Listable by SUPERCOM

Privacy Policy

Effective date: 2 March 2026  ·  Last updated: 2 March 2026

1. Introduction

Welcome to Listable ("the App"), a Shopify application developed and operated by SUPERCOM ("we", "us", or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you install or use Listable through the Shopify platform.

By installing or using Listable, you agree to the collection and use of information in accordance with this policy. If you do not agree, please uninstall the App and cease use immediately.

This policy applies to two audiences: merchants (Shopify store owners and their staff who install and use the App) and end-users (customers of those merchants whose data may be processed by the App).

2. Information We Collect

2.1 Merchant Information

When you install Listable, we receive and store information from Shopify, including:

  • Store URL and myshopify domain
  • Store owner name and email address
  • Store locale, currency, and timezone
  • Shopify plan type
  • Access tokens granted to us via the Shopify OAuth installation flow

2.2 Customer & End-User Data

Depending on the features you use within Listable, we may access or process the following data about your store's customers via the Shopify API:

  • Customer names, email addresses, and phone numbers
  • Shipping and billing addresses
  • Order history and product preferences
  • Any customer-facing data relevant to the App's functionality

This data is accessed solely to provide the features you have enabled within the App.

2.3 Usage & Log Data

We automatically collect certain technical information when you use the App, including:

  • IP addresses and browser/device information
  • Pages viewed within the App and interaction timestamps
  • Error logs and performance metrics

This data is used to maintain and improve the App and is not linked to individual end-user identities.

3. Shopify API & Scope Disclosures

Listable requests the minimum Shopify API permission scopes necessary to deliver its features. Below is a summary of the scopes requested and why each is needed:

  • read_products / write_products — to read and manage product listings in accordance with the App's core listing functionality.
  • read_orders — to display order-related data where required by App features.
  • read_customers — to associate customer data with relevant App workflows where enabled by the merchant.

We will never request scopes beyond what is necessary. If scope requirements change with new features, we will update this policy and notify merchants accordingly.

4. How We Use Information

We use the information we collect to:

  • Provide, operate, maintain, and improve the Listable App and related services
  • Process and fulfil your requests for features within the App
  • Send transactional communications (e.g. billing notifications, critical service updates)
  • Monitor and analyse usage patterns to improve user experience
  • Detect, investigate, and prevent fraudulent or illegal activity
  • Comply with applicable legal obligations

We do not use merchant or customer data to send unsolicited marketing communications without your explicit consent.

5. Information Sharing & Disclosure

We do not sell your personal data or your customers' personal data to third parties. We may share information in the following limited circumstances:

  • Service providers: Trusted third-party vendors who assist us in operating the App (e.g. hosting providers, analytics platforms, error tracking services). These parties are bound by confidentiality obligations and may only process data as directed by us.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
  • Legal requirements: We may disclose data where required to comply with applicable law, regulation, legal process, or enforceable governmental requests.
  • Protection of rights: We may disclose data to enforce our Terms of Service or to protect the rights, property, or safety of SUPERCOM, our merchants, or others.

6. Data Retention & Deletion

We retain merchant data for as long as your App subscription is active or as needed to provide the services. Upon uninstalling Listable from your Shopify store, we will delete or anonymise all associated merchant and customer data within 30 days, unless we are required to retain it for legal or compliance purposes.

Shopify Mandatory GDPR Webhooks

In compliance with Shopify's GDPR requirements, Listable implements the following mandatory webhook endpoints:

  • customers/data_request — When a merchant submits a customer data request, we will provide a copy of all personal data we hold for that customer within 30 days.
  • customers/redact — When a merchant or customer requests erasure of customer data, we will delete all associated personal data from our systems within 30 days.
  • shop/redact — When a merchant uninstalls the App and requests store data deletion, we will permanently delete all store and customer data associated with that shop within 30 days.

7. GDPR — Rights of EU/EEA Data Subjects

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Request correction of inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten") — Request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to data portability — Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to restriction — Request that we restrict the processing of your personal data in certain circumstances.
  • Right to object — Object to processing based on legitimate interests or for direct marketing purposes.

Our legal basis for processing merchant personal data is the performance of a contract (Art. 6(1)(b) GDPR). For end-user data processed on behalf of merchants, we act as a data processor and the merchant acts as data controller.

To exercise any of these rights, contact us at support@listable.dev.

8. CCPA / CPRA — California Residents

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know — Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to delete — Request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to opt-out of sale or sharing — We do not sell or share personal information for cross-context behavioural advertising.
  • Right to non-discrimination — We will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a request, please email support@listable.dev.

9. Data Security

We implement industry-standard technical and organisational security measures to protect your data, including:

  • TLS/SSL encryption for all data in transit
  • Encryption of data at rest
  • Strict access controls and least-privilege access for our team
  • Regular security reviews and vulnerability assessments

While we take every reasonable precaution, no method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach that affects your rights and freedoms, we will notify affected parties as required by applicable law.

10. Cookies & Tracking Technologies

Listable operates primarily within the Shopify Admin and uses Shopify's session tokens (via Shopify App Bridge) for authentication rather than traditional browser cookies. We may use minimal analytics or error-tracking scripts that set cookies to help us understand usage and fix issues. We do not use cookies for advertising purposes.

11. Children's Privacy

Listable is not directed at or intended for use by children under the age of 13. We do not knowingly collect personal information from children. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete it promptly. If you are a parent or guardian and believe your child has provided data to us, please contact us at support@listable.dev.

12. International Data Transfers

SUPERCOM operates from and stores data on servers that may be located outside your country of residence, including in the United States. If you are located in the European Union or another jurisdiction with data transfer restrictions, we ensure appropriate safeguards are in place for cross-border transfers, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

13. Exercising Your Rights

To submit a data access, rectification, deletion, or portability request, you can do this by simply uninstalling the app, as we comply with Shopify's data protection requirements. Alternatively, please email us at support@listable.dev with the subject line "Privacy Request" and include your Shopify store URL and a description of your request. We will respond within 30 days of receiving a verifiable request.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify merchants via email or an in-app notification. We encourage you to review this policy periodically.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We are committed to working with you to resolve any complaints or concerns about your privacy in a fair and timely manner.