Last Updated
Feb 25, 2026
Browse Legal pages
PuppetVendors ("the App", "we", "us", or "our") provides multi-vendor marketplace management, vendor commissions and payouts, consignment management, and e-commerce related reporting ("the Service") to business owners ("Merchants", "you", or "your") who use Shopify to power their online stores. This Privacy Policy describes how personal information is collected, used, stored, shared, and protected when you install or use the App in connection with your Shopify-supported store.
This Privacy Policy applies to information we collect through the Shopify APIs, directly from Merchants, from Merchants' vendors and sellers, and through our website at puppetvendors.com. By installing or using the App, you agree to the practices described in this Privacy Policy.
PuppetVendors operates as a data processor on behalf of the Merchant (data controller) with respect to end-customer and vendor personal data processed through the Service. For data collected directly from Merchants (such as account and billing information), PuppetVendors acts as a data controller.
1. Information We Collect
1.1 Information Collected Through Shopify APIs
When you install the App, we access certain information from your Shopify account through Shopify's APIs. The specific data accessed depends on the API scopes you authorize during installation:
Store Information:
Store name, domain, and store ID
Contact information (email address and phone number)
Store currency, timezone, and locale settings
Shopify plan information
Order Data (read_orders, write_orders, read_all_orders, read_draft_orders, write_draft_orders):
Order details including order number, line items, quantities, prices, and discounts
Customer shipping and billing information associated with orders
Order fulfillment status and tracking information
Historical order data for commission and payout calculations
Draft order creation and management for vendor-initiated orders
Product Data (read_products, write_products):
Product titles, descriptions, images, variants, and pricing
Product collections and tags
Vendor-assigned product information
Product creation and updates on behalf of vendors
Inventory Data (read_inventory, write_inventory, read_locations):
Inventory levels and locations
Cost-per-item values used for profit calculations
Inventory adjustments and stock management across locations
Fulfillment Data (read_fulfillments, write_fulfillments, read_assigned_fulfillment_orders, write_assigned_fulfillment_orders, read_merchant_managed_fulfillment_orders, write_merchant_managed_fulfillment_orders, read_third_party_fulfillment_orders, write_third_party_fulfillment_orders):
Fulfillment status and tracking information
Fulfillment order assignments and routing
Vendor fulfillment workflows including merchant-managed, assigned, and third-party fulfillment orders
Shipping Data (read_shipping, write_shipping):
Shipping rates, zones, and carrier configurations
Shipping label and tracking information
Theme and Publication Data (write_themes, write_files, read_publications, write_publications):
Theme modifications for app integration (e.g., embedding vendor-facing components)
File uploads for vendor product images and assets
Publication channel management for vendor product visibility
Script Tags (read_script_tags, write_script_tags):
Script tag installation for app functionality within the storefront
Additional scopes may be requested as the Service evolves to support new features. You will be notified of any new scope requests through Shopify's standard authorization flow.
For a complete reference on Shopify API scopes, visit: https://shopify.dev/docs/api/usage/access-scopes
1.2 Information Collected Directly from Merchants
Account registration information (name, email address, business name)
Communication preferences
Support inquiries and correspondence
Feature requests and feedback
1.3 Information Collected from Vendors and Sellers
When Merchants invite vendors or sellers to use the Service, we collect:
Vendor name, email address, and contact information
Vendor business information and tax identifiers (if provided by the Merchant)
Payout and payment information as configured by the Merchant
Vendor product and sales data within the platform
Merchants are responsible for ensuring they have the appropriate legal basis and consent to share vendor information with PuppetVendors for processing through the Service.
1.4 Information Collected Automatically
When you access the App or our website, we may automatically collect:
Log data: IP address, browser type and version, operating system, referring/exit pages, date/time stamps, and clickstream data
Device data: Device type, screen resolution, and unique device identifiers
Usage data: Features accessed, actions taken within the App, session duration, and interaction patterns
Cookies and similar technologies: We use cookies, web beacons, and pixels to maintain session state, remember preferences, and analyze usage patterns. See Section 8 (Cookies) for details.
