Privacy Policy
Last updated: May 27, 2026
QuotePilot is a Shopify app that helps merchants collect quote requests from customers, prepare PDF quotes, create Shopify draft orders, and send quote emails. This Privacy Policy explains how we collect, use, and protect your data when you use QuotePilot.
Data We Collect
Through Shopify APIs: When you install QuotePilot, we access your shop domain, store contact email, and product information (titles, variants, prices) through Shopify's REST and GraphQL APIs. We also access billing and subscription data via the Shopify Billing API. We request only the minimum scopes necessary: read_products, write_draft_orders, and write_app_proxy.
Directly from the merchant: We collect configuration data you provide through the QuotePilot admin, including quote notification email, logo URL, PDF footer text, email template, button style preferences, visibility settings, and form field configuration. We also collect usage counters (quote request volume, feature usage) to operate plan limits.
From merchants' customers: When a buyer submits a quote request through your storefront, we collect the information they provide on the quote form: email address, company name, country, message, requested product/variant details, and quantity. We also process customer actions on the public quote view (accept, decline, decline reason).
Cookies and similar technologies: QuotePilot uses a session cookie for admin authentication (Shopify session token) and a language preference cookie to remember your display language (English or Chinese). We do not use tracking cookies, advertising cookies, or analytics cookies on customer-facing pages.
How We Use Data
We use the collected data solely to provide and operate the QuotePilot service, and not for any other purpose. Specifically: creating and managing quote requests, generating PDF quote documents, creating Shopify draft orders, sending quote-related emails to customers, displaying quote history and activity logs, enforcing plan limits (free vs. Pro), providing merchant support, and maintaining app security and reliability. We do not use merchant or customer data for advertising, marketing, profiling, or training machine learning models.
Data Sharing
We do not sell, rent, or trade personal data. We do not share customer data with third parties except as necessary to operate the service.
Service providers: We share data with trusted third-party service providers that help us operate QuotePilot, including cloud hosting infrastructure, PostgreSQL database services, email delivery (Resend), and PDF generation (QuestPDF). All providers are contractually bound to process data only on our instructions and maintain appropriate security measures. A list of subprocessors is available upon request.
Data Retention & Deletion
Quote data is retained while the merchant actively uses QuotePilot, unless deletion is requested earlier. When a merchant uninstalls the app, we automatically trigger data cleanup and mark the store as uninstalled. We subscribe to and respond to Shopify's mandatory privacy webhooks: customers/data_request (returns all quote data held about a customer), customers/redact (anonymizes customer PII — email, company, country, message), and shop/redact (redacts all customer PII across the store and deletes settings). Merchants and their customers may request data access, correction, deletion, or restriction of processing at any time by contacting us.
Security
QuotePilot implements industry-standard security measures: all traffic is encrypted in transit using HTTPS/TLS, Shopify webhooks are verified using HMAC-SHA256 signatures before processing, production credentials and secrets are stored in encrypted environment variables and never logged, access to merchant data is authenticated via Shopify session tokens, and backend API access requires authenticated Shopify admin sessions with X-Api-Key header validation. Our database uses encrypted connections and access is restricted to the application servers.
Your Rights
Access: Request a copy of the personal data we hold about you or your customers.
Correction: Request that we correct any inaccurate or incomplete personal data.
Deletion: Request that we delete personal data. This is also triggered automatically when you uninstall the app or when Shopify sends GDPR compliance webhooks.
Restrict processing: Request that we limit how your data is processed.
Portability: Request that we export your data in a machine-readable format.
International Data Transfers
QuotePilot is operated from China. Data may be processed in the United States, Europe, or other regions where our cloud hosting and service providers operate. We ensure appropriate safeguards are in place for cross-border data transfers in compliance with applicable data protection laws, including standard contractual clauses where required. By using QuotePilot, you acknowledge that your data may be transferred internationally.
Children's Privacy
QuotePilot is intended for use by Shopify merchants and their business customers. It is not directed at children under the age of 13, and we do not knowingly collect personal information from children.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated through the QuotePilot admin interface or via email to the merchant's configured notification email. The date at the top of this policy indicates when it was last revised. Continued use of QuotePilot after changes take effect constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact us. Response time: within 24 hours on business days.
Email: oujiangyun@gmail.com
For jurisdictions that require a physical address, or for formal legal correspondence, you may also contact us at our registered business address, available upon request by emailing oujiangyun@gmail.com.