Privacy Policy — Metaobject Bulk Manager
Last Updated: March 12, 2026
Developer: Curythm
Contact: contact@curythm.com
1. Introduction
This Privacy Policy describes how Curythm (“we”, “us”, or “our”) collects, uses, and handles information when you use the Metaobject Bulk Manager app (“the App”). The App is a Shopify application that provides bulk export and import functionality for metaobject data.
We are committed to protecting the privacy of merchants who install and use our App. This policy is designed to comply with applicable privacy laws, including the General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and other relevant data protection regulations.
2. Information We Collect
2.1 Information Collected Through Shopify’s APIs
When you install and use the App, we access the following data through Shopify’s APIs:
- Metaobject Definitions: The structure and schema of your metaobject types (field names, types, and configurations).
- Metaobject Entries: The content stored in your metaobjects, which is accessed solely for the purpose of CSV export and import operations.
- Session Information: Shopify provides session data upon installation, which may include your store domain, staff member name, and email address. This is used for authentication and authorization purposes.
2.2 Information Collected Directly from Merchants
- CSV Files: When you use the import feature, you upload CSV files containing metaobject data. This data is processed to perform the import operation.
2.3 Information Collected from Merchants’ Customers
The App does not directly collect any information from your store’s customers. We do not place cookies or tracking technologies on customer devices, and we do not access or log customer browsing behavior.
Important Note: Depending on how you use metaobjects in your store, metaobject entries may contain personal information about your customers or other individuals. While we process this data as part of export/import operations, we do not use it for any purpose other than providing the App’s functionality.
3. How We Use Your Information
We use the information we collect solely for the following purposes:
- Providing App Functionality: Processing metaobject data for CSV export and import operations, including dry-run validation.
- Authentication: Verifying your identity and maintaining your session when using the App.
- Job Processing: Tracking the status and results of import operations (success/error counts and error details).
- Troubleshooting: Diagnosing technical issues to maintain and improve App functionality.
We do not use your information for advertising, marketing, profiling, or any purpose other than providing the App’s services as described above.
4. Data Storage and Retention
4.1 Where Data Is Stored
- Database: Neon Serverless PostgreSQL hosted in Singapore.
- Application Server: Google Cloud Run hosted in Tokyo, Japan (asia-northeast1).
- Data in Transit: All data is transmitted over HTTPS with TLS encryption.
4.2 What Data Is Stored
- Session Data: Authentication session records (store domain, access tokens, staff member name, and email) are stored in our database for as long as the App is installed.
- Import Job Records: Job metadata (status, row counts, error counts, and error messages) are stored in our database. CSV data uploaded for import is held in memory during processing and is set to null upon job completion or failure. It is not retained after processing.
4.3 Retention Periods
- Session Data: Deleted when you uninstall the App.
- Import Job Records: Deleted when you uninstall the App.
- CSV Upload Data: Cleared from memory immediately after processing is complete.
5. Data Sharing
We do not sell, rent, or share your data with any third parties, except for the following service providers that are necessary to operate the App:
- Google Cloud Platform (GCP): Hosting and infrastructure services.
- Neon: Database hosting services.
These service providers process data only on our behalf and are bound by their own privacy and security commitments.
6. Data Security
We implement the following security measures to protect your data:
- Encryption in Transit: All communications between your browser, Shopify, and our servers use HTTPS/TLS encryption.
- Encryption at Rest: Our database provider (Neon) encrypts stored data at rest.
- Access Control: Our application server endpoints are secured through Shopify’s session token authentication.
- Minimal Data Collection: We collect only the minimum data necessary to provide the App’s functionality.
- Data Sanitization: Error messages are sanitized to remove raw data before storage.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: You can request information about what personal data we hold about you.
- Correction: You can request correction of inaccurate personal data.
- Deletion: You can request deletion of your personal data. Uninstalling the App will automatically delete all data associated with your store from our database.
- Restriction: You can request that we restrict processing of your personal data.
- Data Portability: You can request a copy of your personal data in a structured format.
To exercise any of these rights, please contact us at contact@curythm.com. We will respond to your request within 30 days.
8. Compliance Webhooks
In accordance with Shopify’s requirements, our App responds to the following mandatory compliance webhooks:
- Customer Data Request: When a customer requests their data, we respond accordingly. As our App does not directly store customer personal data, no customer-specific data is provided.
- Customer Data Erasure: When a customer requests data deletion, we respond accordingly. As our App does not directly store customer personal data, no additional action is required.
- Shop Data Erasure: When you uninstall the App, all data associated with your store (session records and import job records) is permanently deleted from our database.
9. International Data Transfers
Our servers and databases are located in Japan and Singapore. If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data transfer restrictions, please be aware that your data will be transferred to and processed in these locations. We rely on appropriate safeguards to ensure your data is protected in accordance with applicable laws.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the “Last Updated” date at the top of this policy. We encourage you to review this policy periodically.
11. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:
Curythm
Email: contact@curythm.com