Dropshipped

Security

We only ask for the access needed to run your store workflow.

Dropshipped connects to Shopify so it can create branded listings and keep inventory, prices, and tracking accurate. Here is what we access and why.

OAuth, not passwords

You connect Shopify through OAuth. We never ask for your Shopify password.

Tokens encrypted

Shopify offline tokens are encrypted at rest and never printed in logs.

SOC 2 in progress

We are building toward SOC 2 controls as part of the production security roadmap.

Shopify access

The scopes we request.

read_products

Import product and variant details from Shopify when we need to match or update a listing.

write_products

Create or update products only when you take that action in Dropshipped.

read_inventory

Check current inventory item IDs and stock state for variant mapping.

write_inventory

Update stock counts when sync is enabled for a connected store.

read_orders

Read order data needed for tracking sync and reconciliation.

Data we access

Only what the workflow needs.

  • Your account and organization details
  • Connected Shopify store domain and granted scopes
  • Encrypted Shopify offline access token
  • Product, variant, inventory, and order data needed for import and sync
  • AliExpress product links, supplier SKUs, and imported product snapshots
  • Usage and billing events needed for subscriptions and image credits

Retention and deletion

We keep data while your account is active so imports, mappings, billing, and sync can work. You can disconnect Shopify anytime. You can also request deletion, and we will delete data unless we must keep limited records for legal or billing reasons.

Sub-processors

We will list hosting, database, email, billing, and AI providers on the sub-processors page before launch.

We never sell your data.

We never train AI on your store data.

We never create or rewrite products without your action.

We delete your data on request.

We never log Shopify access tokens.