IntroductionStockpile ("Stockpile", "the app", "we", "us") is a Shopify app developed by 9x9 Digital, a brand of The Desi Co Group Ltd, located at 124 City Road, London, United Kingdom. This policy explains what data the app collects when you install and use it on your Shopify store, how we use and share that data, and the choices you have. By installing Stockpile you agree to this policy. If you do not agree, please do not install or use the app.

1. What the app doesStockpile helps merchants manage purchasing, suppliers and stock — a back-room workspace for inventory and purchase orders. It mirrors your Shopify products, variants, inventory levels, locations and vendors into a single workspace; lets you record the suppliers you buy from and map the products you order from each one; create, send and track purchase orders; book in deliveries (receiving), including partial deliveries with batch references; set minimum and maximum reorder levels and auto-fill purchase orders from them; and writes received stock counts back to your Shopify inventory so your store stays in sync.

2. Information we collectWhen you install and use Stockpile, we collect and process: • Store information — your Shopify store domain, store ID, locations, and basic configuration needed to connect the app. • Staff/user account information — the name and email address of staff members who access the app, provided through our authentication provider (WorkOS). We use this to operate the app, provide support, and secure your account. • Product, inventory and catalog data — product and variant titles, SKUs, barcodes, vendor/brand names, product status, and per-location inventory levels, read from and written to your Shopify store. • Supplier and purchasing data — supplier names and business-contact details (such as a contact name and email address), payment and currency terms, the products you map to each supplier and their costs, and the purchase orders, line items and receiving records (including batch references and received dates) you create in the app. • Usage and log data — actions taken in the app, timestamps, sync and processing logs, and technical/diagnostic information used to operate, debug and improve the service. We do not request Shopify's protected customer data scopes, and we do not access, collect or store your customers' personal data or order records. Stockpile operates on your product, inventory, supplier and purchasing data — not on your store's customer or order records. Some supplier details you enter (for example a supplier contact's name and email) may be personal data relating to your suppliers. You are responsible for ensuring you have a lawful basis to provide this information to us; we process it only to operate the app's purchasing and supplier features on your behalf.

3. How we use informationWe use the information above to: • Provide the app's core functions — inventory mirroring, supplier and cost management, purchase order creation, sending purchase orders to suppliers, receiving deliveries, and minimum/maximum reorder auto-fill. • Keep your inventory in sync with Shopify — reading your catalog and stock levels, and writing received counts back to your store, via Shopify's APIs and webhooks. • Send purchase orders and related notifications to the supplier and recipient email addresses you specify. • Provide customer support and respond to your requests. • Maintain security, prevent abuse, and debug and improve the service. We do not sell your data, and we do not use it for advertising.

4. Third-party service providersTo operate the app we rely on the following infrastructure and platform providers: • Amazon Web Services (AWS) — application hosting and our PostgreSQL database (Amazon RDS), located in the United Kingdom (London region), where your store configuration, inventory mirror, supplier and purchase order data, and app session data are stored. • WorkOS — authentication and identity management (staff name and email, sign-in and session handling). • Postmark — transactional email delivery, used to email purchase orders and related notifications to the supplier and recipient addresses you specify. • Sentry and Axiom — error monitoring and logging, used to operate, debug and secure the service. • Shopify — the platform your store runs on, the source of the catalog and inventory data we mirror, and the destination for the inventory counts we write back. We share data with these providers only as needed to operate the app. We do not authorize them to use your data for their own independent purposes.

5. Data storage & securityYour store configuration, inventory mirror, supplier and purchasing data are stored in our PostgreSQL database hosted on Amazon RDS in the United Kingdom. We apply security best practices, including: • Encryption of data in transit (TLS) and encryption at rest provided by our hosting and storage providers. • Encryption at rest of the Shopify access tokens used to connect to your store. • Multi-tenant isolation enforced at the database level (PostgreSQL row-level security), so one store's data is scoped to that store and not exposed to another. • HMAC verification of all incoming Shopify webhooks. • Storage of API keys and credentials in managed secrets/environment configuration, never in code. • Validation of authenticated sessions on requests to the app. • Logging of actions and errors for operability and debugging. No method of transmission or storage is 100% secure, but we work to protect your information using commercially reasonable safeguards.

6. Data retentionWe retain your data for as long as the app is installed and as needed to provide the service. Staff account information (name and email) is held only as part of your authenticated app session. When you uninstall Stockpile, your app sessions are deleted, which removes this staff account information. If you uninstall Stockpile, we retain the operational business records associated with your store (such as supplier records, purchase orders, receiving history and reorder thresholds) so that your account can be restored if you reinstall, and to meet our legal and record-keeping obligations. When we receive a Shopify shop/redact request (sent by Shopify 48 hours after uninstall), or you ask us to delete your data, we delete the associated data in accordance with that request and applicable law. You can request deletion of your retained data at any time by contacting us at prabhav.pathak@9x9digital.com — see Section 8.

7. Shopify complianceStockpile honors Shopify's mandatory data-protection webhooks. When Shopify notifies us of a data request or erasure obligation (customers/data_request, customers/redact, shop/redact), and when your store uninstalls the app (app/uninstalled), we respond in accordance with those requirements. Because Stockpile does not process your customers' personal data, the customer-data webhooks generally return no customer information.

8. Your rightsDepending on your location (including under the GDPR and UK GDPR), you may have the right to access, correct, export, or delete personal data we hold about you, and to object to or restrict certain processing. To make a request, or for any privacy question, contact: Email: prabhav.pathak@9x9digital.com Postal: The Desi Co Group Ltd, 124 City Road, London, United Kingdom We will respond within the timeframes required by applicable law.

9. International transfersYour data is primarily processed in the United Kingdom and the European Economic Area. Some of the providers listed in Section 4 (for example WorkOS, Postmark, Sentry and Axiom) may process data in the United States or other countries. Where required, we rely on appropriate safeguards for such transfers (such as standard contractual clauses).

10. Children's privacyStockpile is a business tool not directed to children and is not intended for use by anyone under 16. We do not knowingly collect personal data from children.

11. Policy changesWe may update this policy from time to time. We will revise the "Last updated" date above and, where appropriate, notify you within the app. Continued use of Stockpile after changes take effect constitutes acceptance of the updated policy.

12. ContactThe Desi Co Group Ltd (9x9 Digital) 124 City Road, London, United Kingdom prabhav.pathak@9x9digital.com