LogoMkSaaS Demo
  • Features
  • Pricing
  • Blog
  • Docs
LogoMkSaaS Demo

Make AI SaaS in days, simply and effortlessly

GitHubX (Twitter)BlueskyYouTube
Built withLogo of MkSaaSMkSaaS
Product
  • Features
  • Pricing
  • FAQ
Resources
  • Blog
  • Documentation
  • Changelog
  • Roadmap
Company
  • About
  • Contact
  • Waitlist
Legal
  • Cookie Policy
  • Privacy Policy
  • Terms of Service
© 2026 MkSaaS Demo. All Rights Reserved.

Privacy Policy

How Storymark collects, uses, and protects your data — including data received via Shopify

2025/03/19

Introduction

Storymark ("we", "our", or "us") operates the Storymark Digital Product Passport platform at fashpass.com and as a Shopify application. This Privacy Policy explains what data we collect, how we use it, and your rights over it.

By using Storymark, you agree to the collection and use of information described in this policy.

Information We Collect

Account Information

When you sign up directly on fashpass.com we collect your name, email address, and password (hashed). When you install Storymark from the Shopify App Store we collect the shop owner's name and email address from your Shopify store's shop information endpoint.

Shopify Store Data

When you connect your Shopify store we receive and store:

  • Product data: product titles, handles, descriptions, images, tags, variants, and product type. This data is used solely to generate and manage your Digital Product Passports.
  • Shop metadata: your shop domain and OAuth access token (encrypted at rest), used to sync products and register webhooks.

We do not store Shopify customer data (orders, customer profiles, purchase history, or payment information). Storymark only reads product catalogue data.

Digital Product Passport Content

All sustainability data you enter into Storymark (materials, certifications, supply chain steps, environmental metrics, etc.) is stored on our servers and published to your public DPP pages.

Usage Data

We collect standard web server logs (IP address, browser, pages visited) and may use analytics tools to understand how the platform is used.

How We Use Your Information

  • To create and manage your Storymark account and brand workspace
  • To sync your Shopify product catalogue and generate Digital Product Passports
  • To display your public DPP pages (accessible via QR code or direct URL)
  • To send transactional emails (account verification, password reset, billing receipts)
  • To process subscription payments via Stripe (standalone) or Shopify Billing (App Store)
  • To improve and maintain the platform

Shopify Data Practices

Storymark is available as a Shopify application. In connection with Shopify:

  • We request only the read_products and write_products OAuth scopes.
  • We do not access, store, or process Shopify customer personal data.
  • Product data synced from Shopify is used only to pre-populate and manage your DPPs within Storymark.
  • When you uninstall the Storymark app, your Shopify access token is immediately revoked and removed from our systems. Your DPP content is retained for 48 hours to allow reinstallation, after which it is permanently deleted per Shopify's GDPR requirements.
  • We respond to Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact).

Data Retention and Deletion

  • Account data: retained while your account is active. You may request deletion by contacting us.
  • Shopify product data: deleted within 48 hours of app uninstallation, in compliance with Shopify's shop/redact webhook requirements.
  • DPP content: retained until you delete it or your account is closed.

Data Security

We implement industry-standard security measures including encrypted connections (TLS), hashed passwords, and encrypted storage of OAuth tokens. Access to production data is restricted to authorised personnel.

Third-Party Services

We use the following third-party services to operate Storymark:

  • Shopify: product data sync and (for App Store merchants) billing
  • Stripe: payment processing for standalone subscriptions
  • Resend: transactional email delivery
  • Cloudflare R2 / AWS S3: file storage for logos and QR code images
  • Vercel / hosting provider: application hosting

Each of these services has its own privacy policy and data handling practices.

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Object to certain processing activities
  • Export your data in a portable format

To exercise any of these rights, please contact us.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the platform. The date at the top of this page reflects when it was last updated.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us.