Privacy Policy

Last updated: June 25, 2026

1. Who we are

Quay is currently operated by Andrei Markov, an individual entrepreneur registered in Georgia, trading as “Simple Business”. Contact for privacy questions: [email protected].

For your store's data being processed by an app you've installed: you, the merchant, are the data controller for your buyers' personal data; Quay is the data processor, acting on your instructions per the Shopify Partner Program agreement and our Terms of Service.

These Terms of Service together with this Privacy Policy constitute the written processing agreement required under GDPR Article 28 between Quay (as processor) and you (as controller). If your business requires a separate bilateral Data Processing Agreement, contact us at [email protected].

By accepting these terms, you authorize Quay:

Quay personnel with access to your data are bound by confidentiality obligations consistent with GDPR Article 28(3)(b).

Quay is operated from Georgia and complies with the Law of Georgia on Personal Data Protection (No. 3144/2023, in force since 1 March 2024), overseen by the Personal Data Protection Service (PDPS). Because your store and your buyers may be located in the European Economic Area or the United Kingdom, we also process personal data in line with the EU GDPR and the UK GDPR; where those apply, the Article 28 commitments above govern our role as processor.

2. Data we read from Shopify

When you install Quay, the app calls Shopify's Admin API to read the following. We request only the scopes the service needs. One of them — read_all_orders — is a scope Shopify gates behind explicit justification; Quay requests it solely to read your full B2B order history (see Orders below), not just the most recent 60 days. We do not request scopes unrelated to credit management, such as write_payment_mandate or storefront pixel-tracking scopes.

3. Data we write back to Shopify

Quay writes the results of its analysis to company metafields under the $app:billing namespace. These remain in Shopify while the app is installed:

The $app: prefix means only Quay can write to these metafields, and they are set merchant-readable. On uninstall, Shopify's standard dialog offers a checkbox to delete the app's metafields with the app's data.

4. Data we store in our own database

To operate Quay, we maintain a Postgres database hosted by DigitalOcean (United States). For each shop, we store:

We do not store your buyers' addresses, phone numbers, payment information, or browsing behavior. We do not store any data about visitors to your storefront.

Buyer-facing banner. Quay's Customer Account UI Extension shows the authenticated buyer a single banner on their Shopify customer account page when their company is over its limit or on credit hold, explaining the restriction and who to contact. The banner is composed at the company level: it does not list individual invoices, balances, or another contact's orders. Healthy accounts and direct-to-consumer buyers see nothing. It is shown only to the buyer through Shopify's Customer Account authentication, scoped to their own company — never another company's.

5. Marketing site (quayhq.com)

The marketing site at quayhq.com uses Cloudflare Web Analytics: a cookie-free, privacy-first analytics service that aggregates page views and referrer data without setting tracking cookies and without persistent visitor identifiers. We use it to understand traffic sources and content effectiveness. No personal data is collected. We believe no consent banner is required because the marketing site uses no cookies or persistent identifiers; if your jurisdiction's regulator takes a different view on cookie-free analytics, contact us at [email protected].

The app itself (everything under app.quayhq.com) uses no analytics.

6. Subprocessors

Data we entrust to operational vendors:

Quay does not sell your data, serve advertising, or share your data with advertising networks or third-party product-analytics services. If we engage a new operational subprocessor in the future — for example, an error-monitoring service to improve reliability, or the transactional email provider described below — we will add it to this list and notify installed merchants before it goes live.

Email transport. When reminder emails ship in V1.1, we will engage a transactional email provider (currently expected to be Resend or Postmark). We will update this page and notify installed merchants before the feature is enabled.

7. Data retention

While Quay is installed, we retain operational data for as long as needed to run the service.

On app uninstall, Shopify revokes our access token and fires the app/uninstalled webhook. We delete your access tokens and session rows immediately, and we schedule the rest of your shop data for deletion 30 days later.

The 30-day grace window exists so an accidental uninstall — or a reinstall while you evaluate Quay — does not lose your configuration. If you reinstall within 30 days, the pending deletion is cancelled and your policies, company assignments, and history are preserved. If you do not reinstall, a daily cleanup job permanently and irreversibly deletes all of your shop's data once the window elapses — including the audit log, the order-invoice projection, your policies, and every operational cache and queue listed in Section 4. Nothing is retained indefinitely.

Your stored data is accessible only to Quay operations staff (currently a single founder) and is never shared with third parties beyond the subprocessors in Section 6. If you want your data deleted sooner than the 30-day grace window, contact us at [email protected]. We will acknowledge your request within 30 days and purge promptly.

Cache refresh schedules: the KPI cache refreshes hourly; the Shopify staff identity cache refreshes every 24 hours.

8. Shopify GDPR webhooks

Every Shopify app must implement three GDPR-related webhooks. Quay implements them as follows:

When reminder emails ship in V1.1, the customers/data_request and customers/redact handlers will be extended to export and delete reminder-log entries that include buyer email addresses.

9. Your rights

As a merchant, you can:

As one of a merchant's buyers: route data-subject requests through the merchant first. If a request involves data that touches Quay, the merchant can contact us and we will support them in responding.

10. Security

The following applies to the Quay application at app.quayhq.com. The marketing site at quayhq.com is a static site hosted on Cloudflare Pages with no servers or PII storage.

Security incidents. If we become aware of a confirmed security incident affecting your data, we will notify you in writing without undue delay, and in any event within 72 hours of becoming aware for incidents involving EU/UK data subjects — so you can meet your own GDPR Article 33 obligations toward your supervisory authority. We will include details of the incident, its scope, and the steps we are taking to mitigate it.

11. International transfers

Our database is hosted by DigitalOcean in the United States. If you are based in the European Economic Area, the United Kingdom, or another jurisdiction with cross-border data-transfer restrictions, your data is transferred to and processed in the United States. We rely on:

12. Children

Quay is a business tool intended for use by merchants and their B2B customers. We do not knowingly collect data from anyone under 16. If you believe we have, contact [email protected].

13. Changes to this policy

We will post material updates to this page and update the "Last updated" date. For substantive changes that affect installed merchants, we will notify you through the in-app banner before the changes take effect.

14. Contact

For privacy questions, data-subject requests, or to inquire about retained records: [email protected].