Privacy Policy

Last updated: May 12, 2026

Bismuth Studio ("we", "us", "our") operates the Gizmo: Limited Edition Drops Shopify application ("the App"). This policy explains what data we collect from merchants who install the App, how we use it, and your rights regarding that data.

Information We Collect

When you install the App, we collect and store the following:

• Shop domain and access token — required to authenticate API requests to your Shopify store.
• Shop timezone — your store's IANA timezone (e.g. "America/New_York"), used to calculate daily limit reset times in your local time.
• Limit configurations — product IDs, product titles, limit types, quantity caps, and schedule settings you define within the App.
• Shopify order IDs and line item quantities — recorded when a paid order contains a product with an active limit, solely to track units sold against that limit. We do not store customer names, email addresses, or any other personal data from orders.
• Inventory snapshots — a record of your product variant inventory levels at the time a limit is triggered as sold out, used to restore your inventory accurately if you end the limit.

How We Use Your Information

All data collected is used solely to provide the App's functionality: enforcing purchase limits on your products, displaying limit status in the App dashboard, and restoring your inventory when a limit ends. We do not use your data for advertising, analytics, or any purpose unrelated to the App.

Data Storage and Security

Your data is stored on servers hosted by Render (render.com) in the United States. All data is transmitted over HTTPS using TLS encryption. We verify the authenticity of all Shopify webhook payloads using HMAC signatures before processing them.

Data Retention

We retain your data for as long as the App is installed on your store. When you uninstall the App, Shopify delivers a shop/redact webhook to our servers within 48 hours. Upon receiving it, we permanently delete all data associated with your shop, including limit records, order tracking records, and inventory snapshots.

Third-Party Sharing

We do not sell, trade, or share your data with third parties. The only external services that process your data are our infrastructure providers:

• Render (render.com) — application hosting and managed PostgreSQL database.
• Shopify — the platform through which the App operates.

Your Rights (GDPR & CCPA)

As a merchant using our App, you have the right to request a copy of the data we hold about your store, request correction of inaccurate data, and request deletion of your data at any time. You may also withdraw consent by uninstalling the App, which triggers automatic deletion as described above.

To exercise any of these rights, contact us at gizmo@bismuth.studio.

GDPR — Data Processing

For merchants in the European Economic Area, we act as a data processor on your behalf (you are the data controller). We process only the data necessary to provide the App's features and implement appropriate technical and organizational measures to protect that data.

Sub-processors: Render (hosting), Shopify (platform).

The App includes handlers for Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact). Because we store no customer personal data, customer data requests and redact requests are no-ops. Shop redact requests trigger full data deletion as described above.

Changes to This Policy

We may update this policy from time to time. We will post the revised policy at this URL with an updated "Last updated" date. Continued use of the App after changes constitutes acceptance of the revised policy.

Contact

For privacy-related questions, contact us at: gizmo@bismuth.studio