Privacy Policy
Last updated: June 25, 2026
Quick summary. Quay is a B2B credit management app for Shopify wholesale stores. We process two kinds of data: Shopify data we read through the Admin API (your companies, orders, payment terms) and operational data we store ourselves (your app settings, the AR aging projection, our audit log, your subscription state).
We do not sell your data, run ads, or share it with advertising networks, and the Quay app itself runs no third-party analytics or tracking. We share data only with the operational vendors (subprocessors) listed in Section 6 below. Reminder emails to your buyers are deferred to a future version (V1.1) and will be disclosed here before they ship.
1. Who we are
Quay is currently operated by Andrei Markov, an individual entrepreneur registered in Georgia, trading as “Simple Business”. Contact for privacy questions: [email protected].
For your store's data being processed by an app you've installed: you, the merchant, are the data controller for your buyers' personal data; Quay is the data processor, acting on your instructions per the Shopify Partner Program agreement and our Terms of Service.
These Terms of Service together with this Privacy Policy constitute the written processing agreement required under GDPR Article 28 between Quay (as processor) and you (as controller). If your business requires a separate bilateral Data Processing Agreement, contact us at [email protected].
By accepting these terms, you authorize Quay:
- To process your store's personal data only as needed to provide the service described in our Terms of Service §2.
- To process data only on your documented instructions, which are these Terms and this Privacy Policy (GDPR Article 28(3)(a)).
- To engage the subprocessors listed in Section 6 of this Privacy Policy (GDPR Article 28(3)(d), which incorporates the conditions of Article 28(2)). We will notify you in writing before any changes to the subprocessor list take effect, giving you a reasonable opportunity to object.
Quay personnel with access to your data are bound by confidentiality obligations consistent with GDPR Article 28(3)(b).
Quay is operated from Georgia and complies with the Law of Georgia on Personal Data Protection (No. 3144/2023, in force since 1 March 2024), overseen by the Personal Data Protection Service (PDPS). Because your store and your buyers may be located in the European Economic Area or the United Kingdom, we also process personal data in line with the EU GDPR and the UK GDPR; where those apply, the Article 28 commitments above govern our role as processor.
2. Data we read from Shopify
When you install Quay, the app calls Shopify's Admin API to read the
following. We request only the scopes the service needs. One of them —
read_all_orders — is a scope Shopify gates behind explicit
justification; Quay requests it solely to read your full B2B order history
(see Orders below), not just the most recent 60 days.
We do not request scopes unrelated to credit management, such as
write_payment_mandate or storefront pixel-tracking scopes.
- Companies — names, IDs, payment terms, contact information. Required to compute and assign credit policies per company.
- Customers — the association between a buyer (a company contact) and their B2B company. In the current version we read only this linkage (the customer ID and the company it maps to) to apply the correct company's credit context at checkout and in the buyer's account banner. Contact names and emails are read only when reminder emails ship in a future version; they are not used today.
- Orders — line items, totals, payment status, and fulfillment status, used to compute the outstanding-balance projection per company. Because B2B net terms can run to Net 90 and overdue invoices stay unpaid well beyond Shopify's default 60-day order window, Quay requests the read_all_orders scope so the one-time history import at install and the daily reconciliation can see your full B2B order history; day-to-day updates come from order webhooks.
- Payment terms (net-30, net-60, etc.). Required to determine when invoices are overdue.
- Staff identity (currentStaffMember) — name and email of the merchant staff member currently using the Quay admin UI. Used solely to display "who made this change" in the in-app audit log.
- Shop name and address — for sender identity in future reminder emails (V1.1; not used today).
3. Data we write back to Shopify
Quay writes the results of its analysis to company metafields
under the $app:billing namespace. These remain in
Shopify while the app is installed:
- credit_limit — the credit limit you set for each company.
- available_credit — the computed amount the company can still charge.
- enforcement_state — off / hide_net_terms / hard_block, the runtime authoritative state read by checkout enforcement.
- enforcement_reason — human-readable cause of the current state.
- in_plan — whether the company is covered by your current subscription cap.
The $app: prefix means only Quay can write to these
metafields, and they are set merchant-readable. On uninstall, Shopify's
standard dialog offers a checkbox to delete the app's metafields with the
app's data.
