Baseify
Legal

Privacy Policy

What we process, why, and the controls you have over it.

Effective June 26, 2026

This Privacy Policy explains how Baseify (“Baseify”, “we”, “us”), an application operated by Rush Commerce, handles information when you install and use it on your Shopify store. Baseify performs a one-way, read-only sync of your Shopify data into a Baserow database that you own and control. Baseify never writes back to Shopify.

The short version

Your store data flows through Baseify into your own Baserow. We keep only what we need to make that sync reliable — encrypted connection tokens, your sync configuration, ID-to-row mappings, and short-lived event records. We don’t sell your data, and uninstalling deletes it.

1. Our role: controller and processor

For the store data we sync on your behalf (for example product, order, customer, fulfillment and inventory records), you, the merchant, are the data controller and Baseify acts as a data processor following your instructions — namely, the syncs and field mappings you configure. You are responsible for having a lawful basis to copy that data, including any personal data of your own customers, into your Baserow instance.

For a small amount of account and operational data (described below) that we need to run the service, Baseify is the controller.

2. Information we process

a. Shopify store data (read-only, in transit)

When you enable a sync, Baseify reads the corresponding records from the Shopify Admin API and writes them into your Baserow database. Depending on which resources you choose to sync, this can include data such as products and variants, collections, orders and line items, draft orders, fulfillments, locations, inventory levels, and customer personal data (for example name, email, phone, and shipping/billing addresses contained in customers and orders).

This data is processed transiently to perform the sync. The authoritative copy is written to your Baserow instance; Baseify does not retain a long-term copy of these full records (see retention below).

b. Connection & configuration data we store

  • Shopify session & offline access token for your shop, plus your .myshopify.com domain, used to authenticate API calls.
  • Baserow connection details — base URL and a Baserow database token, and optionally Baserow account credentials you provide for in-app schema browsing. All Baserow secrets are encrypted at rest with AES-256-GCM; only the last four characters and status are ever shown back to you.
  • Sync configurations & field mappings you create.
  • Record mappings — a mapping between each Shopify record’s ID and the corresponding Baserow row ID, so updates and deletes are deterministic.
  • Event records — a short-lived queue of recent sync events, which may include a snapshot of the fetched record, used to process changes reliably and to power retries and the event log.
  • Webhook registrations and basic operational logs (with secrets redacted).

c. Billing data

Your subscription is handled by Shopify Billing. Baseify does not receive or store your payment card details; Shopify processes payment and charges appear on your Shopify invoice.

3. How we use information

  • To operate the sync you configured and keep Baserow current.
  • To make syncing reliable — queuing, de-duplication, ordering, retries, and the event log.
  • To secure the service and prevent abuse.
  • To provide support when you contact us.
  • To manage your subscription through Shopify.

We do not sell your data or your customers’ data, and we do not use it for advertising.

4. Legal bases (GDPR / UK GDPR)

Where applicable, we rely on: performance of a contract (providing the app you installed); our legitimate interests in operating, securing and improving the service; and compliance with legal obligations. As the controller of the store data you sync, you are responsible for establishing the appropriate lawful basis to process your customers’ personal data.

5. Sharing & subprocessors

We share data only with the infrastructure providers needed to run Baseify, and with the destinations you choose:

  • Shopify — the source platform you authorize us to read from.
  • Baserow (Baserow Cloud or your self-hosted instance) — the destination you select and control; your synced data is stored there under your account.
  • Neon — managed PostgreSQL hosting for our application database (connection config, mappings, event queue).
  • Vercel — application hosting and content delivery.

We may also disclose information if required by law. A current list of subprocessors is available on request at tommy@tommyrush.dev.

6. International transfers

Our infrastructure providers may process data in the United States and other countries. Where required, transfers are covered by appropriate safeguards such as Standard Contractual Clauses. Note that if you choose Baserow Cloud or a self-hosted instance, the storage location of your synced data is determined by your Baserow setup.

7. Data retention & deletion

  • Connection & configuration data is retained while the app is installed.
  • Event records are short-lived and pruned on an ongoing basis once processed; they are not a long-term store of your records.
  • On uninstall / shop deletion (Shopify’s shop/redact webhook), we purge all of our data for your shop — tokens, configuration, mappings, event records, webhook registrations and sessions. The data already written to your Baserow remains yours and is left intact.
  • Customer redaction (Shopify’s customers/redact webhook): we delete that customer’s (and their orders’) synced rows from Baserow and scrub our local mappings and event snapshots for that customer.
  • Customer data requests (Shopify’s customers/data_request webhook): we acknowledge the request and report the limited data we hold (mappings and recent event snapshots), since the substantive customer data lives in your Baserow.

8. Security

  • Baserow tokens and credentials are encrypted at rest (AES-256-GCM).
  • Every Shopify webhook is HMAC-verified; embedded requests are authenticated with Shopify session tokens.
  • Data is transmitted over TLS, and every query is scoped to your shop for tenant isolation.
  • Secrets live only in server environment variables and are redacted from logs.

No method of transmission or storage is 100% secure, but we work to protect your information using industry-standard measures.

9. Protected customer data

Syncing Orders or Customers involves Shopify Protected Customer Data and is governed by Shopify’s Protected Customer Data requirements. We process this data only to perform the syncs you configure, minimize what we retain, and apply the safeguards described here. You remain responsible for using such data in compliance with applicable law and with Shopify’s requirements.

10. Cookies

This public website uses only what is necessary to serve the pages; it does not run third-party advertising trackers. The embedded Shopify app authenticates with Shopify session tokens rather than third-party cookies.

11. Children

Baseify is a business tool and is not directed to children. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Effective” date above and, where appropriate, by notice within the app.

13. Contact

For privacy questions, data requests, or to request our current subprocessor list, contact Rush Commerce at tommy@tommyrush.dev. This policy is governed by the laws of the State of New York, United States.