Last Updated: January 2026
This Privacy Policy describes how Merch Table (“we”, “us”, or “our”) collects, uses, and shares information when you install and use our Shopify application.
1. Information We Collect
From Shopify Stores (Merchants)
When you install Merch Table, we collect and store:
- Shop Information: Your Shopify store domain (e.g.,
your-store.myshopify.com) - Access Token: An encrypted OAuth token that allows our app to interact with your store’s API
- Configuration Data: Your app settings, including which Discord roles to sync, discount rules, and product visibility settings
From Discord
When you connect your Discord server, we collect:
- Server ID: The unique numeric identifier for your Discord server
- Role Information: Role IDs and names from your server (for sync configuration)
From Customers
When customers link their accounts, we collect:
- Shopify Customer ID: The numeric identifier assigned by Shopify
- Discord User ID: The numeric identifier assigned by Discord
Important: We do NOT collect or store:
- Customer names, email addresses, or physical addresses
- Discord usernames, avatars, or personal information
- Payment information or purchase history
- Any personally identifiable information (PII) beyond numeric IDs
2. How We Use Information
We use the collected information to:
- Provide the Service: Link Discord accounts to Shopify customers, sync Discord roles as customer tags, create automatic discounts, and manage product visibility
- Maintain and Improve: Monitor app performance, fix bugs, and improve functionality
- Communicate: Respond to support requests and send service-related notices
We do NOT:
- Sell your data to third parties
- Use your data for advertising purposes
- Share your data with unrelated third parties
- Access your data except as necessary to provide the service
3. Data Storage and Security
Storage Location
All data is stored in a PostgreSQL database hosted on Fly.io infrastructure in the United States.
Security Measures
- Encryption at Rest: Shopify access tokens are encrypted using AES-256-GCM before storage
- Encryption in Transit: All data transmission uses HTTPS/TLS encryption
- Access Controls: Database access is restricted to application services only
- Webhook Verification: All incoming Shopify webhooks are verified using HMAC signatures
Data Retention
- Active Installations: Data is retained while the app is installed on your store
- Uninstallation: All shop data is permanently deleted when you uninstall the app
- Customer Unlinking: Customer link data is deleted when a customer unlinks their account
4. Data Sharing
We share data only in the following circumstances:
Service Providers
We use the following service providers to operate our application:
| Provider | Purpose | Data Shared |
|---|---|---|
| Fly.io | Application hosting | All application data (encrypted) |
| Discord | Bot functionality | Discord user/server IDs |
| Shopify | E-commerce platform | Customer IDs, tags |
Legal Requirements
We may disclose information if required by law, legal process, or government request.
Business Transfers
If our business is acquired or merged, your data may be transferred as part of that transaction. We will notify you of any such change.
5. Your Rights
For Merchants (Store Owners)
You have the right to:
- Access: View what data we store about your shop
- Correct: Update your app configuration at any time
- Delete: Uninstall the app to delete all your data
- Export: Request an export of your data
For Customers (End Users)
Customers who have linked their accounts have the right to:
- Unlink: Run
/unlink_shopifyin Discord to remove the account link - Request Deletion: Contact the store owner or us to request data deletion
- Access: Request information about what data is stored
GDPR Rights (EU Residents)
If you are in the European Union, you have additional rights under GDPR:
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure (“right to be forgotten”)
- Right to restrict processing
- Right to data portability
- Right to object to processing
To exercise these rights, contact us at the email below.
6. GDPR Compliance
We comply with Shopify’s mandatory GDPR webhooks:
Customer Data Request
When a customer requests their data through Shopify, we respond with:
- Whether we have any data associated with that customer
- The Discord user ID linked to their account (if any)
- The Discord role tags synced to their profile
Customer Data Erasure
When a customer requests deletion through Shopify:
- We delete all customer link records associated with that customer
- We confirm deletion to Shopify within 30 days
Shop Data Erasure
When a merchant uninstalls the app or requests deletion:
- We delete all shop data, including configuration and customer links
- We delete the encrypted access token
- We confirm deletion to Shopify within 30 days
7. Children’s Privacy
Merch Table is not directed at children under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us.
8. International Data Transfers
Our servers are located in the United States. If you are accessing our service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new Privacy Policy on this page
- Updating the “Last Updated” date
- Sending a notification through the Shopify admin (for material changes)
10. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Email: hello@nervous.net
11. Data Processing Agreement
For merchants who require a Data Processing Agreement (DPA) for GDPR compliance, please contact us at the email above.
Summary
| What We Collect | What We Don’t Collect |
|---|---|
| Shop domain | Customer names |
| Encrypted access token | Customer emails |
| Discord server ID | Customer addresses |
| Discord role IDs/names | Discord usernames |
| Shopify customer IDs | Payment information |
| Discord user IDs | Purchase history |
| App configuration | Any other PII |