Privacy Policy

Last Updated: February 11, 2026

Introduction

NexusForm (“we”, “our”, or “the App”) is a Shopify embedded app that enables merchants to create, manage, and publish custom forms on their Shopify storefronts. This Privacy Policy explains how we collect, use, store, and protect information when you install and use NexusForm.

We are committed to transparency and protecting your data. If you have questions about this policy, please contact us at the email address provided below.

Information We Collect

1. Information Collected Through Shopify APIs

When you install NexusForm, we access the following information via Shopify’s APIs:

Data Type	Purpose
Shop domain	Identify your store and associate forms/submissions
Shop email	Send email notifications for form submissions
Admin user info (name, email)	Authentication and session management
OAuth access tokens	Authenticate API requests to your store
Shop metafields	Store form bundle URLs for theme rendering

We request only the minimum OAuth scopes required:

write_themes - Deploy form blocks to your theme
write_metaobjects - Store form configurations in shop metafields

2. Information Collected Directly from Merchants

Data Type	Purpose
Form configurations	Store form structure, fields, styling, and validation rules
Email notification settings	Configure submission notifications and auto-responders
Custom color schemes	Store merchant-defined styling preferences
Audit logs	Track app actions for security and compliance

3. Information Collected from Your Customers

When customers submit forms on your storefront, we collect:

Data Type	Purpose
Form submission data	Store responses (varies by form: name, email, phone, custom fields)
File uploads	Store uploaded files (images, documents, signatures)
IP address	Rate limiting, fraud prevention, and abuse detection
User agent	Debugging and analytics
Submission timestamp	Record keeping and timeline display

Important: You control what data your forms collect. NexusForm processes whatever fields you configure in your forms.

How We Use Collected Information

We use collected information for the following purposes:

Provide App Services
- Render forms on your storefront
- Process and store form submissions
- Send email notifications to you and your customers
- Display submission data in your admin dashboard
Improve the App
- Analyze usage patterns to improve features
- Debug issues and optimize performance
- Track feature adoption for product development
Security and Compliance
- Detect and prevent fraud and abuse
- Rate limit form submissions (5 per 15 minutes per IP)
- Maintain audit logs for compliance purposes
- Validate HMAC signatures on storefront requests
Communication
- Send transactional emails (submission notifications, auto-responders)
- Notify you of important app updates (if opted in)

We do not:

Sell your data or your customers’ data to third parties
Use customer submission data for advertising
Share data with other merchants

Data Retention

Data Type	Retention Period
Form configurations	Until form is deleted or app is uninstalled
Submissions	Until manually deleted by merchant or app uninstalled
File uploads	Until associated submission is deleted
Session tokens	Until expired or app is uninstalled
Audit logs	90 days

Soft Deletes

When you delete forms, submissions, or customer records, we use “soft delete” (marking as deleted rather than immediate removal). This allows for:

Accidental deletion recovery
Compliance with data retention laws
Audit trail maintenance

Soft-deleted data is permanently purged after 30 days.

App Uninstallation

When you uninstall NexusForm:

Active sessions are terminated immediately
Form metafields are removed from your Shopify store
Your data is marked for deletion and removed within 30 days
File uploads are deleted from storage within 7 days

Data Storage and Security

Where Data is Stored

Service	Location	Purpose
Supabase (PostgreSQL)	United States	Primary database
Supabase Storage	United States	File uploads and form bundles
Supabase Edge Functions	Nearest region	Email notifications

Security Measures

We implement industry-standard security practices:

Encryption in transit: All data transmitted via HTTPS/TLS
Encryption at rest: Database and storage encrypted at rest
Access controls: Role-based access, principle of least privilege
Authentication: Shopify OAuth 2.0 for admin access; HMAC signature validation for storefront requests
Rate limiting: 5 submissions per 15 minutes per IP address
Input sanitization: All HTML content sanitized to prevent XSS attacks
Secure tokens: Edge function authentication via secure secrets

We share data only with the following third-party services essential for app operation:

Service	Purpose	Data Shared
Shopify	Platform integration	OAuth tokens, metafields
Supabase	Database and storage	All app data
Resend	Email delivery	Recipient emails, notification content

We do not share data with:

Advertising networks
Data brokers
Other Shopify merchants
Any other third parties

All third-party services are contractually obligated to protect your data.

Your Rights and Choices

For Merchants

You have the right to:

Access your data: View all forms, submissions, and settings in the app
Export your data: Export submissions as CSV from the dashboard
Delete your data: Delete individual submissions, forms, or uninstall the app
Modify your data: Edit form configurations and settings at any time

For Your Customers

Your customers can request data access or deletion by contacting you directly. You are responsible for:

Responding to customer data requests
Deleting customer submissions when requested
Complying with applicable privacy laws (GDPR, CCPA, etc.)

To delete customer data:

Go to Submissions in NexusForm
Find the customer’s submission(s)
Delete individually or use bulk delete

European Users

If you or your customers are in the European Economic Area (EEA), you have additional rights under GDPR:

Legal basis: We process data based on contractual necessity (providing the app) and legitimate interests (security, improvement)
Data transfers: Data is transferred to the United States where our services are hosted. We rely on standard contractual clauses for lawful transfer
Data Protection Officer: Contact us at the email below for DPO inquiries

NexusForm includes a “GDPR Consent” field type that you can add to forms to collect explicit consent from your customers before processing their data.

Children’s Privacy

NexusForm is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect data from children. If you believe a child has submitted data through a form, please contact us and the merchant to have it removed.

Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes:

We will update the “Last Updated” date at the top
We will notify merchants via email or in-app notification for significant changes

Continued use of NexusForm after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or your data, contact us:

Email: [Your support email]

Address: [Your business address if applicable]

Summary

What	How
Data collected	Shop info, form configs, submissions, file uploads, IP/user agent
Why	Provide form services, send notifications, security
Stored where	Supabase (US)
Retention	Until deleted or app uninstalled; purged within 30 days
Shared with	Shopify, Supabase, Resend (for email) only
Your rights	Access, export, delete, modify

This Privacy Policy complies with Shopify App Store requirements and is designed to meet GDPR, CCPA, and other applicable privacy regulations.