Privacy Policy

Last updated: May 2026

This Privacy Policy explains how Clockwork Apps ("we", "us", or "our") collects, uses, and protects information when you use any of our applications.

This policy covers every Clockwork Apps application, including:

ListingIQ — Product Readiness (Shopify)
Bulk Product Editor (Shopify)
Order Exporter (Shopify)
SmartTags (Shopify)
Vault — Secure Backups (Shopify)
Bulk Product Editor (BigCommerce)
Bulk Product Editor v2 (BigCommerce)
BCVault — Secure Backups (BigCommerce)
SmartTags (BigCommerce)
Bulkflow — Bulk Product Editor (Webflow)
PathKeeper: No Broken Links (Webflow)
Bulk SEO Optimizer (Wix)
Bulk Price Editor / Scheduler (Wix)
Bulk Product Editor (Wix)
Redirect Manager (Wix)
Low Stock Monitor (Wix)

Information We Collect

Store & Account Information

When you install any of our apps, we collect your store/site identifier and an OAuth access token (or a signed-payload token, depending on the platform) issued by Shopify, BigCommerce, Webflow, or Wix. This token allows our app to read or write data on your behalf with the permissions you explicitly grant during installation. For Webflow apps, the token is workspace-scoped — it covers every site in the workspace you authorize.

Product & Catalog Data

Apps that analyze or edit your products (Bulk Product Editor variants, ListingIQ, Bulkflow) read product data including titles, descriptions, images, variants, pricing, tags, and metadata. This data is processed to provide the app's functionality. We do not permanently store raw product data — it is processed in memory and discarded after each operation, with one exception: pre-edit snapshots taken by Bulkflow and the BigCommerce Bulk Product Editor v2 are uploaded to encrypted Amazon S3 storage so the merchant can perform a one-click revert. These snapshots are retained for the lifetime of the corresponding job and removed when the job is deleted.

URL & Link Data (PathKeeper)

PathKeeper walks your Webflow site via Webflow's API to enumerate every CMS item slug, every Ecommerce product slug, every page URL, and every outbound link inside CMS rich-text fields. For each link found we store its normalized form, last-known HTTP status, and a SHA-256 hash for indexing. Slug history is retained per-item so we can detect rename events. We never read or store the body of any external page we probe — only the HTTP status code.

Order Data

The Order Exporter app reads order data (customer names, addresses, line items, totals) solely to generate export files at your request. Exports are stored temporarily in AWS S3 and are accessible only to you via a time-limited download link. We do not analyze, share, or retain order data beyond what is needed to produce your export.

Backup Data (Vault, BCVault & Vaultflow)

Our backup apps — Vault (Shopify), BCVault (BigCommerce), and Vaultflow (Webflow) — create gzipped JSON snapshots of your store/site catalog and supporting resources, uploaded to Amazon S3 with server-side encryption (AES-256) at rest. Vault (Shopify) and Vaultflow (Webflow) back up catalog and structural data only (products, collections, pages, blog posts, redirects, themes/CMS) and do not capture customer or order data. BCVault (BigCommerce) additionally backs up customer records and customer-group pricing where the merchant enables it; merchants can erase an individual customer from every BCVault backup on request (see "GDPR & Data Subject Rights" below). Backups are retained according to your plan/settings, are accessible only to the authorized merchant, are never read by any human at Clockwork Apps, and are never shared with third parties. A merchant can download any of their own backups as a portable JSON export at any time.

Usage & Analytics Data

We store aggregated, non-personally-identifiable data such as analysis scores, scan summaries, and historical trends. This data powers features like trend charts within the app and helps us improve our products.

Contact Form Submissions

If you submit a support message through an in-app contact form, we receive your name, email address, and message content. This information is used solely to respond to your inquiry.

How We Use Your Information

To provide, operate, and improve the functionality of our apps.
To authenticate your store/site and maintain your session.
To process billing — via Shopify's RecurringApplicationCharge API for Shopify apps, via Wix's billing webhook for Wix apps, and via Stripe for BigCommerce and Webflow apps (since neither platform exposes a native app-billing API). Stripe receives only the data required to bill you (email, payment method) — never your store/site contents.
To respond to support requests.
To store historical analysis data so you can track improvements over time.

Data Sharing

We do not sell, trade, rent, or share your store data or personal information with any third parties. Data is stored on servers we control (AWS infrastructure in the US-West-2 region). The only third-party services we use are:

AWS S3 — for backup snapshots, pre-edit revert snapshots, and temporary storage of order export files.
AWS SES — for sending transactional emails (export notifications, breakage digests, support replies, scheduled-job receipts).
Stripe — for processing subscription payments on BigCommerce and Webflow apps. Stripe receives the merchant's email and payment method; it never receives the merchant's store/site catalog or customer data.
Shopify Billing API — for processing subscription payments on Shopify apps.
Wix Billing webhook — for processing subscription state on Wix apps.

Data Retention

Your access token is retained for as long as your app is installed and active.
Upon uninstallation, your access token is invalidated immediately and marked inactive in our database.
Order export files stored in S3 are automatically deleted after 7 days.
Bulkflow / BigCommerce BPEv2 pre-edit snapshots are retained until the corresponding job is deleted, with a 90-day default cap.
Vault / BCVault backup snapshots are retained according to your plan: 7 days (Free), 30 days (Basic), 90 days (Pro).
PathKeeper slug history, URL registry, and breakage rows are retained for the lifetime of the install and purged when the merchant uninstalls.
Analysis history and configuration data is retained for up to 12 months after uninstallation, after which it is purged.
You may request immediate deletion of all your data at any time (see below).

GDPR & Data Subject Rights

We comply with Shopify's, BigCommerce's, Webflow's, and Wix's GDPR/privacy requirements. If you are a merchant, or a customer of a merchant using our apps, you have the right to:

Access — request a copy of the data we hold about you.
Portability — receive a portable export of your data. Our backup apps let merchants download any of their backups as JSON directly from the app.
Erasure — request deletion of your data. When a merchant uninstalls a backup app, all of that store's backups and stored credentials are permanently deleted after a short grace window (immediately, in response to a platform shop/redact signal where one exists). For BigCommerce merchants whose customers exercise erasure, BCVault provides a per-customer redaction tool that scrubs that customer's personal data from every stored backup.
Correction — request correction of inaccurate data.
Objection — object to processing of your data.

To exercise any of these rights, contact us at clockwork.ecom@gmail.com. We will respond within 30 days.

International data transfers. Our infrastructure is hosted on Amazon Web Services in the United States (US-West-2 region). If you are located in the European Economic Area, the United Kingdom, or Switzerland, your data is transferred to the US under Standard Contractual Clauses (SCCs); contact us to request a copy of the SCCs or a Data Processing Agreement (DPA).

Security

We implement industry-standard security measures including:

HTTPS encryption for all data in transit.
Encrypted storage of access tokens in our database.
HMAC signature verification for all webhook callbacks from Shopify and BigCommerce.
OAuth state-parameter CSRF guards on Webflow installation flows.
JWT-signed payload verification on Wix billing webhooks.
S3 server-side encryption for all stored files (AWS-managed keys).
Access to production systems is restricted to authorized personnel only.

Children's Privacy

Our apps are designed for use by businesses and are not directed at children under the age of 13. We do not knowingly collect personal information from children.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify merchants of material changes by updating the "Last updated" date at the top of this page. Continued use of our apps after changes constitutes acceptance of the updated policy.

Contact Us

If you have any questions, concerns, or data requests regarding this Privacy Policy, please contact:
Clockwork Apps
clockwork.ecom@gmail.com