4. Data we store in our own database
To operate Quay, we maintain a Postgres database hosted by DigitalOcean (United States). For each shop, we store:
- Sessions — your Shopify offline access tokens, managed by Shopify's official session-storage adapter. Encrypted at rest by DigitalOcean's managed Postgres disk encryption.
- Shop settings — your in-app preferences (display name, sender email for future reminders, AR aging window, etc.).
- AR aging projection — a per-order outstanding-balance record computed from your Shopify orders. Not authoritative: refreshed from Shopify on each order webhook.
- Policy assignments — which credit policy (Standard, Trusted, VIP, Probation, or High Risk) applies to each company.
- Audit log — append-only record of policy edits, credit limit changes, and manual enforcement toggles. Records the Shopify staff user ID that made each change.
- Staff identity cache — names and emails of Shopify staff members who made audit-logged changes. Refreshed every 24 hours from Shopify.
- Subscription state — your Quay plan, status, and billing-period dates. Synced from Shopify's Billing API.
- Webhook deduplication table — Shopify webhook IDs we've already processed, to prevent double-counting under Shopify's retry behavior.
- Net Terms suspension state — for each company location Quay has placed on pay-on-order (because it is over its limit, overdue, or manually held), we record the original Shopify payment-terms template so we can restore it later.
- Dashboard metrics cache — a cached snapshot of your AR aging figures and the names of your top companies by outstanding balance, used to render the dashboard quickly. Derived from your Shopify data and refreshed hourly; never authoritative.
- Operational caches and a background-job queue — which of your companies are within your plan's limit, and a transient queue of background recompute/sync jobs. These hold only shop and company identifiers plus job bookkeeping (including the staff user ID that triggered a job), and are reconstructed from Shopify on demand.
- Reminder dispatch log — an append-only record of reminder emails sent. Reserved for the V1.1 reminder feature and currently empty (Quay sends no emails today).
We do not store your buyers' addresses, phone numbers, payment information, or browsing behavior. We do not store any data about visitors to your storefront.
Buyer-facing banner. Quay's Customer Account UI Extension shows the authenticated buyer a single banner on their Shopify customer account page when their company is over its limit or on credit hold, explaining the restriction and who to contact. The banner is composed at the company level: it does not list individual invoices, balances, or another contact's orders. Healthy accounts and direct-to-consumer buyers see nothing. It is shown only to the buyer through Shopify's Customer Account authentication, scoped to their own company — never another company's.
5. Marketing site (quayhq.com)
The marketing site at quayhq.com uses Cloudflare Web
Analytics: a cookie-free, privacy-first analytics service that
aggregates page views and referrer data without setting tracking cookies
and without persistent visitor identifiers. We use it to understand
traffic sources and content effectiveness. No personal data is collected.
We believe no consent banner is required because the marketing site uses
no cookies or persistent identifiers; if your jurisdiction's regulator
takes a different view on cookie-free analytics, contact us at
[email protected].
The app itself (everything under app.quayhq.com) uses
no analytics.
6. Subprocessors
Data we entrust to operational vendors:
- Shopify — your platform of record. We read from and write to your Shopify store via the Admin API. Per the Shopify Partner Program agreement.
- DigitalOcean (United States) — application hosting and managed Postgres database. Disk encryption at rest; TLS in transit.
- Cloudflare (US/global) — DNS, CDN, and cookie-free Web Analytics for the marketing site.
Quay does not sell your data, serve advertising, or share your data with advertising networks or third-party product-analytics services. If we engage a new operational subprocessor in the future — for example, an error-monitoring service to improve reliability, or the transactional email provider described below — we will add it to this list and notify installed merchants before it goes live.
Email transport. When reminder emails ship in V1.1, we will engage a transactional email provider (currently expected to be Resend or Postmark). We will update this page and notify installed merchants before the feature is enabled.
7. Data retention
While Quay is installed, we retain operational data for as long as needed to run the service.
On app uninstall, Shopify revokes our access token and
fires the app/uninstalled webhook. We delete your access
tokens and session rows immediately, and we schedule the
rest of your shop data for deletion 30 days later.
