At a glance
Apimio is a Product Information Management (PIM) platform that helps merchants organize, score, and publish their product catalogs across sales channels. This policy explains what data we collect, how we use it, who we share it with, and your rights over it.
The short version:
- We collect what we need to run the app: your account info, your product catalog, and (for connected sales channels) order data needed to compute aggregated sales metrics per product.
- We never collect customer-identifying data from your sales channels — no names, emails, addresses, or phone numbers from your shoppers.
- We retain data only as long as you have an active account, plus a short post-cancellation grace period.
- You can export or delete your data at any time. Uninstalling our app from your sales channel triggers automatic deletion within 48 hours.
- We are GDPR- and CCPA-compliant.
If anything in this policy is unclear, email zia@apimio.com — a real person will respond within 5 business days.
1. Who we are
Apimio Inc. ("Apimio", "we", "us", "our") operates the Apimio platform at app.apimio.com and the marketing site at apimio.com.
Contact:
- General: zia@apimio.com
- Privacy / Data Protection: zia@apimio.com
- Data Protection Officer: zia@apimio.com
When this policy uses "you", we mean the merchant (the business or individual using Apimio) or a person authorized by that merchant to use the platform. When it says "your customers" or "shoppers", we mean the people who buy products from your storefront — they are your customers, not ours.
2. Information we collect
We collect three categories of information.
2.1 Information you give us directly
When you sign up, configure, or use Apimio:
- Account information: your name, email address, password (hashed, never stored in plain text), profile photo, role within your organization.
- Organization information: company name, billing address, tax ID, currency, units of measure, brand and vendor data.
- Billing information: payment-method tokens issued by Stripe (we never see or store your raw card number — Stripe holds those), invoice history, plan tier.
- Support communications: the contents of any email, chat, or ticket you send us, along with screenshots or attachments you share.
- User-uploaded content: your product titles, descriptions, attributes, images, files, taxonomy assignments, and any other catalog data you create, import, or upload to Apimio.
2.2 Information we receive from connected sales channels (e.g. Shopify)
When you connect a sales channel like Shopify to Apimio, you authorize us — through the channel's standard OAuth flow — to access specific kinds of data using narrowly-scoped permissions. We deliberately request only the minimum access required for each Apimio feature.
For Shopify specifically, we request and use the following scopes:
- `read_products`, `write_products` — Product titles, descriptions, variants, options, prices, tags, vendor, product types, metafields — Core PIM functionality — keep your catalog in sync between Shopify and Apimio
- `read_inventory`, `write_inventory` — Inventory levels per variant per location — Inventory dashboards and updates
- `read_locations`, `write_locations` — Warehouse location names and addresses — Multi-store inventory routing
- `read_publications`, `write_publications` — Sales-channel publication state of products — Channel-specific publishing decisions
- `read_markets` — Market regions, currencies, pricing rules — Multi-market support
- `read_locales`, `read_translations`, `write_translations` — Per-locale translations of product fields — Multi-language catalog management
- `read_content`, `write_content` — Collections, pages, and the merchant's own content — Collection synchronization
- `read_metaobjects`, `read_metaobject_definitions`, `write_metaobjects`, `write_metaobject_definitions` — Custom metaobject definitions and values — Bundle support, structured custom fields
- `read_orders` *(pending Shopify approval — see §2.3)* — Aggregated revenue and units sold per product over a trailing 90 days — Revenue × Quality prioritization in Quality Guard
- `read_analytics` — Limited analytics queries — Reserved for future use; currently unused
2.3 What we do not collect from your sales channels
This is important enough to call out explicitly. From your connected sales channels (Shopify, etc.) we never:
- Access customer names, email addresses, phone numbers, IP addresses, billing addresses, shipping addresses, or any other customer-identifying field
- Access individual order details beyond the aggregate fields needed for product-level revenue ranking
- Access payment details, credit card numbers, or transaction-level financial data
- Store, log, or transmit your shoppers' personally identifiable information
Technical specifics for the `read_orders` scope (currently pending Shopify Protected Customer Data Level 1 approval as of the date of this policy):
When approved and active, our Orders query reads only:
- `order.id` — used solely to deduplicate when we paginate
- `order.lineItems[].quantity` — to sum units sold per product
- `order.lineItems[].product.id` — to attribute the line to a product
- `order.lineItems[].discountedTotalSet.shopMoney.amount` — to sum revenue per product
We aggregate these into per-product totals (`revenue_total_usd`, `units_sold`, `orders_count`) over rolling 7-, 30-, and 90-day windows. The exact GraphQL query is in our open codebase at `app/Classes/Shopify/FetchOrderMetrics.php` and is reproduced in our Shopify Partner submission. We commit to keeping this query free of customer-identifying fields.
