Shiney

Privacy Policy

Last updated: 30 June 2026

This policy explains how Shiney collects, uses, stores and shares personal information through our Shopify apps and this website (shiney.studio). We handle personal information in line with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and, where it applies to people in the EU/UK, the GDPR.

Who we are

Shiney ("we", "us", "our") is a founder-led studio operated by Matthew Shine (ABN 24 473 876 549) that builds focused Shopify apps. We are the data controller for the personal information described in this policy. You can reach us at matt@shiney.studio.

Who this policy covers

This policy applies to:

  • Merchants who install one of our apps on their Shopify store.
  • The merchant’s staff whose Shopify user details we receive when they sign in to an app.
  • Visitors to this website.

What our apps access on your store

When you install an app, you grant the Shopify access scopes it needs to work. For Grist these are:

  • write_products - to read your product catalogue and map recipe ingredients to the products you stock.
  • write_metaobjects and write_metaobject_definitions - to store recipes as Shopify metaobjects in your store.
  • write_content - to manage the builder’s page content and settings.
  • read_orders - to count recipe-driven sales for your admin dashboard.

Information we store

We store the minimum needed to run each app. For our apps today, that is a single session record per store containing:

  • Authentication data: your shop domain, the access and refresh tokens, granted scopes, expiry and state.
  • Merchant staff details, for signed-in staff only: first name, last name, email address, locale, Shopify user ID, and role flags (such as account owner or collaborator).

Information we access but do not store

Some data is read live from Shopify to display a result and is never saved to our systems:

  • Orders: when you open the dashboard, we read order ID, name and date plus the recipe tags we set on line items, only to count recipe sales. We do not read or store customer identity, and we do not keep a copy of your orders.
  • Storefront recipe selections: when a shopper builds a recipe, their selection is written into the Shopify cart as line-item properties and handled by Shopify checkout. The app does not store it.

Information we do not collect

Our apps are built to avoid handling shopper personal data. We do not collect or store:

  • Shopper or customer personal data such as names, emails or addresses.
  • Persisted order records.
  • Payment or card data - billing is handled entirely by Shopify.

Information collected on this website

This marketing site keeps tracking to a minimum. We do not run advertising trackers or third-party analytics. The only personal information we collect here is whatever you choose to send us when you email us (for example, for support or early access).

How we use information

We use the information above to:

  • Provide, operate and maintain our apps and website.
  • Authenticate your store and staff and keep your session secure.
  • Build recipes from your catalogue and report recipe sales in your dashboard.
  • Respond to support requests and communicate with you about your account or an app.
  • Diagnose problems, prevent abuse, and keep the apps secure.
  • Comply with our legal obligations.

Legal bases (for EU/UK users)

Where the GDPR applies, we rely on: performance of a contract (to deliver an app you installed), our legitimate interests (to secure, support and improve our apps), consent (where you provide it, such as optional analytics), and compliance with legal obligations.

Who we share information with

We do not sell personal information. We share it only with the service providers that help us run our apps and site, and only as needed:

  • Shopify - the platform our apps run on and the source of store data; governed by Shopify’s own terms and privacy policy.
  • Vercel - hosting for our apps and this website.
  • Supabase - our managed Postgres provider, where the session record is stored.

International transfers

Our service providers may store and process data outside Australia, including in the United States and the EU. Where we transfer personal information overseas, we take reasonable steps to ensure it is handled consistently with this policy and applicable law, including standard contractual clauses where required.

Data retention

We keep the session record for your store while the app is installed. When you uninstall the app, or when Shopify sends a shop redaction request, we delete that record (including any staff name and email it holds) within the period required by Shopify. We may retain limited records where we must do so to meet legal or accounting obligations.

Shopify data requests and deletion

Our apps respond to Shopify’s mandatory privacy webhooks. Because our apps do not store shopper personal data, a customer data request or customer redaction request returns no stored customer information. A shop redaction request deletes the store’s session record from our database. Merchants can also contact us directly to make a request.

Security

We use reasonable technical and organisational measures to protect personal information, including encryption in transit, access controls, and limiting what each app stores to the minimum it needs. No method of transmission or storage is completely secure, but we work to protect your information and to notify you of any eligible data breach as required by law.

Your rights

You can ask us to access, correct or delete the personal information we hold about you, and (where the GDPR applies) to restrict or object to certain processing or to request portability. To make a request, email us at matt@shiney.studio.

If your data is held by a merchant who uses our app, you may need to contact that merchant directly, as they control the data.

Complaints

If you have a concern about how we handle your information, please contact us first so we can try to resolve it. You also have the right to complain to the Office of the Australian Information Commissioner (oaic.gov.au), or, in the EU/UK, to your local data protection authority.

Children

Our apps and site are intended for businesses and are not directed at children. We do not knowingly collect personal information from children.

Changes to this policy

We may update this policy from time to time. We will change the “Last updated” date above and, for material changes, take reasonable steps to notify affected merchants.

Contact us

For any privacy question or request, email matt@shiney.studio.