Privacy Policy

Last updated: April 16, 2026

Adminlog ("we", "our", "us") is a Shopify embedded application developed by Bedrock Digital Apps. This privacy policy explains what data we collect, why we collect it, how we store and protect it, and what rights you have regarding your data.

1. What data we collect

When you install Adminlog on your Shopify store, we receive and store the following data through Shopify's API:

• Store information: Shop domain, plan tier, staff member names and IDs (for change attribution)
• Product data: Product titles, descriptions, prices, variants, images, SKUs, barcodes, metafields — captured as audit log entries when changes occur
• Order data: Order numbers, customer names, email addresses, order totals, fulfillment status — captured when order lifecycle events occur
• Customer data: Customer names, email addresses, phone numbers, tags — captured when customer records are created or modified
• Inventory data: Stock levels, location names, SKUs — captured when inventory changes occur
• Financial data: Discount codes, price rules, refund amounts — captured when financial events occur
• Theme data: Theme names, settings data (for speed optimization snapshots) — captured when themes are published or modified

We do not collect payment card numbers, bank account details, social security numbers, or any financial credentials. All payment processing is handled exclusively by Shopify.

2. Why we collect this data

We collect and process this data solely to provide the Adminlog service:

• Maintaining an audit trail of changes made in your Shopify store
• Identifying who made each change (staff member attribution)
• Detecting anomalies (unusual patterns such as mass deletions or refund spikes)
• Generating reports and analytics about store activity
• Sending email alerts when configured thresholds or conditions are met
• Providing site speed monitoring and optimization recommendations

We do not sell, rent, or share your data with third parties. We do not use your data for advertising or profiling.

3. Where your data is stored

• Primary database: Managed PostgreSQL hosted on enterprise cloud infrastructure in the United States (US-East region)
• Backups: Daily encrypted database backups synced to offsite object storage within the United States
• Application servers: Enterprise cloud infrastructure in the United States
• Email notifications: Delivered via a major enterprise email provider

All data resides in the United States. We do not transfer data to other countries.

4. How we protect your data

• Encryption in transit: All connections use HTTPS (TLS 1.2+) via automatic Let's Encrypt certificates
• Encryption at rest: Full-disk encryption on all server volumes. Database backups are stored in encrypted offsite object storage.
• Tenant isolation: Every database query is scoped by your shop's unique identifier. One merchant cannot access another merchant's data.
• Authentication: Access is controlled through Shopify's OAuth 2.0 flow. Sessions are stored server-side in PostgreSQL with automatic expiry.
• API security: Enterprise API keys are stored as SHA256 hashes (never plaintext). Webhook callbacks are signed with HMAC-SHA256.
• Rate limiting: Per-shop webhook rate limiting with progressive quarantine prevents abuse and resource exhaustion.
• Integrity verification: Enterprise plan includes cryptographic chain hashing on audit records for tamper-proof verification.

5. Data retention

We retain your audit log data based on your subscription plan:

• Starter plan: 30 days
• Professional plan: 90 days
• Enterprise plan: 365 days (configurable up to 5 years)

Data older than your plan's retention period is automatically deleted by a daily cleanup process. If you uninstall Adminlog, all your data is permanently deleted within 30 days.

6. Your rights (GDPR and CCPA)

You have the right to:

• Access — Request a copy of all data we hold about your store
• Rectification — Request correction of inaccurate data
• Erasure — Request deletion of your data (also happens automatically on uninstall)
• Portability — Export your audit logs in CSV format at any time from the Reports page
• Restriction — Request that we stop processing your data while a complaint is resolved

We honor Shopify's mandatory GDPR webhooks: customers/data_request, customers/redact, and shop/redact. These are processed automatically within 48 hours of receipt.

To exercise any of these rights, email support@bedrk.dev.

7. Cookies and tracking

Adminlog does not use cookies, analytics trackers, or third-party scripts. The only cookies present are those set by Shopify's App Bridge for session management, which are required for the app to function inside the Shopify Admin.

8. Changes to this policy

We may update this privacy policy from time to time. Material changes will be communicated via the in-app notification system. The "Last updated" date at the top of this page reflects the most recent revision.

9. Contact

Bedrock Digital Apps
Email: support@bedrk.dev