the assigned fulfillment locations. We read this data; we do not retain individual order line items beyond what is described below.
  • write_inventory - used only when you explicitly trigger the merchant-initiated Restock action. We do not write to your inventory unless you initiate that action.

What we store. The data we persist:

  • Your shop domain and Shopify access token (token is invalidated and nulled on uninstall).
  • Your plan name and alert settings.
  • The notification email addresses you configure in the app - these are merchant-provided addresses for receiving alerts, not your customers' emails.
  • Product and variant data: titles, IDs, stock levels, and per-SKU thresholds.
  • An alert-history log.
  • An order identifier plus aggregated per-variant, per-location sales counters derived from order and fulfillment data. The order identifier is stored so we can de-duplicate attribution and reverse the counters if an order is refunded or cancelled; the counters themselves drive sales-velocity forecasting. We do not store individual order line items beyond this.

No store-customer PII. StockAlert does not collect or store customer names, customer email addresses, phone numbers, billing addresses, shipping addresses, or any other personally identifiable information about your end shoppers. The velocity engine operates entirely on aggregated unit counts - customer identity is irrelevant to how it works.

3. How we use your data

  • Alerting and digests. Inventory levels are checked against your thresholds; low-stock alerts and daily summaries are delivered to your configured notification addresses via Resend.
  • Restock forecasting. Aggregated sales-velocity counters are used to predict when each variant will run out and recommend optimal reorder timing.
  • Merchant-initiated Restock. When you trigger the Restock action, we use the write_inventory scope to update inventory levels in your store on your instruction.
  • App improvement. Aggregate usage patterns help us understand reliability and feature priorities.

Your data is not sold and is not used for advertising. We share it only with the sub-processors listed below, to the extent required to operate the app.

4. Sub-processors

  • Shopify - app installation, OAuth authentication, and billing.
  • Supabase - database storage for all app data.
  • Resend - delivery of transactional alert emails and daily digests.
  • Fly.io - hosting and infrastructure for the StockAlert backend.

5. Data security

Data is encrypted in transit using HTTPS/TLS and encrypted at rest by Supabase, our database provider. Your Shopify access token is obtained through Shopify's OAuth flow - we do not handle or store your raw Shopify login credentials. Billing runs through Shopify Billing, so no payment or card data ever touches StockAlert's systems.

6. Data retention and compliance

App data is retained for as long as StockAlert is active on your store.

On uninstall. When you uninstall StockAlert, the app/uninstalled webhook fires immediately: your Shopify access token is invalidated and nulled, and your store locations are deactivated. Your remaining data - alert settings, thresholds, history, velocity counters, and notification addresses - is not deleted at this point. It is retained so that reinstalling does not require a full re-sync.

Roughly 48 hours after uninstall, Shopify fires the shop/redact webhook. At that point all of your store data is permanently and irreversibly deleted. You can request immediate, permanent deletion at any time by emailing hello@noomua.com.

GDPR. StockAlert handles Shopify's mandatory GDPR webhooks:customers/data_request, customers/redact, and shop/redact. Because we do not store customer PII, customer-data requests are honoured as confirmed no-ops. The shop/redact webhook triggers permanent deletion of all store data.

7. Your rights

Depending on your location, you may have the right to access, correct, or delete the data we hold about your store. To exercise any of these rights, email us at hello@noomua.com and we will respond within a reasonable timeframe.

8. Changes and contact

We may update this policy as the app or legal requirements change. Material changes will be noted with an updated date at the top of this page. Continued use of StockAlert after changes are posted constitutes acceptance of the updated policy.

For privacy questions or data requests, contact hello@noomua.com. Please include “StockAlert Privacy” in your subject line.

StockAlert Terms← Back to StockAlertStockAlert Docs →View on App Store →