Apollo by eBrands — Shopify Privacy Policy
Last updated: July 2026
1. Who we are
Apollo is a software platform operated by eBrands Holdings Oy ("eBrands", "we", "us"). The Apollo Shopify connector at app-connect.ebrands.com is the authorization entry point that enables Apollo to access your Shopify store data through the Shopify Admin API.
2. What this policy covers
This policy describes how Apollo collects, processes, stores, retains, and deletes Shopify-derived data accessed via the Admin API under your authorization. It is designed to comply with Shopify's API License and Terms of Use and Protected Customer Data requirements.
3. What data we access
Under your authorization, Apollo reads only the Admin API data needed to deliver the features you have signed up for:
- Orders: order IDs, line items, quantities, status, market, and fulfillment timestamps.
- Inventory: stock levels per location and per variant.
- Financials & payouts: payout reports, fees, refunds, and settlement records.
- Catalog & listings: products, variants, SKUs, prices, and inventory items.
- Customers: customer records associated with orders you have chosen to sync.
Apollo accesses Protected Customer Data (buyer name, address, contact) only when strictly necessary for fulfillment-related features, and handles it under stricter rules described in section 6.
4. How we use the data
Apollo's primary purpose for accessing Shopify data is to keep your ERP (Brightpearl) and analytics platform in sync with what happens in your Shopify store. When a customer places an order in Shopify, Apollo receives the order webhook, forwards the order (with the shipping and customer details required to fulfill it) into your own Brightpearl instance, and lands a copy in Apollo's analytical store for your cross-channel reporting.
Concretely, Shopify-derived data is used to:
- Push new and updated orders into your Brightpearl ERP as they happen, so your fulfillment team works from one system of record.
- Provide the operations dashboard, customer intelligence, and inventory planning features in Apollo.
- Aggregate brand performance across the channels you sell on, for your own use.
- Support and troubleshoot your Apollo account when you contact us.
We do not, and will not:
- Use Shopify data to market your customers with unrelated communications.
- Aggregate or sell competitive insights across other merchants' data.
- Share Shopify data with advertising networks or unrelated third parties.
5. Legal basis
Where the GDPR or equivalent regimes apply, our legal basis for processing Shopify-derived data is the contract between eBrands and the partner who authorized the connector, and our legitimate interest in operating and securing the Apollo platform. For Protected Customer Data, the controller is the merchant; eBrands acts as processor.
6. How data flows through Apollo
When you install the connector, Shopify events flow into Apollo through two paths:
- Access-token path: the offline access token from OAuth is stored in HashiCorp Vault (source of truth) with an AWS Secrets Manager mirror in eu-north-1. The DynamoDB brand record for your brand references the Secrets Manager ARN under
channels.shopify.<shop_slug>. - Business-event path: Shopify EventBridge partner source → AWS SQS queue in eu-west-1 → Apollo webhook-receiver (Go service in AWS EKS) → Kafka topics
prd.ecommerce.shopify.*→ ClickHouse in eu-north-1 (analytical store). - Order push to Brightpearl (the primary purpose of the connector): every relevant Shopify order webhook —
orders/create,orders/updated,orders/paid,orders/cancelled,orders/fulfilled, and the associated refunds/returns — is normalized by Apollo's webhook-receiver and pushed into your Brightpearl instance as an order-create/update call. This is a forward-only sync; Apollo never reads back from Brightpearl. The push carries the fulfillment-critical fields (line items, quantities, shipping address, customer identifier, order totals).
7. Encryption and security
- In transit: All Shopify data is transmitted using TLS 1.2 or higher.
- At rest: AES-256 across every store. Vault uses S3-backend SSE with AWS-managed KMS; AWS Secrets Manager and DynamoDB use AWS-managed KMS; Kafka and ClickHouse (EBS-backed) inherit encryption from their volume layer.
- Access control: per-service IAM roles via IRSA on EKS, per-service Vault policies scoped to specific paths, unique user IDs, mandatory MFA on Apollo dashboards, quarterly access reviews. Off-boarded staff lose access within 24 hours.
- Data isolation: every brand has its own Vault path, its own Secrets Manager entry (
<brand>/shopify-XXXXXX), and its own partition in ClickHouse. Cross-brand data access is not possible via any application code path. - Logging: Access to systems handling Shopify data is logged and monitored via Loki + Grafana. Sensitive fields (access tokens, API secrets) are redacted from log lines. Vulnerability scanning runs continuously; an incident response plan is documented and tested.
- Sub-processor certifications: the third parties that process Shopify data on our behalf independently maintain their own security certifications — see /subprocessors.
8. Retention
- PII: retained for no more than 30 days after order delivery, except where a longer period is required by tax, legal, or accounting obligations.
- Non-PII Shopify data: retained for up to 18 months from collection unless a longer period is required by law or to provide the service you have contracted for.
- GDPR request audit trail: kept for 7 years in Vault to evidence compliance with data-subject-request obligations. The audit trail contains request metadata (topic, shop, timestamp, payload hash) but not the customer data itself.
9. Deletion and data removal
On uninstallation of the app, or on written request to apollo@ebrands.com, Apollo permanently and securely deletes Shopify data tied to your store within 30 days, in line with NIST media-sanitization guidance. Apollo honors Shopify's mandatory GDPR webhooks (customers/redact, shop/redact,customers/data_request).
The shop/redact handler additionally emits a shop-purge tombstone to our Kafka topics so any downstream consumer of the pipeline (analytics dashboards, other MCPs) purges in the same wave.
10. Sub-processors
Apollo runs on AWS infrastructure inside the European Union. Our sub-processor list — AWS, Vercel (hosting the OAuth landing app), Shopify (data source), and Brightpearl (optional order sink when the merchant uses it) — is published at /subprocessors. We review sub-processors handling Shopify data at least annually and contractually require equivalent protections.
11. International transfers
Shopify data is processed inside the EEA — eu-west-1 (Ireland) for compute and eu-north-1 (Stockholm) for canonical brand data and Shopify secrets. If a transfer outside the EEA becomes necessary (e.g. Shopify-side infrastructure or Brightpearl regions), we rely on Standard Contractual Clauses or another lawful transfer mechanism as declared by the applicable sub-processor.
12. Incident response
In the event of a confirmed data incident affecting Shopify data, eBrands will notify affected partners and Shopify within 72 hours of confirmation.
13. Your rights
You can revoke Apollo's authorization at any time from your Shopify admin → Apps → Apollo. To request access, correction, deletion, or export of your data, contact apollo@ebrands.com. We respond within 30 days.
14. Data Processing Agreement
For merchants processing personal data under the GDPR or equivalent frameworks, our standard Data Processing Agreement is available at /legal/dpa. For custom terms, contact apollo@ebrands.com.
15. Contact
eBrands Holdings Oy
Email: apollo@ebrands.com
Website: ebrands.com
16. Changes
We may update this policy as the Apollo platform evolves or as Shopify's policies change. Material changes will be communicated to active partners by email.