The 30-day grace window exists so an accidental uninstall — or a reinstall while you evaluate Quay — does not lose your configuration. If you reinstall within 30 days, the pending deletion is cancelled and your policies, company assignments, and history are preserved. If you do not reinstall, a daily cleanup job permanently and irreversibly deletes all of your shop's data once the window elapses — including the audit log, the order-invoice projection, your policies, and every operational cache and queue listed in Section 4. Nothing is retained indefinitely.
Your stored data is accessible only to Quay operations staff (currently a single founder) and is never shared with third parties beyond the subprocessors in Section 6. If you want your data deleted sooner than the 30-day grace window, contact us at [email protected]. We will acknowledge your request within 30 days and purge promptly.
Cache refresh schedules: the KPI cache refreshes hourly; the Shopify staff identity cache refreshes every 24 hours.
8. Shopify GDPR webhooks
Every Shopify app must implement three GDPR-related webhooks. Quay implements them as follows:
- customers/data_request — when one of your buyers asks for their data, Shopify forwards the request to Quay. Today Quay stores no buyer-keyed personal data (the audit log and AR projection are keyed by company and order, not by buyer). We acknowledge receipt and return success.
- customers/redact — when one of your buyers asks for their data to be deleted, Shopify forwards the request. We acknowledge receipt and return success (no buyer-keyed records to delete in V1).
- shop/redact — when you uninstall and opt into deleting the app's data, Shopify fires this webhook approximately 48 hours later. We immediately and irreversibly delete all of your shop's stored data across every table — access tokens, audit log, order-invoice projection, policies, and every operational cache — rather than waiting out the 30-day grace window in Section 7.
When reminder emails ship in V1.1, the customers/data_request
and customers/redact handlers will be extended to export and
delete reminder-log entries that include buyer email addresses.
9. Your rights
As a merchant, you can:
- Access your data inside Shopify at any time — we write results back to your metafields.
- Export records through Shopify's standard reports.
- Request deletion of your stored data sooner than the 30-day post-uninstall grace window by emailing [email protected].
- Lodge a complaint with your local data-protection authority.
As one of a merchant's buyers: route data-subject requests through the merchant first. If a request involves data that touches Quay, the merchant can contact us and we will support them in responding.
10. Security
The following applies to the Quay application at
app.quayhq.com. The marketing site at quayhq.com
is a static site hosted on Cloudflare Pages with no servers or PII storage.
- All data in transit is encrypted with TLS. HTTPS-only, with HSTS enabled.
- Postgres connections use TLS (sslmode=require) over a private VPC network between the app and database.
- Postgres disk is encrypted at rest by DigitalOcean's managed Postgres service.
- Application database queries are scoped by shop ID through a Prisma client extension that throws when the scope is missing; the few low-level maintenance queries are explicitly shop-scoped. One merchant's data cannot be queried by another merchant — a constraint built into how the database client is constructed.
- Shopify webhooks are verified by HMAC signature before any processing.
- Embedded admin requests are verified by Shopify session token (JWT).
- Secrets are stored only in DigitalOcean's encrypted environment variables. Never in source code, never in logs.
Security incidents. If we become aware of a confirmed security incident affecting your data, we will notify you in writing without undue delay, and in any event within 72 hours of becoming aware for incidents involving EU/UK data subjects — so you can meet your own GDPR Article 33 obligations toward your supervisory authority. We will include details of the incident, its scope, and the steps we are taking to mitigate it.
11. International transfers
Our database is hosted by DigitalOcean in the United States. If you are based in the European Economic Area, the United Kingdom, or another jurisdiction with cross-border data-transfer restrictions, your data is transferred to and processed in the United States. We rely on:
- Shopify's Data Processing Addendum, which you accepted as a Shopify merchant.
- For onward transfers to our subprocessors (DigitalOcean, Cloudflare), we rely on their published Data Processing Agreements, which include Standard Contractual Clauses or equivalent transfer mechanisms. Standard Contractual Clauses are not signed bilaterally between Quay and individual merchants.
- DigitalOcean's and Cloudflare's published security and compliance posture.
12. Children
Quay is a business tool intended for use by merchants and their B2B customers. We do not knowingly collect data from anyone under 16. If you believe we have, contact [email protected].
13. Changes to this policy
We will post material updates to this page and update the "Last updated" date. For substantive changes that affect installed merchants, we will notify you through the in-app banner before the changes take effect.
14. Contact
For privacy questions, data-subject requests, or to inquire about retained records: [email protected].