Privacy Policy

Effective date: April 14, 2026  ·  Last updated: April 14, 2026

This Privacy Policy explains how Hollis Technologies, Inc. (“Hollis Technologies,” “we,” “us,” or “our”) collects, uses, stores, and shares information when you use our applications, websites, and services. It applies to all products we develop and distribute, including apps available on the Shopify App Store.

1. Who We Are

Hollis Technologies, Inc. is a software company that builds applications for e-commerce merchants, including apps distributed through the Shopify App Store. Our registered contact email is privacy@hollistechnologies.com.

We act as a data processor on behalf of merchants who install our apps (our customers), and as a data controller for information we collect directly through our websites and support channels.

2. Applications Covered by This Policy

This policy covers all current and future Hollis Technologies applications, including but not limited to:

  • PO Flow — Purchase order management for Shopify merchants
  • Hollis AI — AI assistant for Hollis Technologies apps
  • Any other applications we may release in the future

Each application may collect different categories of data depending on its functionality. App-specific data practices are described in Section 4 below.

3. Information We Collect

3.1 Information from Merchants (App Users)

When a merchant installs one of our Shopify apps, we receive access to certain data from their Shopify store as authorised by the permissions granted during installation. This may include:

  • Store information — store name, domain, email address, country, currency, and timezone
  • Products and inventory — product names, variants, SKUs, prices, inventory levels, and locations
  • Orders — order numbers, line items, fulfilment status, and totals (not customer payment information)
  • Billing information — subscription plan details managed through Shopify Billing (we do not store payment card details)

We only request the minimum permissions necessary for each application to function. We do not request access to customer personal information, payment details, or other sensitive data unless it is strictly required for core app functionality.

3.2 Information You Provide Directly

We collect information you provide when you:

  • Contact our support team through in-app forms or email
  • Submit feedback, bug reports, or feature requests
  • Connect third-party services (such as QuickBooks Online or Slack) to our apps
  • Create supplier, product, or operational records within our apps

3.3 Information Collected Automatically

When you use our apps or visit our websites, we may automatically collect:

  • Usage data — pages visited, features used, actions taken, and session duration
  • Technical data — browser type, operating system, IP address, and device identifiers
  • Error logs — crash reports and error data used to diagnose and fix issues

3.4 Information from Third-Party Integrations

When you connect our apps to third-party services, we receive data from those services as authorised by you. For example:

  • QuickBooks Online — vendor records, account IDs, and sync tokens necessary to create and update purchase orders and bills
  • Slack — workspace name, bot token, and channel information necessary to deliver notifications

We store only the minimum data required from each third-party integration to provide the connected functionality.

4. App-Specific Data Practices

PO Flow

Data TypePurposeRetention
Purchase orders and line itemsCore app functionality — creating, tracking, and receiving purchase ordersRetained while the app is installed; deleted within 30 days of shop data redact request
Supplier recordsSupplier management and PO associationSame as above
Receipt and activity logsAudit trail and inventory trackingSame as above
QuickBooks tokensOAuth tokens to sync POs to QuickBooks OnlineDeleted on disconnection or shop redact
Slack tokensBot token to deliver Slack notifications via Hollis AIDeleted on disconnection or shop redact
Shop settings and preferencesStoring user configuration such as PO number format, email settings, and approval rulesSame as above

Hollis AI

Data TypePurposeRetention
Shop domain and merchant contextIdentifying which merchant is using the AI assistant and providing relevant responsesRetained while the service is active
Conversation historyProviding context for multi-turn AI conversationsSession-based; not stored long-term
Slack installation dataDelivering notifications and enabling two-way Slack communicationDeleted on disconnection

5. How We Use Information

We use the information we collect to:

  • Provide, operate, and improve our applications and services
  • Process and fulfil subscription billing through Shopify Billing
  • Respond to support requests and communicate about your account
  • Sync data with third-party services you have connected (QuickBooks, Slack, etc.)
  • Monitor app performance, diagnose errors, and fix bugs
  • Comply with legal obligations and enforce our terms
  • Protect the security and integrity of our systems

We do not sell your data. We do not use merchant or customer data for advertising purposes. We do not share data with third parties except as described in Section 6.

