Privacy Policy — GetItBy
Last updated: 2026-05-24
GetItBy ("we", "the app") is a Shopify app that displays an estimated delivery date on product pages and recalibrates itself from fulfilled order data. This policy explains what we collect, what we do with it, and your rights.
Who we collect data about
We collect data about Shopify merchants (store owners) who install GetItBy, and about fulfilled orders on those stores. We do not collect data about end shoppers visiting the product page beyond what Shopify passes through the theme app block (product ID, variant ID, collection IDs, product tags, product metafields).
What we collect
- Store identifier — your shop domain (e.g.
store.myshopify.com) and the Shopify-issued offline access token used to call the GraphQL Admin API. Stored in our database. - Delivery settings you configure: processing days, cutoff hour, transit windows, holidays, rules, copy and date format templates.
- Order fulfillment metadata (only after you submit the Protected Customer Data form and approve the
read_ordersscope): order ID, placement timestamp, fulfillment timestamp, computed transit days. We do not store customer names, addresses, emails, payment info, or line-item contents. - Estimate counters — a monthly count of how many product-page estimates we served, used for plan limits.
How we use it
- To render the estimated delivery date on product pages on your storefront.
- To recalibrate the displayed transit window from the rolling mean of real fulfilled-order transit days (the "self-calibration" feature).
- To enforce plan limits (Starter: 500 estimates/month; Grow: 10,000).
- To diagnose errors (Sentry; aggregated, no PII).
Where it lives
GetItBy is hosted on Vercel (United States) and uses Neon Postgres (United States) as its database. The Shopify Admin API is called through Shopify's infrastructure. Aggregated error telemetry (no PII) is sent to Sentry.
Third-party data flows
- Shopify — we read products, collections, tags, metafields, and (with PCD approval) fulfilled orders via the GraphQL Admin API. Authentication: OAuth + offline access tokens.
- Vercel — hosts the application; sees inbound requests including headers.
- Neon — stores merchant settings, rules, calibration aggregates, and per-order timestamps.
- Sentry — receives anonymized error telemetry (stack traces, request paths). We never send merchant access tokens, customer PII, or order line items to Sentry.
How long we keep it
Data is retained for as long as the app is installed. On uninstall, we receive Shopify's app/uninstalled and shop/redactwebhooks and delete all data for your shop within 48 hours. Data-export and customer-redact webhooks (customers/data_request,customers/redact) are also honored.
Security & incident response
All data is encrypted in transit (TLS 1.2+) and at rest (Neon Postgres storage-level encryption). Access to production systems is limited to the app operator. If we become aware of a security incident affecting your data, we will notify affected merchants at their store owner email within 72 hours with what happened, what data was involved, and what we are doing about it, and we will notify Shopify through Partner support channels.
Your rights
You can request a copy of, or deletion of, your data at any time by emailing danny@8thorigin.com. Uninstalling the app triggers automatic deletion.
Cookies
The embedded admin uses Shopify's session-token authentication; we do not set our own cookies on the merchant admin or the storefront.
Changes
We'll update this policy if our practices change and update the date above. Material changes will be flagged in-app.
Contact
Questions and support: danny@8thorigin.com.