2.4 Information we collect automatically
When you use Apimio, our servers and software automatically collect:
- Log data: IP address, browser type and version, operating system, device type, referrer URL, pages visited, timestamps, and HTTP request metadata.
- Cookies and similar technologies: session cookies, CSRF tokens, and analytics identifiers (see §10).
- Performance data: error reports, stack traces, request latencies, and feature usage events (e.g., "user clicked Fix now on rule X"). Error reports and performance data are sent to Sentry; usage events are sent to PostHog. Both have their own privacy practices linked in §6.
3. How we use information
We use the information we collect to:
- Provide the service — Store your catalog, sync to channels, compute Quality Guard scores — Contract
- Bill you — Charge your subscription, send invoices, handle disputes — Contract
- Communicate with you — Send service emails, respond to support, send announcements you've opted into — Contract / Legitimate interest
- Improve Apimio — Aggregate usage analytics, identify bugs, prioritize features — Legitimate interest
- Comply with the law — Tax records, audit logs, lawful requests from authorities — Legal obligation
- Prevent fraud and abuse — Detect unusual login patterns, rate-limit API misuse — Legitimate interest
We do not use your data to train AI models for sale to third parties. We do use AI services (currently Anthropic and OpenAI, via Apimio's own API contracts) to power optional features like meta-description generation — but only with content you explicitly submit for that feature, and we do not allow those providers to train on your data per their enterprise privacy terms.
4. How we share information
We do not sell your personal information. We share it only with the following categories of recipients, and only when necessary.
4.1 Service providers (subprocessors)
We use third-party services to operate Apimio. Each is contractually bound to use your data only for the purposes we specify and to meet GDPR-grade security standards. Our current subprocessor list:
- Amazon Web Services (AWS) — Database hosting, file storage, compute — All Apimio data — us-east-2 (Ohio, USA)
- Laravel Cloud — Application hosting — All Apimio data — us-east-2 (Ohio, USA)
- Stripe — Payment processing — Billing email, payment-method tokens — USA
- Sendgrid — Transactional email delivery — Email address, name — USA
- Pusher — Real-time notifications — User ID, organization ID — USA
- Sentry — Error tracking — Stack traces, request metadata; no customer data — USA
- PostHog — Product analytics — Page views, feature events, user ID — EU (Frankfurt)
- Anthropic — Optional AI features (meta descriptions etc.) — Only content you submit for AI generation — USA
- OpenAI — Optional AI features (fallback provider) — Only content you submit for AI generation — USA
- Google OAuth — Sign-in authentication — Email address only — USA
- Cloudflare — DNS, CDN, edge security — IP addresses for security — Global edge
- Bitbucket / Atlassian — Internal source-control and ticket tracking — Internal Apimio team data only — not customer data — USA
We will update this list and notify affected customers materially in advance of adding any subprocessor that would receive customer data.
4.2 Legal disclosures
We may disclose information when required to do so by law, valid legal process, or in good faith if we believe disclosure is reasonably necessary to:
- Comply with subpoenas, court orders, or government investigations
- Enforce our Terms of Service
- Protect the rights, property, or safety of Apimio, our customers, or the public
- Address fraud, security, or technical issues
We will challenge requests we believe are overbroad and will notify you of any compelled disclosure unless we are legally prohibited from doing so.
