EZBundle Privacy Policy
Last updated: May 26, 2026
This Privacy Policy applies solely to the EZBundle Shopify app, published by Extensions Market. It discloses what data EZBundle collects from merchants, how that data is used, with whom it is shared, and how it is stored and deleted. By installing or using EZBundle, you (the merchant) agree to this policy.
Summary: EZBundle collects only what it needs to function: your shop domain, OAuth token, bundle configurations you create, and the discount codes it generates on your behalf. It does not collect or store any customer personal data. All merchant data is deleted within 48 hours of uninstallation.
1. Data EZBundle Collects
Merchant data (collected on install)
- Shop domain: your myshopify.com domain. Used to identify your account, associate bundle data, and authenticate Shopify Admin API calls.
- OAuth access token: a Shopify-issued token provided during installation. Used to authenticate requests to the Shopify Admin API (product lookups, discount creation). Stored securely in our database and never exposed to the storefront.
- Billing plan tier: which EZBundle plan (Free, Starter, or Growth) is active for your store. Used to enforce bundle limits and feature gating. Managed via Shopify's billing system.
Bundle data (stored per shop)
- Bundle configuration: the title, description, type (fixed or mix-and-match), discount type, discount value, min/max item limits, and status of each bundle you create. This is data you enter and is stored so your bundles render correctly on your storefront.
- Bundle items: the product GIDs, variant GIDs, product titles, variant titles, prices, image URLs, quantities, and positions for items included in each fixed bundle. This data comes from your Shopify product catalog via the Admin API and is stored to power the storefront widget.
- Collection reference: for mix-and-match bundles, the Shopify collection GID and title used to populate the product selection widget. Not stored beyond the collection ID and name.
- Discount codes and GIDs: when you activate a bundle, EZBundle creates a Shopify discount code on your behalf and stores the generated code string and Shopify discount node GID in our database. This is needed to delete the discount when a bundle is deactivated or deleted.
Shopify API scopes used
| Scope | Purpose | Data persisted? |
|---|---|---|
| read_products | Lets merchants search and select products/variants when building a fixed bundle | Product title, variant title, price, image URL stored in bundle items table |
| read_collections | Lets merchants select a collection for mix-and-match bundles | Collection GID and title stored per bundle |
| write_discounts / read_discounts | Creates and deletes Shopify discount codes when bundles are activated/deactivated | Discount code string and GID stored per bundle |
2. Data EZBundle Does NOT Collect
- Customer names, email addresses, phone numbers, or mailing addresses
- Customer order history, purchase amounts, or payment data
- Storefront visitor browsing behaviour (clicks, sessions, conversions)
- Any analytics on how shoppers interact with bundle widgets
- IP addresses of storefront visitors
3. How Data Is Used
- Shop domain + OAuth token: to authenticate your session in the EZBundle admin and to make authorised Shopify Admin API calls on your behalf.
- Bundle configurations and items: to render your bundle widgets correctly on your storefront via the Shopify App Block system and the EZBundle widget script.
- Discount codes: generated and stored so the storefront widget can apply the correct discount when a customer adds a bundle to their cart. The code is deleted from Shopify when the bundle is deactivated or removed.
- Billing tier: to enforce plan limits (bundle count caps) and gate features (analytics, unlimited bundles) based on your active subscription.
4. Third-Party Services
| Service | Data shared | Purpose |
|---|---|---|
| Shopify | Shop domain, session token, product/discount API requests | Platform authentication, storefront App Blocks, discount creation, billing |
| Railway | App request payloads (bundle settings, API responses) | Cloud hosting for the EZBundle server and PostgreSQL database |
| Google Analytics | Anonymised page view data | Traffic analytics on extensionsmarket.com only, not inside the Shopify admin or storefront |
We do not share any merchant or customer data with advertising networks, data brokers, or any party not listed above.
5. Data Retention
- Active installation: your shop domain, OAuth token, bundle configurations, and associated discount data are retained for as long as EZBundle is installed on your store.
- After uninstallation: all merchant data (shop domain, session token, bundles, items, discount codes) is deleted from our database within 48 hours of receiving the app/uninstalled webhook from Shopify. Associated Shopify discount codes are also deleted from your Shopify store at that time.
- Backups: Railway database backups are retained for up to 7 days and then permanently deleted.
6. Security
All data is transmitted over HTTPS. OAuth tokens are stored in a private PostgreSQL database hosted on Railway with no public network access. We do not log API responses that contain sensitive merchant data. Database credentials are stored as environment variables and never committed to source code.
7. Your Rights
As a merchant, you have the right to:
- Access: request a copy of the data we hold about your store.
- Deletion: request immediate deletion of all your store's data. You can also trigger deletion by uninstalling EZBundle from your Shopify admin, which initiates automatic deletion within 48 hours.
- Correction: update or delete your bundle configurations at any time from the EZBundle admin dashboard.
To exercise these rights, contact us at [email protected]. We will respond within 5 business days.
8. GDPR & CCPA
EZBundle is designed to minimise data collection. For GDPR purposes, Extensions Market acts as a data processor on behalf of the merchant (data controller) for any data accessed via the Shopify API. For CCPA purposes, we do not sell personal information. We support Shopify's mandatory GDPR webhook topics (customers/data_request, customers/redact, shop/redact); because EZBundle does not store customer personal data, these webhooks result in no-ops with a 200 OK response.
9. Changes to This Policy
We may update this policy when EZBundle's data practices change. If we make material changes, we will update the "Last updated" date above. Continued use of EZBundle after changes constitutes acceptance of the updated policy.
10. Contact
For questions about this Privacy Policy or to submit a data request: