TimeVault Privacy Policy

Last updated: July 2, 2026

TimeVault is a Shopify app published by Sizzle (“Sizzle,” “we,” “us,” or “our”). This policy explains what information the app accesses, how we store and use it, and the choices you have. It applies to merchants who install TimeVault on their Shopify store.

TimeVault creates daily and on demand backups of a store's core content, such as products, collections, theme code, pages and blogs, and metafields. It stores point in time snapshots so you can restore a prior version. Restores are diff based and do not delete content created after the backup point.

Summary

In short: TimeVault backs up your own store content and nothing about your shoppers. We request no customer or order permissions, so we never access shopper names, emails, addresses, or orders. Your data is stored in the United States, we use only three service providers (Supabase, Netlify, and Shopify), and we run no tracking or advertising cookies. When you uninstall, your stored data is fully deleted about 48 hours later.

Information we access and store

TimeVault is a backup tool, so the data it stores is your own store content, captured so you can restore it later. Specifically:

  • Store content that we back up: products and variants, collections, theme code, pages and blogs, and metafields. This is content you create and control in your Shopify admin. The only field that contains a person's name is the author of a blog post, which is store content you author, not information about a shopper.
  • App metadata that we generate to run the service: version history, backup run records, and billing state.

We store point in time snapshots as content addressed binary blobs keyed by their SHA-256 hash, along with the metadata needed to organize and restore them.

Information we do not collect

TimeVault does not access, process, or store any customer or shopper personal data. The app requests no customer or order permissions from Shopify, so it has no API access to shopper names, email addresses, mailing addresses, payment details, or order records. We do not run analytics or profiling, and we do not sell or share data for advertising.

Shopify permissions we request

TimeVault requests only the permissions it needs to back up and restore your store content. These are limited to merchant content and include no customer or order scopes:

  • read_products and write_products
  • read_content and write_content (pages, blogs, and metafields)
  • read_themes and write_themes

How we use your information

We use the information described above only to provide the TimeVault service: to create backups, to keep version history so you can browse and restore prior snapshots, to perform restores you request, and to manage your subscription and billing status. We do not use your content for any other purpose.

Cookies

TimeVault is a standard embedded Shopify app built with Remix, Polaris, and App Bridge. It sets only the functional session cookies required by Shopify's authentication and embedded app framework. It uses no analytics, advertising, or tracking cookies.

TimeVault adds nothing to your storefront. There is no script tag, web pixel, or theme app extension, and nothing the app installs runs for your end shoppers. The app is used only by you inside the Shopify admin.

Where your data is stored

All persistent data and processing takes place in the United States (AWS US East, us-east-1). We store metadata and version records in a Supabase Postgres database and store content blobs in Supabase Storage. The application and its scheduled and background functions run on Netlify.

Service providers

We keep our list of service providers small. The following third parties process data on our behalf or as part of delivering the service:

  • Supabase: database and object storage, hosting the metadata and the backed up content blobs.
  • Netlify: application hosting and scheduled and background functions.
  • Shopify: the source of your store content and the processor of all billing through the Shopify Billing API.

We use no other subprocessors. There is no separate analytics, error tracking, email, logging, or payment provider. All outbound network requests from the app go only to Shopify or Supabase.

Billing

Billing for TimeVault is handled entirely through Shopify using the Shopify Billing API. We do not use an external payment processor, and we do not receive or store your payment card details.

Data retention and deletion

While TimeVault is installed, it keeps your full backup history. There is no automatic pruning and no age based deletion on any plan. Billing limits may gate new backup runs, but restoring an existing backup is never gated.

When you uninstall the app, your session records are deleted immediately. Backup data is retained briefly so that a quick uninstall followed by a reinstall does not lose your history. Shopify then sends a shop redaction request about 48 hours after uninstall, at which point we permanently erase all stored data for your shop. This deletes your shop record and everything linked to it (backups, versions, billing state, and restore records), removes session data, and garbage collects any orphaned content blobs. Effective retention after uninstall is therefore about 48 hours, followed by complete deletion.

Shopify compliance webhooks

TimeVault implements all three of Shopify's mandatory privacy webhooks:

  • customers/data_request: because we store no customer data, there is nothing to return. We log the request.
  • customers/redact: no operation, since there is no customer data to redact. We log the request.
  • shop/redact: we actively purge all stored data for the shop as described above.

Your rights

Because the data TimeVault stores is your own store content, you remain in control of it. You can restore or review your backups at any time inside the app, and you can trigger deletion of all your stored data by uninstalling TimeVault, which leads to complete erasure about 48 hours later through Shopify's shop redaction process.

Depending on where you or your customers are located, data protection laws such as the GDPR and the CCPA may give additional rights, such as the right to access, correct, or delete personal data. Since TimeVault does not collect shopper personal data, these requests are limited in scope, but you can contact us at any time and we will assist. Under the GDPR, Sizzle acts as a processor of the store content you choose to back up, and you act as the controller of that content.

Security

We take reasonable measures to protect the data we store. Content is stored as content addressed blobs keyed by SHA-256 hash on managed infrastructure provided by Supabase and Netlify, and access is limited to the app's own functions. No method of storage or transmission is completely secure, so while we work to protect your data we cannot guarantee absolute security.

International users

TimeVault stores and processes data in the United States. If you install the app from outside the United States, you understand that your store content will be transferred to and processed in the United States.

Children

TimeVault is a business tool for Shopify merchants and is not directed to children. We do not knowingly collect personal information from children.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the date at the top of this page. Your continued use of TimeVault after an update means you accept the revised policy.

Contact

If you have questions about this policy or how TimeVault handles data, contact us atcontact@sizzle.so.