4.3 Corporate transactions
If Apimio is involved in a merger, acquisition, bankruptcy, or sale of all or part of its assets, your information may be transferred to the acquiring entity, subject to the protections of this Privacy Policy or a successor policy of equivalent strength. We will notify you of any such change with at least 30 days' advance notice.
5. Data retention
We retain personal data only for as long as necessary for the purposes set out in this policy. Specific retention windows:
- Account data (name, email, organization) — Active account + 90 days after cancellation
- Catalog data (products, attributes, files) — Active account + 30 days after cancellation, then deleted (you can request earlier deletion)
- Sales aggregates (`product_sales_metrics`) — 90 days rolling — older data is dropped by a nightly cleanup job
- Audit logs — 2 years (for security investigations and legal compliance)
- Billing records — 7 years (for tax and accounting compliance)
- Application logs — 30–48 hours rolling on our hosting platform
- Support communications — Active account + 1 year after cancellation
When you uninstall the Apimio app from your sales channel (or when your sales channel triggers the shop/redact webhook), we delete all data associated with that channel within 48 hours, ahead of Shopify's 30-day requirement.
6. Data security
We implement industry-standard security measures including:
- Encryption in transit: TLS 1.3 for all HTTP traffic; TLS for all database, cache, and queue connections
- Encryption at rest: AWS RDS encrypted volumes for databases; AWS S3 server-side encryption for object storage
- Access control: Role-based access for Apimio employees; engineering production access requires multi-factor authentication and is audit-logged
- Network isolation: Database and Redis services live inside a private VPC; no direct public internet access
- Code review: All production-affecting code changes are reviewed by at least one second engineer before deploy
- Vulnerability management: Dependency updates monitored; critical CVEs patched within 7 days; quarterly automated security scans
- Backup and recovery: Daily encrypted database backups retained 30 days; documented disaster-recovery procedure tested quarterly
- API key handling: All third-party API keys (Shopify access tokens, Anthropic/OpenAI keys for BYOK enterprise customers) are encrypted at rest using libsodium sealed boxes and only decrypted in-process at call time. They are never returned via Apimio's API or written to logs.
No system is perfectly secure. If we become aware of a data breach affecting your information, we will notify you in compliance with applicable law and our contractual commitments.
7. Your rights
Depending on where you are located, you may have the following rights over your data. We honor all of them regardless of jurisdiction.
7.1 Universal rights
- Access: Request a copy of the personal data we hold about you. We respond within 30 days.
- Correction: Ask us to correct inaccurate or incomplete data.
- Deletion: Ask us to delete your data. We will comply unless we have a legal obligation to retain it (e.g. tax records).
- Export: Download your data in a portable format. From inside Apimio: Settings → Data Export. Or email us.
- Object: Object to certain processing activities, including marketing communications. Unsubscribe links are in every marketing email.
7.2 GDPR (residents of the EEA, UK, Switzerland)
In addition to the above:
- Restrict processing: Pause certain processing while we resolve an inquiry
- Withdraw consent: Where we rely on consent as the legal basis, you can withdraw it at any time without affecting prior lawful processing
- Complain to a supervisory authority: You may lodge a complaint with your local data protection authority
7.3 CCPA / CPRA (California residents)
- Right to know: what personal information we have, how we use it, who we share it with
- Right to delete: see "Deletion" above
- Right to correct: see "Correction" above
- Right to opt out of sale or sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising. There is nothing to opt out of, but we honor "Global Privacy Control" browser signals as legally-binding opt-out requests anyway.
- Right to non-discrimination: We will not charge you a different price or deny service for exercising your rights
To exercise any of these rights, email zia@apimio.com or use the in-app tools at Apimio → Settings → Privacy.
