FourCore

Legal · Last updated April 28, 2026

Privacy Policy

This Privacy Policy describes how FourCore ("we", "us", "the App developer") collects, uses, and shares personal information when a Shopify merchant installs and uses the FourCore Shoppable Videos application (the "App") on their Shopify store.

1. Data controller

FourCore is the data controller for personal information collected through the App. For privacy questions, data access, correction, or deletion requests, contact support@fourcore.dev.

2. Personal information we collect from merchants

When you install the App, Shopify provides us with limited information about you and your store via the Shopify Admin API. Throughout the lifetime of the App we collect and store:

  • Store identifiers — your myshopify.com domain, Shopify shop ID, plan name, and primary locale.
  • Authentication tokens — Shopify-issued OAuth access tokens, stored encrypted at rest and used only to call the Shopify Admin API on your behalf within the scopes you approved at install.
  • Product references — Shopify product and variant IDs you attach to videos, plus cached product titles, prices, and image URLs needed to render the storefront product card.
  • Video and widget data you create in the App — video titles, source URLs (Instagram / TikTok / direct upload), poster images, captions, and the layout / style configuration you choose in the editor.
  • Operational logs — non-identifying request logs and error traces (timestamps, route, error type) used to diagnose issues. Retained for up to 30 days.

Purpose: we use this data solely to operate the App — render shoppable widgets on your storefront, display the editor in the Shopify admin, sync product information, enforce subscription limits, and provide support.

3. Personal information we collect from your customers

The App's storefront widget runs in the visitor's browser and is designed not to collect personal information from your customers. We do not set advertising cookies, do not fingerprint visitors, and do not transmit shopper personal data to our servers. When a shopper adds a product to their cart from a video, that action follows your storefront's standard Shopify cart flow — we do not intercept, log, or store it.

Standard server access logs (IP address, user agent, timestamp) generated when the storefront browser fetches widget data from our servers may be retained for up to 30 days for security and abuse prevention. They are not used for marketing, profiling, or cross-site tracking.

4. Data imported from third parties

When you choose to import a video by Instagram or TikTok URL, we fetch the video file, poster image, and basic public metadata (caption, duration) from those platforms' public endpoints and store the resulting media in Shopify Files on your store. We do not request or store private account data, login credentials, or audience information from Instagram or TikTok.

5. How we share information

We do not sell your personal information. We do not share your personal information with advertisers or use it to train machine-learning models. We share data only with the sub-processors listed below, strictly to operate the App.

6. Sub-processors

The following service providers process data on our behalf:

  • Shopify Inc. (Canada / United States) — host of the merchant store, asset CDN for video files uploaded to Shopify Files, billing.
  • Vercel Inc. (United States) — application hosting and edge network for the App's admin UI and API.
  • Neon Inc. (United States) — managed PostgreSQL database storing widget configuration and metadata.

Each sub-processor is bound by their own publicly available data processing agreement.

7. International data transfers

Our application servers and database are hosted in the United States. If you access the App from outside the United States, your information will be transferred to, stored, and processed in the United States. Where applicable, we rely on Standard Contractual Clauses or equivalent legal mechanisms to safeguard cross-border transfers.

8. Data retention and deletion

We retain merchant data for as long as you have the App installed. When you uninstall the App, Shopify sends us the app/uninstalled webhook and we mark your shop as uninstalled. Stored configuration and metadata are then retained for up to 30 days to support re-install without losing your widgets, after which they are permanently deleted.

Video and image assets uploaded during use of the App live in your own Shopify Files (we never owned them) and remain under your control regardless of the App's status.

9. Shopify data subject request webhooks

Shopify forwards data-subject requests to apps via three mandatory webhooks, which we receive and act on:

  • customers/data_request — when a store customer asks the merchant for their personal data, we receive the request and respond with any personal data we hold about that customer. Because the App does not store shopper personal information, our response is normally that we hold no such data.
  • customers/redact — when a customer requests deletion 48 hours after order completion, we delete any personal data we may hold about that customer. In practice the App does not store shopper personal data, so this is typically a no-op acknowledged in our logs.
  • shop/redact — sent 48 hours after a shop uninstalls the App. On receipt we permanently delete all data associated with the shop, overriding the 30-day re-install grace period described above.

10. Your rights

Depending on your jurisdiction, you may have rights under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), or similar legislation — including the right to access, correct, port, restrict, or delete personal information we hold about you, and the right to object to processing or lodge a complaint with a supervisory authority.

To exercise any of these rights, email support@fourcore.dev. We respond within 30 days. We may need to verify your identity before acting on a request.

11. Security

All data in transit is encrypted using TLS 1.2 or higher. Shopify-issued access tokens are encrypted at rest in our application database. Production database access uses a private network endpoint with credential-based authentication. Access to production systems is restricted to a small, named group of operators and is auditable.

Despite these measures, no system can be guaranteed 100% secure. If we ever become aware of a security incident affecting your data, we will notify you in line with applicable law.

12. Children's data

The App is sold to Shopify merchants for use in their commerce operations. It is not directed at children. We do not knowingly collect personal information from children under the age of 13 (or the equivalent minimum age in your jurisdiction).

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to our practices or for legal reasons. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated through the App's admin interface or by email to the merchant contact on file before they take effect.

14. Contact

For any privacy-related question, request, or complaint, contact support@fourcore.dev.