6. How We Share Information

We may share information with:

  • Service providers — companies that help us operate our services, including hosting providers (Railway), database services, email delivery services (Resend), and analytics tools. These providers are bound by data processing agreements and may only use data to provide services to us.
  • Third-party integrations — when you connect your account to services like QuickBooks Online or Slack, we share the minimum data necessary to provide the integration. Your use of those services is governed by their own privacy policies.
  • Shopify — as a Shopify app developer, we operate within Shopify's platform and are subject to Shopify's Partner Program Agreement. Shopify may have access to data about app installations and usage as described in Shopify's Privacy Policy.
  • Legal requirements — we may disclose information if required by law, court order, or to protect the rights, safety, or property of Hollis Technologies, our customers, or others.
  • Business transfers — if Hollis Technologies is acquired, merges with another company, or transfers assets, your information may be transferred as part of that transaction. We will notify affected users before data is transferred and subject to a different privacy policy.

7. GDPR — Rights of EEA, UK, and Swiss Users

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and applicable local laws:

  • Right of access — you have the right to request a copy of the personal data we hold about you
  • Right to rectification — you have the right to request correction of inaccurate or incomplete data
  • Right to erasure — you have the right to request deletion of your personal data in certain circumstances
  • Right to restriction — you have the right to request that we restrict processing of your data in certain circumstances
  • Right to data portability — you have the right to receive your data in a structured, machine-readable format
  • Right to object — you have the right to object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, you have the right to withdraw it at any time

To exercise any of these rights, contact us at privacy@hollistechnologies.com. We will respond within 30 days.

Our legal basis for processing personal data includes: performance of a contract (providing the services you have subscribed to), legitimate interests (operating and improving our services), and compliance with legal obligations.

8. CCPA / CPRA — Rights of California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights regarding your personal information:

  • Right to know — you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to delete — you have the right to request deletion of personal information we have collected, subject to certain exceptions
  • Right to correct — you have the right to request correction of inaccurate personal information
  • Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, contact us at privacy@hollistechnologies.com or use the contact details in Section 13.

9. US State Privacy Laws

In addition to California, residents of the following states have privacy rights under applicable state laws: Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Indiana, Kentucky, Rhode Island, and other states with enacted privacy legislation. These laws generally provide rights similar to those described above, including rights of access, correction, deletion, and opting out of certain data uses. To exercise these rights, please contact us using the details in Section 13.

10. Shopify Compliance Webhooks

All of our Shopify apps implement the mandatory compliance webhooks required by Shopify:

  • customers/data_request — upon receiving a request from a merchant on behalf of a customer, we will provide a report of any customer data we hold within 30 days
  • customers/redact — upon receiving a redact request, we will delete any personal data associated with the specified customer within 30 days
  • shop/redact — upon receiving a shop redact request (typically 48 hours after app uninstallation), we will delete all data associated with the merchant's store from our systems within 30 days

11. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption of data in transit using TLS/HTTPS
  • Encryption of sensitive data at rest (OAuth tokens, API keys)
  • Access controls limiting who can access production data
  • Regular security reviews and dependency updates
  • Secure hosting infrastructure with automatic backups

No method of transmission or storage is 100% secure. If you believe your data has been compromised, please contact us immediately at security@hollistechnologies.com.

12. Data Retention

We retain data for as long as necessary to provide our services and comply with legal obligations:

  • App data — retained while your app subscription is active. Deleted within 30 days of a shop redact webhook or written deletion request.
  • Support communications — retained for up to 2 years to provide continuity of support
  • Billing records — retained for 7 years as required by financial regulations
  • Security logs — retained for up to 90 days
  • Third-party integration tokens — deleted immediately upon disconnection of the integration or shop redact

13. Cookies and Tracking

Our Shopify apps run within the Shopify Admin interface as embedded apps and do not independently set cookies in your browser beyond those required by Shopify's App Bridge for authentication. Our public websites at hollistechnologies.com may use cookies for analytics and session management. You can control cookie preferences through your browser settings.

14. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

15. International Data Transfers

Hollis Technologies is based in the United States. If you are located outside the United States, your data may be transferred to and processed in the United States, where data protection laws may differ from those in your country. Where required by applicable law (such as GDPR), we ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where applicable.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify affected users by email or through in-app notification. Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.

17. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

We aim to respond to all privacy-related inquiries within 5 business days and will fulfil any legally required requests within 30 days.