7.4 Rights regarding your shoppers' data
Because we do not collect your shoppers' personal information, we hold no data about your customers to give to or delete on their behalf. If a shopper contacts you with a data request that involves their interaction with your Shopify store, that request is for you (the merchant) to handle directly with Shopify — we are not a controller of that data.
That said, your sales channel may forward data requests to us through standard webhooks:
- `customers/data_request`: when a shopper asks for their data, we email you a confirmation that we have nothing on that shopper to disclose
- `customers/redact`: when a shopper is deleted, we delete any (theoretical) order-derived data we might hold for that shopper — in practice this is a no-op because we never store customer-level data, but the handler runs and audit-logs for compliance
- `shop/redact`: when you uninstall the Apimio app from your sales channel and 48 hours pass, we delete all data associated with your store
8. International data transfers
Apimio is a US-based company. We store and process most data in AWS data centers in Ohio (us-east-2). Some subprocessors (notably PostHog) process data in the European Union.
If you are outside the United States, your data may be transferred to, stored in, and processed in the United States and other countries where our subprocessors operate. We rely on the following legal mechanisms for international transfers:
- EU–US Data Privacy Framework: for transfers to US subprocessors that have self-certified
- Standard Contractual Clauses (SCCs): for transfers to subprocessors not covered by an adequacy decision
- UK Addendum to the SCCs: for transfers from the United Kingdom
By using Apimio, you consent to these transfers.
9. Children's privacy
Apimio is a business-to-business product and is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, contact zia@apimio.com and we will delete it.
10. Cookies and similar technologies
We use cookies and similar technologies for the following purposes:
- Strictly necessary — Authentication, security, load balancing — Laravel session cookie, CSRF token
- Functional — Remembering your preferences (e.g., dismissed banners, layout choices) — UI state in localStorage
- Analytics — Understanding how Apimio is used so we can improve it — PostHog distinct ID
We do not use advertising or cross-site tracking cookies. Most browsers allow you to control cookies through their settings — see your browser's help section for details.
If your jurisdiction requires consent for non-essential cookies (e.g., EU, UK), you will see a cookie consent banner on your first visit.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will:
- Update the "Effective date" and "Version" at the top
- Notify active account holders via email at least 30 days before the change takes effect
- Post a notice in the Apimio app for 30 days after the change
Previous versions are archived and available on request. Continued use of Apimio after the effective date constitutes acceptance of the updated policy.
12. Contact us
For privacy questions, data requests, or to exercise your rights:
- Email: zia@apimio.com
- Data Protection Officer: zia@apimio.com
We respond to all privacy inquiries within 5 business days; formal data requests within 30 days.
Appendix A — Quick reference for Shopify reviewers
If you are reviewing our app's Protected Customer Data application, the following sections of this policy are the most relevant:
- §2.2 — What Shopify scopes we request and why
- §2.3 — What customer data we explicitly do NOT collect from your store
- §5 — Retention windows, including the 48-hour deletion on uninstall
- §7.4 — How we handle the three mandatory GDPR webhooks
- §4.1 — Our full subprocessor list
- §6 — Encryption and access-control practices
The exact GraphQL query we run against the Shopify Admin API for sales aggregation is documented in our codebase at `app/Classes/Shopify/FetchOrderMetrics.php` (method `buildOrdersQuery`). We commit to keeping that query free of customer-identifying fields. Any future change that would add such fields will be reflected here in §2.3 and will be subject to a fresh PCD review.
Appendix B — Version history
- 3.0 — 2026-05-15 — Comprehensive rewrite. Added §2.2 and §2.3 covering Shopify scope-level transparency in support of PCD Level 1 application. Added subprocessor list. Added GDPR + CCPA-specific rights sections.
- 2.x — (prior versions) — Historical — available on request
This document is provided as informational copy for legal review and website publication. It is not a substitute for advice from a qualified attorney familiar with your jurisdiction. Before publishing, have your counsel review the bracketed placeholders (registered business address) and verify the subprocessor list matches your current contracts.