The short version
Skucast is a back-office tool. We process the minimum customer data needed to forecast inventory and route dropship orders — name and shipping address, and nothing else (no email, no phone, no payment info). We never sell or share your customers' data. We read it from Shopify on demand, keep it only as long as the merchant's account needs it, and purge it 30 days after uninstall. Sub-processors are limited to Cloudflare, Shopify, Anthropic (AI panel only), and Resend (email). Billing is handled by Shopify directly via the Shopify Billing API.1. Who we are
This policy is published by Carmotive LLC DBA Skucast ("Skucast", "we", "us"), a Michigan limited liability company. Skucast operates the inventory and purchasing management application available on the Shopify App Store at apps.shopify.com/skucast and the marketing site at skucast.app.
For privacy questions, data subject requests, or to report a security concern, contact [email protected].
2. Whose data this covers
Two categories of people:
- Merchants — the Shopify store owners and staff who install and use Skucast. We are the data controller for merchant account information (name, email, billing address, plan choice).
- Merchant customers — the people who place orders on a merchant's Shopify store. We are the data processor for this data: we read it from the merchant's Shopify account to provide Skucast's features, on the merchant's behalf. The merchant remains the data controller. Our processing terms are in our Data Processing Addendum.
3. Merchant data we collect
| Category | Source | Used for |
|---|---|---|
| Shopify shop domain, shop owner name, email | Shopify install flow | Account identity, support, billing |
| Subscription tier, billing status | Shopify Billing API | Subscription processing — Shopify handles all payment data; Skucast never sees card numbers or billing addresses |
| Operator session activity (which pages you visit, when crons run, mutations you make) | Worker logs, audit log entries on PO/RMA records | Debugging, abuse prevention, audit trail required by the App Store |
| Support correspondence | Email to [email protected] | Responding to your request |
4. Merchant customer data we process
To provide Skucast's features, we process the following data about the merchant's customers, on the merchant's behalf:
| Field | Shopify API source | Why Skucast needs it |
|---|---|---|
| Customer name (first + last) | Customer, Order.customer | Render the customer's name on Work Orders and Quotes printed for the merchant; reference customers in PO line item notes ("special order for J. Smith") |
| Shipping address | Order.shippingAddress | Route dropship POs — the vendor needs the end-customer address to ship directly to them on the merchant's behalf |
| Order line items, quantities, fulfillment status, sale dates | Order, LineItem, Fulfillment | Forecaster: compute per-SKU demand velocity; dropship workflow: detect which orders need vendor fulfillment; EOD reports: aggregate daily sales |
Customer data we do NOT process:
- Customer email addresses — Skucast never emails end-customers; all email goes to merchant staff or vendors
- Customer phone numbers — Skucast does not call or text customers
- Payment data — Shopify handles payment processing; Skucast never sees card numbers, billing addresses on cards, or other financial details
- Browsing or session data on the storefront — Skucast has no storefront footprint; we cannot observe what visitors do on the merchant's store
- Marketing-consent state — we don't use customer data for marketing and therefore don't need to read consent state; Shopify enforces it at the source for all uses
5. How we use the data
We use merchant data to:
- Provide the Skucast features the merchant installed the app for: inventory forecasting, purchase order management, RMAs, dropship routing, dashboards, scheduled reports, optional AI panel
- Send service-related email (cron summaries, security notifications) via Resend
- Bill the merchant for the Skucast subscription via the Shopify Billing API — Shopify processes payment on Skucast's behalf as part of the merchant's Shopify bill
- Diagnose issues and protect the service from abuse
- Comply with legal obligations
We use merchant customer data only for the purposes listed in section 4 above. We never:
- Sell, rent, or trade customer data
- Use customer data for advertising or marketing
- Use customer data to train AI models (the Skucast AI panel does not send customer PII to Anthropic — it operates on aggregates and merchant-scoped queries; see section 8)
- Combine customer data across merchants
6. Legal bases (GDPR / UK GDPR)
- Merchant data: performance of our contract with the merchant (Skucast Terms of Service), and our legitimate interests in operating, debugging, and securing the service
- Merchant customer data: Skucast acts as the merchant's processor; the merchant relies on its own legal basis (typically performance of its contract with the customer, or legitimate interests). Our processing terms are in the DPA.