2. How We Use Your Information
We use the information we collect for the following purposes:
To provide and operate the Service:
Processing vendor commissions and payout calculations
Synchronizing products, orders, and inventory between your Shopify store and the vendor portal
Generating sales reports and analytics
Managing vendor accounts and permissions
To maintain and improve the Service:
Monitoring performance and diagnosing technical issues
Developing new features and functionality
Analyzing usage patterns to improve user experience
Conducting aggregated and anonymized analytics
To communicate with you:
Sending transactional notifications related to your account and the Service
Providing customer support
Sending product updates, feature announcements, and service-related notices
Sending marketing communications (only with your consent, and you may opt out at any time)
To ensure security and compliance:
Detecting and preventing fraud, abuse, and security incidents
Enforcing our Terms of Service
Complying with legal obligations and responding to lawful requests
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
Contract performance: Processing necessary to provide the Service you have requested, including order processing, commission calculations, and vendor management.
Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and communicating service updates, where these interests are not overridden by your rights.
Consent: Where we rely on your consent for processing (such as marketing communications), you may withdraw consent at any time by contacting us at support@puppetvendors.com or using the unsubscribe mechanism in our communications.
Legal obligation: Processing necessary to comply with applicable laws and regulations.
4. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following circumstances:
4.1 Service Providers and Sub-Processors
We share information with third-party service providers who assist us in operating the Service. These providers are contractually bound to use your data only for the purposes of providing services to us and are subject to confidentiality and data protection obligations. Current service providers include:
DigitalOcean - Application hosting (United States/Global)
Amazon Web Services (AWS) - File storage and CDN (United States/Global)
MongoDB Atlas - Database management (United States/Global)
We may add, replace, or change service providers at any time to improve the Service. We will update this list accordingly and provide notice as described in our Terms of Service.
4.2 Shopify
The App operates on the Shopify platform. Shopify may collect and process Merchant Data in accordance with the Shopify Terms of Service and Shopify Privacy Policy. PuppetVendors does not control Shopify's data practices.
4.3 Legal Requirements
We may disclose your information if required to do so by law or in good faith belief that such disclosure is necessary to:
Comply with applicable laws, regulations, or legal process
Respond to a subpoena, court order, or other lawful government request
Protect and defend the rights, property, or safety of PuppetVendors, our users, or the public
Enforce our Terms of Service
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice within the App before your information becomes subject to a different privacy policy.
4.5 Aggregated and Anonymized Data
We may share aggregated or anonymized data that cannot reasonably be used to identify you. This data may be used for industry analysis, benchmarking, and improving the Service.
5. International Data Transfers
Your information may be transferred to and processed in countries other than the country in which you reside, including Singapore, the United States, and other jurisdictions where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.
If you are located in the EEA, United Kingdom, or Switzerland, we ensure that international transfers of personal data are protected by appropriate safeguards, including:
Standard Contractual Clauses (SCCs) approved by the European Commission
Transfers to countries recognized as providing adequate data protection
Other legally recognized transfer mechanisms
By using the Service, you acknowledge and consent to the transfer of your information to these jurisdictions.
6. Data Retention
We retain your information for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:
Merchant account data: Retained for the duration of your use of the Service. Upon uninstallation of the App, account data is deleted within thirty (30) days, unless retention is required by law.
Order and transaction data: Retained for the duration of your use of the Service and deleted within thirty (30) days of App uninstallation, unless retention is required for legal, tax, or compliance purposes.
Vendor data: Retained for the duration of the Merchant's use of the Service. Deleted within thirty (30) days of App uninstallation.
Log and usage data: Retained for up to twelve (12) months for analytics and security purposes.
Aggregated and anonymized data: May be retained indefinitely as it cannot be used to identify any individual.
When data is deleted, we use commercially reasonable methods to remove it from our active systems. Residual copies may exist in backup systems for a limited period before being overwritten.
