Privacy Policy
Effective May 22, 2026
This Privacy Policy explains how Edge Ecom LLC (“we,” “us,” or “our”) collects, uses, and protects information in connection with QuoteSense (the “App”), a quote-building application that merchants install on their Shopify stores. We’ve written this in plain English so merchants and their customers can understand exactly what happens to their data.
1. Who we are
QuoteSense is operated by Edge Ecom LLC, a limited liability company formed under the laws of the State of Wyoming and registered as a foreign limited liability company in the State of New Jersey. You can reach us at support@quotesense.io.
Under data protection law, our role depends on the data involved. When a merchant uses QuoteSense to capture quote requests from their own end customers, the merchant is the data controller for that end-customer data and Edge Ecom LLC acts as a data processor on the merchant’s documented instructions. For information we collect directly from merchants (account credentials, billing, support inquiries), we are the data controller.
2. Information we collect
From merchants (Shopify store owners)
When you install the App on your Shopify store, we collect:
- Your Shopify OAuth access and refresh tokens, which authorize the App to read and write data on your behalf via the Shopify Admin API.
- Your shop’s domain and admin handle.
- The shop owner’s email address, used for billing notices and transactional emails about your QuoteSense account.
- App subscription metadata (plan tier, status) returned by the Shopify Billing API. We never see or store your payment card or bank information — Shopify handles all billing collection.
- Aggregate usage analytics tied to your shop (e.g., number of quotes created, requests received) so you can see activity in your dashboard.
From end customers (storefront visitors)
When a customer submits a quote request through the App’s storefront form, we receive only the information they choose to provide:
- First and last name
- Email address
- Phone number (optional)
- Company name (optional)
- Shipping address (street, city, state, postal code, country)
- The products and quantities they’re requesting, or a free-text description if they use the “describe what you need” mode
- Optional file attachments (such as drawings or spec sheets), up to 10 MB each
Data we read from your Shopify store via the Admin API
To deliver the App’s functionality, we use the Shopify Admin API to read the following data from your shop:
- Customer records — name, email, phone, and default shipping address, used to pre-fill quote contacts when a merchant builds a quote for an existing customer and to attach the correct Shopify Customer to draft orders.
- Products and variants — titles, SKUs, prices, inventory levels, and images, used for product selection inside the quote builder.
- Draft orders — created and updated by the App to mirror quotes, so that accepted quotes can be completed via Shopify checkout.
- Shop settings — brand name, locale, currency, and policy URLs, used to brand the customer-facing quote page and quote emails.
We treat this data as Protected Customer Data under Shopify’s data-handling requirements. We access only the fields we need for the functions above, and we do not use it for any other purpose.
What we do NOT collect
- Payment card or bank account information
- Government-issued identifiers, Social Security numbers, or similar sensitive personal identifiers
- Tracking cookies or analytics pixels on storefront-facing surfaces
3. How we use this information
We use the information we collect to:
- Deliver the App’s core functionality — capturing quote requests, building priced quotes, syncing them to Shopify draft orders, and emailing customer-facing quote pages.
- Authenticate merchant sessions and authorize API calls to Shopify.
- Send transactional emails (subscription receipts, password resets, quote-status notifications).
- Maintain the App’s security, prevent abuse, and debug issues.
- Comply with applicable legal obligations, including responding to Shopify’s mandatory GDPR webhooks (see Section 6).
We do not sell personal information, and we do not use customer data for advertising or to train machine-learning models.
Legal bases (GDPR)
Where the EU or UK General Data Protection Regulation applies, our lawful bases for processing under Article 6 are:
- Performance of a contract (Art. 6(1)(b)) — providing the merchant account, billing, and the core quoting functionality the App delivers to merchants and (on the merchant’s behalf) to their end customers.
- Legitimate interests (Art. 6(1)(f)) — security monitoring, abuse prevention, debugging, and product improvement, balanced against the rights and freedoms of the individuals concerned.
- Legal obligation (Art. 6(1)(c)) — responding to Shopify’s mandatory GDPR webhooks, maintaining audit logs, breach notification, and complying with valid legal process.
4. Who we share data with
We share information only with the service providers (“subprocessors”) we need to operate the App. Each is bound by its own privacy and security commitments:
- Shopify Inc. (Canada) — the integration platform itself. Merchant and customer data flows through Shopify’s APIs. Privacy policy.
- Vercel Inc. (United States) — application hosting and Vercel Blob storage for file attachments. Privacy policy.
- Neon (operated by Databricks, Inc., United States) — managed PostgreSQL database where quotes, requests, and shop data are stored. Privacy policy.
- Upstash Inc. (United States) — Redis caching and session storage. Privacy policy (PDF).
- Resend (operated by Plus Five Five, Inc., United States) — transactional email delivery. Privacy policy.
We may also disclose information if required by law, court order, or valid legal process, or to protect the rights, property, or safety of our users or the public.
5. Security
We take reasonable steps to protect the information we hold:
- All traffic to and from the App is encrypted using TLS 1.2 or higher.
- Shopify access tokens are encrypted at rest using AES-256 before being written to the database.
- Merchant access uses Shopify OAuth combined with short-lived bearer session tokens issued by Shopify App Bridge. Incoming Shopify webhooks are verified via HMAC before being processed.
- No third-party tracking scripts run on customer-facing surfaces.
