Privacy Policy — Flexbundle

Last updated: 2026-05-12

This policy explains what data the Flexbundle Shopify app ("we", "the app") processes when a merchant ("you") installs and uses it. The app is designed to process the minimum data needed to render flexible product bundles. It is not used for analytics, advertising, or profiling.

1. Data we process

From your Shopify store (server-side)

When you install Flexbundle, Shopify issues us an offline access token tied to your shop. We store:

Your shop's *.myshopify.com domain.
The offline access token, used only to call Shopify's Admin API on your behalf — currently only to activate the Cart Transform function and to create the custom.bundle_components metafield definition once on install.
The timestamp of installation.

We do not read, store, or transmit any customer personal data, order data, or product data on our servers.

In the storefront (client-side only, never sent to us)

The theme extension reads:

The contents of the custom.bundle_components product metafield (a list of variant IDs).
The state of bundle component checkboxes during a shopping session.
The currently selected parent variant ID.

This data is used solely to render the bundle UI in the browser and to construct the /cart/add.js request to Shopify. None of it is sent to Flexbundle servers.

In Shopify Cart Transform (runs on Shopify's infrastructure, not ours)

The Cart Transform function reads cart line IDs and the two line-item attributes (_bundle_id, _bundle_parent_variant_id) attached at add-to-cart. The function runs entirely on Shopify's infrastructure; we receive no copy of its input or output.

2. Data we do not collect

Customer names, emails, addresses, phone numbers, IP addresses.
Order details.
Payment information.
Browsing or analytics events.
Cookies.

3. Sharing

We do not share data with third parties. We use no sub-processors beyond Shopify itself.

4. Retention

We retain the offline access token and shop domain only for as long as the app is installed. When the app is uninstalled, Shopify sends us the app/uninstalled and shop/redact webhooks; we delete the shop's entry promptly (in any case within 30 days).

5. GDPR mandatory webhooks

In line with Shopify's protected-customer-data rules we expose three endpoints:

customers/data_request — we respond confirming we hold no customer data for the requesting customer.
customers/redact — we acknowledge the request (no customer data to delete).
shop/redact — we delete the shop's entry from our session store.

6. Your rights

Because we do not hold customer personal data, GDPR data-subject requests from end customers will not produce any data for us to return or delete. Merchants can uninstall the app at any time, which triggers deletion of their offline access token.

7. Contact

For privacy questions, contact: kontakt@bahosting.dk

Data controller: BA Digital ApS, VAT no. DK46442903, Denmark.
Phone: +45 41 13 07 79