Kestori Privacy Policy
Effective date: 2026-06-04
Operator: Forethought Studio (Aaron Hertzmann), Helsinki, Finland
Contact: [email protected]
What Kestori is
Kestori is a Shopify app that helps merchants spot SKUs at risk of stockout. It sends a daily low-stock digest email and surfaces an embedded dashboard inside the Shopify admin. Kestori operates as a data processor on behalf of the installing merchant store.
What we access
When a merchant installs Kestori, Shopify grants the app a set of API scopes. Kestori reads:
- Products and variants (read_products): SKU, title, variant identifiers, product/variant metadata necessary to display low-stock candidates and accept per-SKU configuration.
- Inventory levels (read_inventory): on-hand quantity per variant per location, polled and updated via webhooks (inventory_levels/update, products/update, products/delete).
- Order line items (read_orders, pending Shopify approval for protected customer data access): unit counts and timestamps for sold variants, used solely to compute recent sales velocity. Kestori does not read customer names, addresses, emails, phone numbers, payment details, or any other order field beyond line-item quantity and time. Until this scope is granted, velocity is unavailable and Kestori falls back to a configuration-only forecast.
Kestori does not read:
- Customer personal data (names, addresses, contact info, payment instruments).
- Storefront browsing or session data.
- Anything outside the granted scopes above.
What we collect from the merchant
- Account email: from the Shopify session, used as the default recipient of the daily digest. The merchant can change or add recipients in the app's settings page.
- Configuration: lead-time days, safety-buffer days, per-SKU overrides, digest recipients, and digest pause state. Entered by the merchant in the app.
How data is stored
- Location: a managed MySQL 8 database on a Hetzner Cloud server in Nuremberg, Germany (EU).
- Encryption in transit: TLS 1.2+ for all browser, Shopify API, and email-relay connections.
- Encryption at rest: the host disk uses LUKS full-disk encryption.
- Access: limited to the operator account (Forethought Studio) and Shopify webhook ingest via HMAC verification. No analytics, advertising, or third-party data brokers receive Kestori data.
How long we keep data
Kestori retains shop data only while the app is installed.
- On uninstall (app/uninstalled webhook): the merchant's products, variants, inventory snapshots, order rollups, settings, sessions, and billing state are queued for deletion and removed within 48 hours.
- On Shopify privacy webhooks:
  - customers/data_request: Kestori does not store customer-identifying data; we acknowledge and respond with confirmation that no customer-identifying records exist.
  - customers/redact: same as above (no records to redact).
  - shop/redact: a final sweep removes any residual rows for the shop within 30 days of the webhook, per Shopify's published GDPR compliance window.
- Operational logs: structured log lines (without customer-identifying content) are retained for 30 days for debugging and security review, then rotated out.
Third parties
Kestori uses a small, fixed set of subprocessors:
- Shopify (data source): the merchant's Shopify store, accessed via Admin GraphQL.
- Amazon Web Services Simple Email Service (SES) (email delivery): sends the daily low-stock digest email to the merchant's configured recipients. Recipient addresses and digest contents (product titles, SKUs, quantities) transit SES; SES retains transient delivery metadata per AWS's own retention policy.
- Hetzner Cloud (hosting): operates the server that runs the Kestori application and database.
Kestori does not share data with any other third party.
What the merchant can do
- View or export data: contact [email protected]; we will provide a copy of every row Kestori stores for the shop in JSON.
- Delete data on demand: uninstalling Kestori from the Shopify admin triggers the deletion path described above. Alternatively, email [email protected] to request immediate deletion without uninstalling.
- Pause the digest: the settings page in the embedded app exposes a digest pause toggle that takes effect on the next scheduled send.
Changes to this policy
Material changes will be announced in the embedded dashboard at least 30 days before they take effect, and the effective date above will be updated.
Contact
Questions, deletion requests, or privacy concerns: [email protected].