No method of transmission or storage is perfectly secure. If we become aware of a personal data breach affecting your data, we will notify Shopify within 24 hours, affected merchants without undue delay, and (where applicable under GDPR Article 33) the relevant supervisory authorities within 72 hours.
6. Data retention and deletion
- While the App is installed: quote requests and quotes are retained so merchants can review history. Merchants can soft-delete quote requests through the App’s admin UI; those records remain in the database in case the merchant restores them.
- When the App is uninstalled: we immediately mark the shop’s data for deletion. We complete the deletion when we receive Shopify’s
shop/redactwebhook (typically 48 hours after uninstall), or, as a fallback, within 30 days of uninstall if that webhook is not delivered. - Shopify mandatory GDPR webhooks: as required by Shopify, we honor the following webhooks within 30 days of receipt:
customers/data_request— we return the end-customer data we hold for the requested customer.customers/redact— we delete the requested end-customer’s personal data.shop/redact— we delete all data associated with a shop. Shopify sends this webhook approximately 48 hours after a merchant uninstalls the App.
Retention periods
We retain different categories of data for different periods, reflecting how long they’re needed for the purposes described in this policy:
| Data category | Retention period |
|---|---|
| Active quote requests and quotes | For the lifetime of the merchant’s App install. |
| Soft-deleted quote requests | Until the merchant restores or permanently deletes the record. |
| Shop data after uninstall | Hard-purged within 30 days of uninstall, typically within 48 hours when Shopify’s shop/redact webhook is delivered. |
Audit logs (shop_events) | Retained for the lifetime of the install; purged together with shop data on uninstall. |
| Server request logs | 90 days (default retention by our hosting provider, Vercel). |
| Transactional email logs | 30 days (default retention by our email provider, Resend). |
| Billing and subscription records | 7 years, retained separately, to meet US tax recordkeeping requirements. |
A valid customers/redact webhook overrides the retention periods above and triggers immediate deletion of the requested end-customer’s personal data, regardless of the merchant’s soft-delete or install status.
7. Your rights
Depending on where you live, you may have rights under laws such as the EU and UK General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), including the right to:
- Access the personal information we hold about you
- Correct information that is inaccurate
- Request deletion of your information
- Receive a copy of your information in a portable format
- Object to or restrict certain uses of your information
End customers who submitted a quote request to a merchant’s store should contact that merchant directly — they are the controller of that data. We process it on their behalf. If you can’t reach the merchant, you can also email us at support@quotesense.io and we will work with the merchant to honor your request. Merchants may contact us directly at the same address.
How to submit a request
To exercise any of the rights above, email support@quotesense.io with the subject line “Privacy Request” and a brief description of what you need. We will acknowledge your request within 5 business days and respond substantively within 30 days — the maximum response window under both GDPR and the CCPA. One request per calendar year is free of charge. We may ask you to verify your identity before completing the request to protect against impersonation.
Additional disclosures for California residents (CCPA)
In the past 12 months, we have collected the following categories of personal information for the business purposes shown below. We have not sold or shared personal information for cross-context behavioral advertising, and we have no actual knowledge of selling or sharing the personal information of consumers under 16 years of age.
| Category | Examples | Source | Business purpose |
|---|---|---|---|
| Identifiers | Name, email, phone number, IP address | Storefront quote-request form; Shopify Admin API | Process and respond to quote requests; account and security operations |
| Customer records (Cal. Civ. Code §1798.80) | Shipping address, company name | Storefront quote-request form; Shopify Admin API | Fulfill quoted orders via Shopify checkout |
| Commercial information | Products and quantities requested; quote and order history within the App | Storefront form; merchant admin activity | Build and price quotes; report activity to the merchant |
| Internet or network activity | Server logs, request paths, user-agent strings | Automatic when you use the App | Security, abuse prevention, debugging |
| Customer-provided files | Drawings, spec sheets, or other documents (optional) | Storefront quote-request form | Provide context for the quote |
We disclose each of the above categories to the subprocessors listed in Section 4 for the business purposes shown. We do not sell or share personal information for cross-context behavioral advertising. California residents have the right to know, delete, correct, and limit the use of sensitive personal information, and to not be discriminated against for exercising those rights.
8. International data transfers
We and our subprocessors are based in the United States, and the information we collect is stored and processed in the United States. If you access the App from outside the U.S., your information will be transferred to and processed there. We rely on appropriate safeguards (such as Standard Contractual Clauses, where applicable) when our subprocessors transfer personal data across borders on our behalf.
9. Children’s privacy
The App is intended for use by Shopify merchants and their business customers. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child, please contact us at support@quotesense.io and we will delete it.
10. Cookies and tracking
On the merchant admin surfaces of the App, we use Shopify App Bridge session tokens (passed as bearer tokens, not cookies) and a small number of strictly necessary cookies set by Auth.js (formerly NextAuth.js), the open-source authentication library we use, to keep merchants signed in. We do not set advertising or analytics cookies. Storefront-facing surfaces (the quote-request form and the customer-facing quote page) do not set cookies or run third-party tracking scripts of any kind.
11. Updates to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Effective” date at the top of this page. Material changes will be communicated to merchants by email or through a notice in the App. Continued use of the App after an update constitutes acceptance of the revised policy.
12. Governing law
This Privacy Policy is governed by the laws of the State of Wyoming, without regard to its conflict-of-laws principles.
13. Contact us
For any privacy-related questions or requests, contact us at:
Edge Ecom LLC
1621 Central Ave, Cheyenne, WY 82001
Email: support@quotesense.io