Apollo by eBrands← Back to home
Privacy Policy

Apollo by eBrands — Shopify Privacy Policy

Last updated: July 2026

1. Who we are

Apollo is a software platform operated by eBrands Holdings Oy ("eBrands", "we", "us"). The Apollo Shopify connector at shopify.ebrands.com is the authorization entry point that enables Apollo to access your Shopify store data through the Shopify Admin API.

2. What this policy covers

This policy describes how Apollo collects, processes, stores, retains, and deletes Shopify-derived data accessed via the Admin API under your authorization. It is designed to comply with Shopify's API License and Terms of Use and Protected Customer Data requirements.

3. What data we access

Under your authorization, Apollo reads only the Admin API data needed to deliver the features you have signed up for:

  • Orders: order IDs, line items, quantities, status, market, and fulfillment timestamps.
  • Inventory: stock levels per location and per variant.
  • Financials & payouts: payout reports, fees, refunds, and settlement records.
  • Catalog & listings: products, variants, SKUs, prices, and inventory items.
  • Customers: customer records associated with orders you have chosen to sync.

Apollo accesses Protected Customer Data (buyer name, address, contact) only when strictly necessary for fulfillment-related features, and handles it under stricter rules described in section 6.

4. How we use the data

Shopify-derived data is used solely to:

  • Provide the operations dashboard, customer intelligence, and inventory planning features.
  • Aggregate brand performance across the channels you sell on, for your own use.
  • Support and troubleshoot your Apollo account when you contact us.

We do not, and will not:

  • Use Shopify data to market your customers with unrelated communications.
  • Aggregate or sell competitive insights across other merchants' data.
  • Share Shopify data with advertising networks or unrelated third parties.

5. Legal basis

Where the GDPR or equivalent regimes apply, our legal basis for processing Shopify-derived data is the contract between eBrands and the partner who authorized the connector, and our legitimate interest in operating and securing the Apollo platform. For Protected Customer Data, the controller is the merchant; eBrands acts as processor.

6. Encryption and security

  • In transit: All Shopify data is transmitted using TLS 1.2 or higher.
  • At rest: PII is encrypted at rest using AES-256. Access tokens are stored in HashiCorp Vault with an AWS Secrets Manager mirror for disaster recovery.
  • Access control: Unique user IDs, mandatory MFA, least-privilege role-based access, quarterly access reviews. Off-boarded staff lose access within 24 hours.
  • Logging: Access to systems handling Shopify data is logged and monitored. Vulnerability scanning runs continuously; an incident response plan is documented and tested.

7. Retention

  • PII: retained for no more than 30 days after order delivery, except where a longer period is required by tax, legal, or accounting obligations.
  • Non-PII Shopify data: retained for up to 18 months from collection unless a longer period is required by law or to provide the service you have contracted for.

8. Deletion and data removal

On uninstallation of the app, or on written request to apollo@ebrands.com, Apollo permanently and securely deletes Shopify data tied to your store within 30 days, in line with NIST media-sanitization guidance. Apollo honors Shopify's mandatory GDPR webhooks (customers/redact, shop/redact,customers/data_request).

9. Sub-processors

Apollo runs on AWS infrastructure inside the European Union. We review sub-processors handling Shopify data at least annually and contractually require equivalent protections. The current list is available on request.

10. International transfers

Shopify data is processed inside the EEA. If a transfer outside the EEA becomes necessary, we use Standard Contractual Clauses or another lawful transfer mechanism.

11. Incident response

In the event of a confirmed data incident affecting Shopify data, eBrands will notify affected partners and Shopify within 72 hours of confirmation.

12. Your rights

You can revoke Apollo's authorization at any time from your Shopify admin → Apps → Apollo. To request access, correction, deletion, or export of your data, contact apollo@ebrands.com. We respond within 30 days.

13. Contact

eBrands Holdings Oy
Email: apollo@ebrands.com
Website: ebrands.com

14. Changes

We may update this policy as the Apollo platform evolves or as Shopify's policies change. Material changes will be communicated to active partners by email.