Dibs

Privacy policy

Effective date: 2 July 2026

Dibs — Back in Stock Alerts (“we”, “us”, “the app”; the app registration is called Dibs) is a Shopify app operated by AskMario that lets shoppers subscribe to back-in-stock alerts for sold-out product variants and notifies them by email when stock returns. This policy explains what data we collect, how we use it, how long we keep it, and your rights.

What we collect

Dibs handles two kinds of data: information shoppers type into the storefront widget, and a narrow slice of your Shopify catalogue data.

  • Shopper subscriptions (from the widget): the email address a shopper enters, the product and variant they subscribed to, and consent metadata — the timestamp of the signup, the URL of the page it happened on, a hashed (non-reversible) form of the shopper's IP address, and the opt-in level (single or confirmed double opt-in).
  • Notification history: which alerts were queued, sent, delivered, or bounced for each subscription, with timestamps and unsubscribe status.
  • From the Shopify API: products and variants, inventory levels, and locations — the minimum needed to know when a watched variant comes back in stock.
  • Shop metadata and settings: your myshopify domain, widget and sender configuration, plan, and billing status mirrored from Shopify Billing.

What we never collect: we do not read Shopify customer records and we do not read order data. The only personal information in the system is what a shopper deliberately types into the “notify me” widget. We don't request the protected-customer-data scopes that would grant access to Shopify customer or order fields.

How we use it

  • To send a shopper one back-in-stock email for the variant they subscribed to, verified against live inventory at send time.
  • To show you delivery confirmation — queued, sent, delivered, bounced — for every restock alert.
  • To power the Demand Leaderboard and related analytics (subscribers waiting per variant, signups per day).
  • To honour unsubscribes and consent preferences immediately.
  • To keep legally required proof of consent.

We don't sell your data or your shoppers' data. We don't share it with advertisers. We don't use it to train ML models. Shopper emails are used only to deliver the alert they asked for — never added to any other list.

Where it's stored

  • Application data (subscriptions, consent records, inventory snapshots, settings) is stored in a Postgres database hosted by Neon in the European Union.
  • The application itself runs on Fly.io in Frankfurt, Germany (EU).
  • Email delivery is handled by Resend; the recipient address and message content pass through their systems to be delivered.

Retention & deletion

  • Unconfirmed signups (double opt-in pending) are purged after 72 hours.
  • Subscriber personal information is scrubbed 30 days after the notification is sent, or 30 days after unsubscribe — whichever comes first.
  • Consent records are kept for 3 years as legal proof of consent.
  • Delivery logs are kept for 12 months.
  • On uninstall, Shopify sends the shop/redact webhook about 48 hours later; all data for your shop is permanently purged within 30 days of receiving it.
  • You can request immediate deletion at any time by emailing info@askmario.co.za.

Roles under GDPR

For shopper data collected through your storefront, the merchant is the data controller and AskMario (via Dibs) is the data processor. We process your shop's data only on your documented instructions — installing the app and using its features constitutes that instruction — and only for the purposes described in “How we use it” above.

All hosting and storage is in the European Union (Fly.io Frankfurt, Neon EU). Where any transfer outside the EU/UK occurs via a subprocessor, we rely on the Standard Contractual Clauses (2021/914). We can provide a signed Data Processing Addendum (DPA) on request — email info@askmario.co.za.

Your rights

Because Dibs stores shopper email addresses, the Shopify GDPR/CCPA webhooks are actively honoured:

  • Customer data request: we compile every subscription, consent record, and notification log matching the shopper and deliver the export to the merchant within 30 days.
  • Customer redact: we hard-delete every matching record — email address, notification logs, consent metadata, hashed IP — within 30 days.
  • Shop redact: full deletion of all your shop's data within 30 days of the webhook (which fires about 48 hours after uninstall).

Shoppers can act directly too: every email we send contains a one-click unsubscribe link, honoured immediately. Shoppers and merchants may also request access, correction, or deletion by email at any time.

Security

  • All traffic is HTTPS-only.
  • OAuth tokens from Shopify are stored encrypted at rest in the database.
  • Shopper IP addresses are stored only as a one-way hash.
  • Access to the production database is limited to the engineering team.
  • Webhooks are verified using Shopify's HMAC signature; the storefront widget submits through Shopify's signed app proxy.

Cookies

The merchant-facing app runs as an embedded Shopify admin app; the cookies involved are the standard Shopify session cookies that authenticate you to your shop's admin. The storefront widget does not set tracking cookies, and we don't use third-party analytics that cookie your visit.

Subprocessors

  • Shopify Inc. — source of product/inventory/location data, hosting of the embedded admin frame, billing.
  • Fly.io — application hosting (Frankfurt, EU).
  • Neon — managed Postgres database hosting (EU).
  • Resend — email delivery.
  • Klaviyo — only if you enable the Klaviyo integration; subscriber email/phone and event data are then shared with your own Klaviyo account.
  • SMSPortal — only if you enable SMS alerts (South-African stores); subscriber phone numbers are shared to deliver the SMS.

Jurisdiction

AskMario is registered in the Republic of South Africa. Personal information processed under this policy is handled in line with both the EU General Data Protection Regulation (GDPR) and South Africa's Protection of Personal Information Act (POPIA, 2013). Data is hosted in the European Union; the cross-border transfer basis for South African processing is documented in our DPA. This policy is governed by the laws of the Republic of South Africa.

Changes to this policy

We'll update the effective date at the top of this page when this policy changes. Material changes will be communicated via the merchant contact email on file.

Contact

Privacy questions, deletion requests, DPA requests, or anything else — email info@askmario.co.za.