← Back to home

1. Who We Are

Stovura (“Stovura,” “we,” “us,” or “our”) is a public Shopify embedded application that provides inventory and demand-planning tools for Shopify merchants, with an initial focus on apparel direct-to-consumer brands. The App connects to a merchant’s Shopify store and analyses product, inventory, and order data to provide demand forecasting, inventory planning, and replenishment recommendations.

This Privacy Policy explains what personal data we process in connection with the App, why, and the rights available to merchants and their customers.

Who operates Stovura

The App is currently operated by Pallavi Dhanopiya, an individual sole proprietor based in Pune, Maharashtra, India. References in this Policy to “Stovura,” “we,” “us,” or “our” mean this operator. If the App is later operated by a registered legal entity, this section and the contact table below will be updated to name that entity, and the updated “Last updated” date will indicate the change.

Contact details:

OperatorPallavi Dhanopiya (sole proprietor)
Postal addressPune, Maharashtra, India
Privacy / data requestsprivacy@stovura.com
General supportsupport@stovura.com
Websitehttps://stovura.com
App listingShopify App Store

2. Our Role: Processor, Not Controller

Under the EU General Data Protection Regulation (“GDPR”) and comparable laws, the merchant who installs Stovura is the data controller for any personal data processed through their store. Stovura acts as a data processor, processing data only on the merchant’s documented instructions and only to provide the App’s functionality.

The formal allocation of responsibilities between the merchant (controller) and Stovura (processor) is set out in our Data Processing Agreement (“DPA”), which forms part of the merchant’s agreement to use the App.

3. What Data We Process

Stovura is designed around data minimisation. We process only what the App needs to generate inventory plans, and we deliberately do not collect customer-identifying information. The categories below describe everything the App processes.

3.1 Installation and Shopify authentication (OAuth)

Stovura is installed from the Shopify App Store and authenticates through Shopify’s standard OAuth flow. When a merchant installs or opens the App, Shopify provides:

The access token is a credential, not customer data; it is stored securely and used only to make authorised API calls on the merchant’s behalf. It is cleared when the merchant uninstalls the App.

3.2 Store, catalog, inventory, and order data

To produce forecasts, sell-through metrics, and reorder recommendations, the App reads the following from the merchant’s Shopify store through Shopify’s APIs:

From these inputs the App generates forecasting and planning data — demand forecasts, size/colour curves, sell-through metrics, safety-stock and reorder calculations, and the resulting buy lists. This derived data describes product movement, not individuals.

3.3 Merchant account and configuration data

We process the settings a merchant enters to operate the App — for example lead times, service levels, supplier minimum-order quantities, and per-colour or per-style planning preferences — together with basic operational data such as server logs. These describe the merchant’s business preferences and account, not end customers.

3.4 What we explicitly do NOT collect

Stovura does not request, receive, or store customer personal data. Within Shopify’s protected customer data framework, we hold Level 1 access and have deliberately left every protected customer field unselected. We do not access or store:

Because of this design, the App holds no end-customer personal data at rest. The order-derived information we keep is aggregated sales facts (units per variant per day), which describe product movement rather than people.

3.5 Usage telemetry

To understand how merchants use the App and where it can be improved, Stovura records a small amount of self-hosted usage telemetry. This telemetry is engineered to contain no personal data of end customers and no sensitive store data:

Examples of what telemetry records: that an install occurred; that a catalog sync ran and roughly how many products/locations it covered; that a reorder list was generated and the spread of recommendation states; that a CSV export was served and how many rows; and categorised error events (for example, “import / validation error”) without the underlying message. The complete field-by-field inventory is maintained internally in our telemetry data inventory and is available to merchants on request.

4. Why We Process Data (Purpose and Lawful Basis)

We use data only for the purposes above. We do not sell personal data, and we do not use merchant or customer data — including derived or aggregated data — to develop or train AI or machine-learning systems.

DataPurposeLawful basis (GDPR)
Products, variants, inventory, locationsGenerate forecasts, sell-through metrics, and reorder recommendationsPerformance of the merchant’s contract; legitimate interests
Order-derived sales facts (variant, quantity, date — aggregated)Calculate demand and seasonalityPerformance of contract; legitimate interests
Usage telemetry (pseudonymous)Measure feature usage and reliability to improve the AppLegitimate interests (minimised, store-level)
Account / authentication / settingsOperate, secure, and configure the AppPerformance of contract

5. Sharing and Sub-Processors

We do not sell personal data and do not share it for advertising. We disclose data only to the limited service providers (“sub-processors”) needed to run the App, and to Shopify as the platform. Our current sub-processor is:

Sub-processorPurposeData locationOwnership
Render (Render Services, Inc.)Application hosting and managed PostgreSQL databaseEuropean Union (Frankfurt, Germany)U.S.-incorporated; EU region used

Shopify itself acts as the platform and, depending on the data flow, as a controller or processor under its own terms and Data Processing Addendum. We will give merchants advance notice of any change to our sub-processor list and an opportunity to object, as set out in the DPA.

6. Where Data Is Stored and International Transfers

All merchant and store data processed by Stovura is stored in the European Union (Frankfurt, Germany) on Render’s managed infrastructure. We selected EU data residency specifically to keep merchant data within the EEA at rest.

Two cross-border considerations apply:

7. How We Protect Data

We maintain technical and organisational measures appropriate to the data we handle, including:

No method of transmission or storage is completely secure, but these measures are designed to reduce risk in proportion to the limited and non-identifying nature of the data we hold.

8. How Long We Keep Data

We keep data only as long as needed to provide the App, and we delete it on the triggers below.

DataRetentionDeletion trigger
Store / catalog / aggregated sales data, settings, reorder outputsKept while the App is installedDeleted when the merchant uninstalls and on a shop-data erasure (“shop redact”) request — see Section 9
Usage telemetry (pseudonymous)Up to 180 days on a rolling basis while installedOlder events purged automatically; all telemetry for a store purged on uninstall / shop-redact
Authentication session dataDuration of installationCleared on uninstall

These two retention periods are intentionally distinct: store and order-derived data persist only while the App is installed and are erased on uninstall/erasure, whereas telemetry is additionally subject to a rolling 180-day maximum even during active use. A standalone Retention Policy statement accompanies this notice.

9. Merchant and Data-Subject Rights

Subject to applicable law, merchants and, where relevant, their customers may request to access, correct, delete, restrict, or port personal data, and may object to certain processing. Because Stovura holds no end-customer personal data, most customer-level requests will have nothing to action in our systems; we nonetheless respond to and log every request we receive through Shopify’s required channels.

We implement Shopify’s mandatory privacy webhooks:

To exercise a right or ask a question, contact us at privacy@stovura.com. Merchants subject to GDPR may also lodge a complaint with their local supervisory authority.

10. Children’s Data

Stovura is a business-to-business tool used by merchants to manage inventory. It is not directed to children and does not knowingly process children’s personal data.

11. Changes to This Policy

We may update this Privacy Policy as the App or legal requirements change. We will post the updated version with a new “Last updated” date and, where required, notify merchants. Continued use of the App after an update constitutes acceptance of the revised policy.

12. Contact Us

For any privacy question or request:

Pallavi Dhanopiya
Pune, Maharashtra, India
Privacy / data requests: privacy@stovura.com
General support: support@stovura.com
Website: https://stovura.com

Governing law: India, without prejudice to mandatory data-protection rights merchants and their customers have under the GDPR and other applicable laws.


← Back to home