Soryk
Privacy Policy
Last updated: 25 June 2026
1. Who we are
Soryk is a Shopify application that helps B2B merchants manage their field sales agents and wholesale buyers. The application is operated by Soryk (the “Company”, “we”, “us”). This Privacy Policy explains how we handle personal data when you install our Shopify app, when an agent uses the Soryk mobile app, or when a wholesale buyer interacts with a merchant through Soryk.
2. Our role under the GDPR
For all merchant, agent, customer and order data, the Shopify merchant who installs Soryk is the data controller. Soryk acts as a data processor on the merchant's behalf, strictly to provide the contracted service. The merchant's existing Data Processing Addendum with Shopify continues to govern the underlying records.
3. What data we process — and where it lives
Soryk is designed to be Shopify-native: the source of truth for every business record (agents, companies, orders, draft orders, quotes, visit reports, configuration) is a Shopify customer, order, draft order or app-owned metaobject on the merchant's own Shopify store. Soryk reads and writes these records on demand through Shopify's Admin API. The categories of data we handle include:
- Agent identity (email, name, locale, role, push-notification preferences) — stored as Soryk-owned metaobjects on the merchant's Shopify store.
- Wholesale buyer / company contacts — stored on the merchant's Shopify Companies records, read by Soryk to populate draft orders.
- Orders, draft orders, quotes, visit reports — stored as native Shopify objects or app-owned metaobjects on the merchant's store.
- Push-notification subscription endpoints — stored inside the relevant agent metaobject so that push messages can be delivered to the agent's device. The endpoint is removed when the agent disables notifications, signs out, or is deleted.
- Operational keys held briefly in our key-value cache (see section 4) — the encrypted Shopify offline access token per shop, short-TTL idempotency keys for agent-side mutations, and short-TTL anonymous analytics caches keyed on shop domain.
4. Data retention
Soryk's own infrastructure holds only operational data, with the following retention model: (a) the encrypted Shopify offline access token per installed shop persists for the lifetime of the installation and is deleted when the merchant uninstalls the app; (b) idempotency keys for agent-side mutations carry a 48-hour TTL and expire automatically; (c) analytics response caches carry a 60-second TTL on live-period queries and a 5-minute TTL on past custom-range queries. We do not retain personal data of agents, buyers or end customers beyond the duration needed to serve a request; the durable record always lives on the merchant's Shopify store. When the merchant uninstalls the app, every Soryk-owned metaobject on the merchant's store is deleted as part of the uninstall handler, and the offline access token is purged from our cache. The Shopify-mandated `shop/redact` webhook (which fires 48 hours after uninstall) re-confirms this cleanup.
5. Authentication tokens
To keep agents and buyers signed in across sessions, Soryk issues short-lived authentication tokens (JWTs). These tokens are stored on the user's device (in the mobile app's secure storage, or in an HttpOnly cookie on the web) and are never persisted on Soryk infrastructure beyond the duration of an HTTP request. The token contains only the user's identifier and expiry, no personal information. One-time login codes (OTPs) and magic-link tokens are likewise stateless JWTs: the verifier proof is contained within the token itself, with a short expiry, and nothing is written to a server-side database.
6. Sub-processors
Soryk relies on the following sub-processors to deliver the service. A full and current list is also available at /subprocessors.
- Shopify (Shopify International Limited, Ireland) — primary data store for all merchant, agent, buyer and order records.
- Vercel Inc. (United States, EU edge presence) — hosting and global edge delivery of the Soryk web surfaces and the API consumed by the mobile app. Vercel sees HTTP traffic in transit but does not retain Soryk-managed records.
- Upstash Inc. (serverless Redis, EU region) — short-lived key-value cache used for the encrypted Shopify offline access token per shop, idempotency keys for agent-side mutations (48h TTL), and analytics response caches (60s–5min TTL). Upstash never receives end-customer personal data.
- Resend Inc. (United States) — transactional email delivery for one-time login codes, magic-link invitations, quote share emails and order confirmations. Resend receives the recipient email address and message body for the time needed to deliver the message.
- Google Maps Platform — Places Autocomplete API used by the “suggest a new company” and “suggest a new location” flows in the agent app. The address fragment typed by the agent is sent to Google for autocomplete; no end-customer record is sent.
- Web Push services — to deliver browser/mobile push notifications to agents, Soryk relies on the push services operated by the user's browser/OS vendor (Apple Push Notification service, Mozilla Autopush for Firefox, Google Firebase Cloud Messaging, depending on the device). Only the encrypted notification payload and the push subscription endpoint are exchanged with these services.
- Sentry (Functional Software, Inc.) — error and performance monitoring. Sentry is configured with PII scrubbing (email and phone-number patterns are replaced before any event leaves the device or server) and Session Replay is force-disabled.
7. Communications
Soryk sends only transactional emails (one-time login codes, order confirmations, quote share notifications). We do not send marketing emails from the Soryk app and we do not use the contacts on a merchant's store for any purpose beyond delivering those transactional messages on the merchant's behalf.
8. Cookies
The Soryk marketing website (soryk.co) uses only essential cookies required to keep a session alive when previewing the app. We do not use third-party advertising cookies and we do not run analytics that profile individual visitors. The Soryk mobile app does not use cookies at all — authentication is handled via the secure-storage mechanism described above.
9. Your rights and how to exercise them
If you are an agent, buyer or end customer of a merchant who uses Soryk, the merchant is the controller for your data and is the primary point of contact for access, rectification, erasure, restriction, portability and objection requests under the GDPR. Because Soryk does not retain your personal data, deletion typically requires action by the merchant on their Shopify store. You can also contact Soryk to assist with such a request at info@soryk.co.
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to the service or to legal requirements. The effective date at the top of this page indicates when the latest version was published. Material changes will be communicated to merchants in-app before they take effect.