Privacy Policy — Restock Pilot
Last updated: 18 June 2026
Restock Pilot ("Restock Pilot", "the App", "we", "us" or "our") is an inventory forecasting and purchase-order application for Shopify, operated by Iluora ("the Provider"). This Privacy Policy explains what information the App accesses, collects, stores and shares when a merchant installs and uses it, and the rights available to merchants and their customers.
By installing or using Restock Pilot you agree to the practices described in this policy.
1. Who is the data controller?
For the data you (the merchant) provide and the configuration you create in the App, you are the data controller and Restock Pilot acts as a data processor on your behalf. For the limited account information we hold about the person who installs and administers the App, Iluora acts as a controller.
Provider contact: support@iluora.com
2. What information we access and store
2.1 Store data read from Shopify
With your authorization (Shopify OAuth), the App reads the following from your Shopify store in order to calculate replenishment suggestions and keep inventory in sync:
- Products and variants (titles, SKUs, identifiers).
- Inventory levels and locations.
- Orders — used only to compute sales velocity (units sold per day per variant/location). We request the minimum level of protected customer data needed and do not access, store or process customer names, emails, phone numbers, addresses or payment details. Only aggregated quantities and variant identifiers are retained.
The App also writes inventory levels back to Shopify when you mark a purchase order as received.
2.2 Data you create in the App
- Suppliers you add, including the contact details you choose to enter (contact name, email, phone, lead time, MOQ, terms).
- Purchase orders and their line items (products, quantities, costs).
- Settings such as forecast window, default lead time, safety stock, review period and the alert email address you set.
- Data you import via the Stocky migration tool (supplier and purchase-order CSVs you upload).
2.3 Account and session data
- Your shop domain and the Shopify access token required to call the API on your behalf.
- Basic staff account information provided by Shopify for the user who installs/uses the App (name, email, preferred language/locale). This is used to authenticate the session and localize the interface.
2.4 Technical data
- Standard server logs (e.g. request timestamps, error traces) generated by our hosting provider for security and reliability. These are not used for advertising or profiling.
We do not use cookies for tracking or advertising. We do not sell your data or your customers' data.
3. How we use the information
We use the information solely to provide the App's functionality:
- Calculate restock suggestions, reorder points and low-stock alerts.
- Create, export (PDF/CSV) and manage purchase orders.
- Write received quantities back to your Shopify inventory.
- Send low-stock and reorder email alerts to the address you configure.
- Operate billing through the Shopify Billing API (subscription and trial).
- Provide support, maintain security, and debug issues.
We do not use your data, or your customers' data, to train AI models or for any purpose unrelated to operating the App.
4. Subprocessors
We rely on the following third-party providers to operate the App. Each processes data only as needed to deliver its service:
| Subprocessor | Purpose | Data involved |
|---|---|---|
| Shopify | Platform, OAuth, billing, webhooks | All store data, as authorized |
| Railway | Application hosting and PostgreSQL database | All data stored by the App |
| Resend | Sending low-stock / reorder email alerts | Recipient email address, alert content |
| cron-job.org | Scheduled trigger for the daily alerts job | A protected request to our scheduling endpoint (no merchant data sent) |
We may update this list as our infrastructure evolves; material changes will be reflected in this policy.
5. Data location and security
Application data is stored in a PostgreSQL database hosted by Railway. We protect data in transit using HTTPS/TLS and restrict access to credentials and the database to the Provider. Shopify access tokens are stored to make authorized API calls and are never shared with third parties other than the subprocessors listed above.
No method of transmission or storage is 100% secure, but we take reasonable technical and organizational measures to protect the information we hold.
6. Data retention and deletion
- We retain your App data for as long as the App is installed.
- When you uninstall the App, or when Shopify sends a shop/redact request (typically 48 hours after uninstall), we delete the store's data (suppliers, purchase orders, settings, sales-velocity records and session/token data) associated with your shop.
We honor Shopify's mandatory compliance webhooks:
- customers/data_request — because the App stores no customer personal data, we have no customer PII to return; we respond accordingly.
- customers/redact — we hold no customer PII to erase.
- shop/redact — we erase the shop's data as described above.
If you need data exported or deleted outside of these flows, contact support@iluora.com.
7. Your rights
Depending on your jurisdiction (e.g. GDPR in the EU/UK, CCPA in California), you may have the right to access, correct, export or delete personal data we hold about you, and to object to or restrict certain processing. To exercise these rights, contact support@iluora.com. We will respond within the timeframe required by applicable law.
Because Restock Pilot processes store and (aggregated, non-personal) order data on your behalf as your processor, requests from your customers should generally be directed to you as the merchant; we will assist you in fulfilling them.
8. Children's privacy
The App is a business tool intended for merchants and is not directed to children. We do not knowingly collect personal data from children.
9. International transfers
Our subprocessors may process data in countries outside your own, including the United States. Where required, transfers are carried out under appropriate safeguards provided by those subprocessors.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify merchants. Continued use of the App after changes take effect constitutes acceptance of the updated policy.
11. Contact
Questions or requests regarding this policy or your data:
Iluora — Restock Pilot
Email: support@iluora.com