7. Data Security
We implement commercially reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
Encryption of data in transit (TLS/SSL) and at rest
Access controls and authentication requirements
Regular security assessments and monitoring
Incident response procedures
However, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you acknowledge and accept the inherent risks of transmitting data over the internet. PuppetVendors shall not be liable for any unauthorized access, data breach, or security incident that occurs despite our commercially reasonable security measures.
8. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
Essential cookies: Required for the App to function properly, including session management and authentication. These cannot be disabled.
Analytics cookies: Used to understand how you interact with the App, which features are most used, and to identify performance issues. These help us improve the Service.
Preference cookies: Used to remember your settings and preferences within the App.
We do not use advertising or tracking cookies within the App. We do not track Merchants' end customers or use their data for advertising purposes.
You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the App. For more information about cookies, visit http://www.allaboutcookies.org.
9. Your Privacy Rights
9.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:
Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete personal data.
Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
Right to restriction: Request restriction of processing of your personal data.
Right to data portability: Request a copy of your personal data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent: Where processing is based on consent, withdraw consent at any time.
Right to lodge a complaint: File a complaint with your local supervisory authority.
9.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to know: Request information about the categories and specific pieces of personal information we have collected about you.
Right to delete: Request deletion of your personal information.
Right to opt out of sale: We do not sell your personal information. If this changes, we will provide an opt-out mechanism.
Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
9.3 Rights Under Other US State Privacy Laws
Residents of Virginia, Colorado, Connecticut, Utah, and other states with applicable consumer privacy laws may have similar rights to access, delete, correct, and opt out of certain processing of their personal data. To exercise these rights, contact us using the information in Section 13.
9.4 Rights Under Singapore PDPA
If you are located in Singapore, you have rights under the Personal Data Protection Act (PDPA), including the right to access and correct your personal data, and to withdraw consent for the collection, use, or disclosure of your personal data.
9.5 Exercising Your Rights
To exercise any of these rights, please contact us at support@puppetvendors.com. We will respond to verified requests within the timeframes required by applicable law (generally within 30 days for GDPR and 45 days for CCPA).
For requests related to end-customer personal data processed on behalf of Merchants, please direct your request to the relevant Merchant. As a data processor, PuppetVendors processes this data under the Merchant's instructions and will assist the Merchant in fulfilling such requests.
10. Shopify Data Compliance
PuppetVendors complies with Shopify's mandatory privacy requirements, including:
Customer data request webhook: When a Merchant's customer requests their data, we process the request and provide the relevant data we hold.
Customer data erasure webhook: When a Merchant's customer requests erasure of their data, we delete the relevant personal data from our systems.
Shop data erasure webhook: When a Merchant uninstalls the App and requests erasure, we delete all shop data within thirty (30) days.
These compliance mechanisms are implemented in accordance with Shopify's Partner Program Agreement and API Terms of Use.
11. Children's Privacy
The Service is not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at support@puppetvendors.com.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, the Service, or applicable laws. We will update the "Last updated" date at the top of this Privacy Policy. For material changes, we will make reasonable efforts to notify you via email or through the App. Continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us:
PuppetVendors Operated by Panther Commerce Pte. Ltd.
Email: support@puppetvendors.com Website: https://www.puppetvendors.com
For GDPR-related inquiries, you may also contact our data protection team at support@puppetvendors.com.
14. Limitation of Liability
PuppetVendors shall not be liable for any damages, losses, or claims arising from:
The processing of personal data by Merchants or their vendors in violation of applicable data protection laws.
The accuracy, completeness, or legality of data provided by Merchants or their vendors.
Data breaches or security incidents at third-party service providers, including Shopify, DigitalOcean, AWS, or MongoDB Atlas.
Merchants' failure to comply with their obligations as data controllers, including obtaining necessary consents and fulfilling data subject requests.
Any unauthorized access to or loss of data that occurs despite PuppetVendors's commercially reasonable security measures.
Merchants are solely responsible for ensuring their use of the Service, including the collection and processing of vendor and end-customer data, complies with all applicable data protection laws in their jurisdiction.
Browse Legal pages
