Privacy policy

Effective May 12, 2026

Who we are

Chart Candy is an embedded Shopify Admin app published by Clip Art Inc. (“Chart Candy”, “we”, “us”) at chartcandy.app. It surfaces sales, product, and traffic dashboards for the merchant who installs it. This page explains what data we receive from Shopify, what we persist, what we don't, and how to delete it.

Data we receive from Shopify

When a merchant installs Chart Candy, Shopify grants the access scopes the app requests. Today those are read_orders, read_customers, read_products, read_analytics, and read_reports. Within the app we read:

  • Shop profile (name, currency, timezone, catalog product count).
  • Paid orders within the rolling chart window (line items, totals, processed-at timestamp, an opaque buyer identifier).
  • Shopify Reports / ShopifyQL aggregates (sessions, referrers, UTM campaigns, product tags, product views, items added to cart).

Buyer email addresses, full names, phone numbers, and addresses are never requested or read. Customers are referenced by anonymous numeric IDs only.

What we store on our servers

Chart Candy keeps the smallest amount of data needed to authenticate the shop and serve its dashboard on the next load. Our PostgreSQL database stores:

  • Shopify session records — the shop's myshopify.com domain, granted scopes, and the Shopify-issued offline access token used to call the Admin API on the merchant's behalf.
  • Plan information — the shop's current Chart Candy tier (Free / Plus / Pro) and the Shopify subscription identifier returned by Shopify Billing.
  • Support requests — only when a merchant submits one through the app's Contact form: the shop domain, the message body, and an optional reply-to email the merchant chooses to include.

Order data, customer data, traffic aggregates, and product analytics are fetched live from Shopify on every dashboard load and are not cached or stored.

Sub-processors

We rely on the following third parties to operate the service:

  • Shopify Inc. — Admin API, Billing API, mandatory privacy webhooks, and the embedded App Bridge runtime.
  • Railway Corp. — application hosting (Node.js runtime) and managed PostgreSQL for the data described above.

All connections are encrypted in transit (TLS 1.2+). We do not sell, rent, or share any data with advertising networks or analytics resellers.

How long we keep data

  • While the app is installed: session and plan records are kept so the dashboard works between visits.
  • On uninstall: Shopify sends a shop/redact webhook approximately 48 hours later. When we receive it, Chart Candy deletes the shop's session, plan, and support-request records.
  • Shopper data: none stored, so the customers/data_request and customers/redact webhooks are acknowledged with no further action.

Your rights (GDPR / CCPA / Shopify Protected Customer Data)

Merchants and the shoppers of a merchant's store have the right to request access to, correction of, or deletion of their personal data. The standard route is via the store admin in Shopify — Shopify forwards the request to Chart Candy through the mandatory privacy webhooks above. You can also email us directly at [email protected] and we will respond within 30 days.

Chart Candy is built to comply with Shopify's Protected Customer Data requirements: we minimize the data we read, never persist buyer PII, and keep a clear audit trail of the privacy webhooks we receive.

Cookies and tracking

The Chart Candy dashboard runs inside Shopify Admin via the App Bridge and authenticates with short-lived Shopify session tokens. We do not set tracking cookies, run third-party analytics on the merchant UI, or share usage data with advertising networks. The public marketing pages at chartcandy.app are served as static HTML without analytics scripts.

Changes to this policy

If we materially change how Chart Candy processes data, we will update this page and bump the effective date above. For substantive changes that affect installed merchants, we'll also surface a banner inside the Chart Candy app the next time you open it.

Contact

Questions, data-access or deletion requests, or anything else: [email protected].