7. Where data lives and how long we keep it
| Data | Storage | Retention |
|---|---|---|
| Merchant account record (shop domain, owner, plan) | Cloudflare KV, encrypted at rest, multi-region replicated within the US | Life of the merchant's account; deleted within 30 days after uninstall |
| PO and RMA records (which reference customer names + addresses) | Cloudflare KV, US region | Life of merchant account; deleted within 30 days after uninstall |
| Forecaster aggregates (per-SKU demand velocity, classifications) | Cloudflare KV, US region | ≤ 90 days; recomputed continuously |
| Audit log entries | Cloudflare KV, US region | 2 years |
| Worker request logs (HTTP status, latency, no request body) | Cloudflare Workers logging | 30 days |
| Customer-data reads from Shopify | Not durably stored — read on demand, used in-flight, discarded | Not retained |
| Support email | Inbox + Resend | 3 years from last correspondence |
| Billing records (invoices) | Shopify Billing API (invoices appear on the merchant's Shopify bill) | Per Shopify's retention policy |
8. The Skucast AI panel (optional feature)
If a merchant enables the embedded AI panel, conversational queries are sent to Anthropic's Claude API to generate responses. We:
- Send only aggregated or merchant-scoped data needed to answer the query (e.g. "show me critical SKUs" sends the list of low-stock SKUs, not customer names)
- Do not send raw customer PII (names, addresses) into prompts unless the merchant operator explicitly asks a question that references a specific customer
- Configure the API call to opt out of using prompts for Anthropic model training (per Anthropic's commercial terms)
- Anthropic processes the request and returns a response; conversation history is stored in Cloudflare KV scoped to the merchant + operator session
Merchants can disable the AI panel in Settings at any time.
9. Sub-processors
We share data with the following sub-processors, each bound by data protection terms equivalent to or stricter than this policy:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting (Workers, KV, Pages), DDoS protection, TLS termination | US (primary), with global edge |
| Shopify Inc. | Source system — we read merchant + customer data from the merchant's Shopify store via Admin API | US / Canada |
| Anthropic, PBC | Claude API for the optional AI panel (only when enabled by the merchant) | US |
| Resend, Inc. | Outbound transactional email (cron summaries, vendor POs, security notifications) | US |
We will give merchants at least 30 days' notice before adding a new sub-processor that processes their data.
10. International transfers
Skucast is operated from the United States. Where personal data is transferred from the EEA, UK, or Switzerland to the US (or any other country with a different data-protection regime), we rely on the Standard Contractual Clauses incorporated by reference in our DPA, and on equivalent mechanisms in each sub-processor's terms.
11. Security
- All data in transit is encrypted with TLS 1.2 or higher
- All data at rest in Cloudflare KV is encrypted at the platform level
- Production access is restricted to Skucast operators using authenticated CF dashboard sessions with mandatory 2FA
- Merchant dashboard sessions require Shopify session tokens validated on every request
- Every mutation to PO, RMA, or settings records writes an audit log entry tied to the operator's identity
- We do not export merchant data to long-term backup destinations — Cloudflare's multi-region KV replication is the durability layer
- Our incident response policy is documented internally and triggers merchant notification within 24 hours of any confirmed breach affecting their data
12. Your rights
If you are a merchant, you can:
- Access the data we hold about you — request via [email protected]
- Correct or update your account data — most fields are editable in Skucast Settings; for others, contact us
- Delete your data — uninstalling Skucast triggers automatic deletion of your merchant data within 30 days; you can also request immediate deletion via email
- Export your data — request a JSON export via email; we'll deliver within 30 days
- Object to processing or restrict it — contact us; we'll tell you what we can and can't accommodate while you remain a customer
- Lodge a complaint with your supervisory authority (EU/UK residents) or your state Attorney General (US residents)
If you are a merchant's customer, your rights are exercised through the merchant (the data controller). When the merchant receives your request via Shopify's mandatory data-request webhook, the data is forwarded to Skucast and we respond to the merchant within 30 days. To exercise your rights directly with us, you can also contact [email protected] with proof of your identity and the merchant's shop domain.
13. Mandatory Shopify compliance webhooks
As required by Shopify, Skucast implements three GDPR-related webhooks:
customers/data_request— when triggered by Shopify on behalf of a merchant customer, Skucast surfaces all data we hold about that customer within 30 dayscustomers/redact— when triggered, Skucast permanently deletes all data about that customer within 30 days, including references in PO line items and audit logs (preserving only the structural record needed for accounting integrity)shop/redact— when triggered (typically 48 hours after a merchant uninstalls and after a 30-day grace period), Skucast permanently deletes all data about that merchant and their customers within 30 days
14. Children's data
Skucast is a B2B tool. We do not knowingly collect data about children under 16. The merchant is responsible for the lawfulness of any data they choose to process about their customers.
15. Changes to this policy
We'll update this page when we change our practices. Material changes — new sub-processors, expanded data uses, retention extensions — will be communicated to merchants at least 30 days in advance by email. The "Last updated" date at the top of this page always reflects the current version.
16. Contact
Carmotive LLC DBA Skucast
Howell, Michigan, USA
Privacy + data subject requests: [email protected]
Security disclosures: [email protected]
General support: [email protected]