Privacy Policy
Effective date: 19 May 2026. Last updated: 20 May 2026.
This Privacy Policy explains how TCGSync ("TCGSync", "we", "our", or "us") collects, uses, stores, and discloses personal data when a Shopify merchant installs or uses the TCGSYNC2 Shopify application (the "App") and the associated TCGSync web platform at https://tcgsync.com and https://enterprise.tcgsync.com (together, the "Service").
1. Who We Are
TCGSync provides inventory, order management, and synchronisation software for trading-card retailers. The App connects a merchant's Shopify store to their TCGSync workspace so that products, inventory, orders, customers, locations, and fulfilment data can remain in sync.
TCGSync is a UK-based business operating from the following business address:
TCGSync
13 West Street
Barnsley, South Yorkshire
United Kingdom, S70 5PF
For privacy questions, data subject requests, or data processing questions, contact privacy@tcgsync.com.
2. Our Data Protection Roles
For personal data belonging to a merchant's customers, we normally act as a data processor acting on the merchant's instructions. The merchant is the controller of that customer data. For personal data belonging to the merchant or their staff, such as account and support contact details, we act as a controller.
3. Data We Collect From Shopify
When a merchant installs the App and grants Shopify access scopes, we may receive Shopify API data and Shopify webhook payloads that are needed to provide the sync service. This can include Shopify shop identifiers, product and inventory identifiers, order identifiers, customer identifiers, order line items, prices, tax and fulfilment status, payment status, shipping and billing addresses, and customer contact details such as name, email address, and phone number.
We only request protected customer data and protected customer fields where they are needed for the App's functionality and where the merchant has approved the relevant Shopify access scopes. The App does not collect payment card numbers, CVVs, government identifiers, health, biometric, or special-category data from Shopify.
4. Data We Collect From Merchants
We collect merchant account data needed to operate the Service, including the Shopify shop domain, Shopify-issued OAuth access tokens and scopes, TCGSync account email address, TCGSync user ID, account settings, support communications, and webhook delivery audit records such as timestamp, topic, webhook ID, and success or failure status.
Server logs may include IP address, user agent, request path, and response code. We keep these logs for security, abuse prevention, and debugging.
5. How We Use Data
We use personal data only for the following purposes:
- Providing the App and Service to the merchant.
- Forwarding and processing verified Shopify events in TCGSync.
- Matching Shopify customers, orders, products, locations, and inventory to TCGSync records.
- Deduplicating, retrying, debugging, and auditing webhook deliveries.
- Securing the Service, preventing abuse, and investigating incidents.
- Complying with legal obligations and lawful requests.
We do not sell, rent, or trade personal data. We do not use merchant customer data for advertising, profiling, unrelated analytics, or training machine-learning models. The App does not place tracking cookies or tracking pixels on a merchant's storefront.
6. Legal Bases
For merchant account data, we process data where necessary to perform our contract with the merchant, to comply with legal obligations, and for our legitimate interests in securing, operating, and improving the Service. For customer personal data processed through Shopify on behalf of a merchant, the merchant determines the lawful basis and we process that data as processor under the merchant's instructions.
7. Service Providers And Sharing
We share personal data only where necessary to provide and secure the Service. Our main infrastructure and platform providers include MongoDB Atlas for database hosting, Cloudflare for edge security and DDoS protection, Hostinger for application hosting, and Shopify as the platform that sends and receives Shopify app data. We require service providers to protect personal data using appropriate contractual, technical, and organisational safeguards.
We may also disclose data where required by law, regulation, court order, or a lawful request from a supervisory authority.
8. Retention And Shopify Privacy Webhooks
We keep personal data only for as long as needed to provide the Service, meet legal obligations, resolve disputes, and maintain security records. Current retention periods are: server logs for 30 days; webhook idempotency records for 30 days; OAuth tokens and shop-to-TCGSync link records until the App is uninstalled or the link is revoked; install, uninstall, and scope-change audit records for up to 12 months; and synced customer or order records for the lifetime of the merchant's TCGSync account unless deleted earlier under a Shopify privacy request, merchant instruction, or account closure.
Shopify requires apps to respond to the mandatory privacy webhooks customers/data_request, customers/redact, and shop/redact. When we receive a valid Shopify privacy webhook, we locate the relevant Shopify shop or customer data and provide, delete, or redact the data as required. When a merchant uninstalls the App, we revoke the Shopify connection, remove active Shopify session data, mark the shop as uninstalled, and delete or redact Shopify-originating data after the relevant Shopify privacy webhook or merchant instruction.
9. Security
We use technical and organisational safeguards designed to protect personal data, including TLS for data in transit, database encryption at rest, encrypted backups where available from our infrastructure providers, HMAC verification for Shopify webhooks, OAuth-based authentication, environment-variable secret storage, restricted production access, multi-factor authentication for privileged access, logging of security-relevant events, and Cloudflare network protections.
If we become aware of a personal-data breach affecting a merchant or their customers, we will notify the affected merchant without undue delay and, where legally required, notify the relevant supervisory authority.
10. Data Subject Rights
Depending on where you are located, you may have rights to access, correct, erase, restrict, object to, or receive a portable copy of your personal data. You may also have the right to complain to the UK Information Commissioner's Office at https://ico.org.uk or to your local supervisory authority.
If you are a customer of a Shopify merchant, please send your request to the merchant first because the merchant controls your customer data. We will assist the merchant in responding to valid requests.
11. Merchant Responsibilities
Merchants are responsible for ensuring that they have a lawful basis to process customer personal data and to connect Shopify with TCGSync. Merchants are also responsible for publishing any privacy disclosures required on their storefronts and for configuring the App only for lawful business purposes. Our Data Processing Addendum applies where we process customer personal data on behalf of a merchant and is available from dpa@tcgsync.com.
12. International Transfers
We aim to keep primary application data in the UK or EEA where practical. Some providers, such as Cloudflare and Shopify, may process data using global infrastructure. Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards such as data processing agreements, the UK International Data Transfer Agreement, the UK Addendum, and/or EU Standard Contractual Clauses where applicable.
13. Children
The Service is intended for business use by merchants and is not directed at children under 16. We do not knowingly collect personal data from children through the Service.
14. Changes
We may update this Privacy Policy from time to time. We will publish updates on this page and change the "Last updated" date above. Material changes will be notified to merchants by email or through the Service where practical.
15. Contact
Privacy: privacy@tcgsync.com
Data Processing Addendum: dpa@tcgsync.com
Business address: TCGSync, 13 West Street, Barnsley, South Yorkshire, United Kingdom, S70 5PF