Privacy Policy

Last updated: 23 May 2026

Overview

Variant Images Gallery ("the App") is a Shopify app installed by merchants on their Shopify stores. This policy explains what data the App accesses, how it uses that data, and what it stores.

What the App accesses

To provide variant-image mapping functionality, the App accesses the following through Shopify's Admin API, scoped to the merchant's store:

• Products, product variants, and product media (images) — read access
• Product and variant metafields under the namespace variant_images_gallery — read and write access
• Shop-level metafields under the namespace variant_images_gallery — read and write access (used to persist app settings)
• Theme list — read access (used to deep-link the merchant into the theme editor's App embeds panel)

The App does not access or read customer data, orders, customer-identifying information, payment data, or any personally identifiable information about a store's shoppers.

What the App stores on its own infrastructure

The App runs on Google Cloud Run with a managed Google Cloud SQL Postgres database. The only data persisted on this infrastructure is:

• Shopify OAuth session records: one row per installed shop containing the shop's myshopify.com domain, the OAuth access token issued by Shopify to the App, scope, and timestamps. These are required for the App to make authenticated Admin API calls on behalf of the merchant.
• Voucher access records: the shop's myshopify.com domain, whether a voucher is active, the redeemed voucher code, and redemption timestamps. These are used only to bypass billing for approved test, partner, or VIP stores.

Variant→image mappings and app settings live in Shopify metafields on Shopify's own infrastructure. The App does not maintain a separate copy of product media or variant assignment data.

How the App uses the data

• Reading products, variants, and media to display them in the admin UI for the merchant to assign images per variant.
• Writing per-product and per-variant metafields to record those assignments.
• Reading the metafield from the theme storefront (via a public storefront-side script) so the gallery can swap when a variant is selected.
• Reading and writing shop-level metafields to persist the merchant's app settings.
• Reading and writing voucher access records to unlock the App for approved test, partner, or VIP stores without Shopify billing.

Data sharing

The App does not sell, rent, or otherwise transfer any data to third parties. The App does not include analytics scripts, tracking pixels, or third-party advertising on the storefront output.

The App relies on the following sub-processors strictly for hosting and infrastructure:

• Google Cloud (Cloud Run, Cloud SQL, Cloud Build, Artifact Registry, Secret Manager) — runs the App and stores OAuth session records.
• Shopify — provides the Admin API, hosts product/variant/shop metafields, and delivers the theme app embed to storefronts.

GDPR mandatory webhooks

The App subscribes to the three GDPR mandatory webhooks and responds as follows:

• customers/data_request: the App does not store any customer data; the webhook is acknowledged.
• customers/redact: the App does not store any customer data; the webhook is acknowledged.
• shop/redact: on receipt, the App deletes the shop's OAuth session record and voucher access record from its Postgres database.

Additionally, on receipt of app/uninstalled, the App deletes the shop's OAuth session and voucher access record immediately rather than waiting for shop/redact.

Data retention

OAuth session records and voucher access records persist for as long as the App remains installed on a store. On app uninstall or on receipt of shop/redact, these records are deleted from the App's database. Metafields stored on Shopify's side are retained according to Shopify's own retention policies and may be removed by the merchant at any time via the Shopify admin.

Cookies and tracking

The App's admin UI runs inside Shopify admin and does not set any cookies of its own beyond what is required by Shopify App Bridge for embedded authentication. The App's theme app embed on the storefront does not set cookies and does not emit analytics or tracking events.

Contact

Questions or data-rights requests? Email praduman508@gmail.com.

Changes to this policy

Material changes to this policy will be communicated to installed merchants by email and noted with an updated "Last updated" date above.