
Privacy policy

Effective May 19, 2026 · Last updated May 19, 2026

This policy explains how Pendulum (the “Service”) collects, uses, stores, and discloses information from Shopify merchants who install Pendulum and from the end customers whose data flows through the merchant’s store. We use plain language wherever possible.

Pendulum is operated by Alchemy Merch LLC (“we,” “us,” “our”), located at 19924 E Vallejo St, Queen Creek, AZ 85142, United States. If you have questions about this policy or how your data is handled, contact us at support@penduluminvoices.com.

Roles: who is the controller

For data about merchants who install Pendulum (your shop domain, owner email, billing status, etc.) we act as a data controller.

For data about end customers that flows through a merchant’s Shopify store (customer name, email, order details), we act as a data processor on behalf of the merchant, who is the controller. End customers who want to exercise rights over their data should contact the merchant first. We support all GDPR-mandated data subject requests routed via Shopify’s compliance webhooks (see below).

Information we collect

From merchants on install

  • Shop domain (e.g. your-store.myshopify.com)
  • Shopify offline access token, encrypted at rest with AES-256-GCM
  • OAuth-granted scopes (currently read_orders and read_draft_orders)
  • Plan status and billing subscription ID returned by Shopify Managed Pricing
  • Brand settings you configure: logos, colors, company name, address, email, phone, footer text, documents URL
  • Email templates and reminder schedules you configure
  • Webhook endpoint URLs you configure (Pro plan only)

About your customers (as a processor for you)

  • Customer name and email address as they appear on Shopify orders and draft orders
  • Order metadata: order name (e.g. #1042), amount, currency, due date, paid date, status
  • Shopify order and draft-order IDs and the Shopify-hosted invoice URL
  • Reminder send history: which template was sent, when, to whom, the Postmark message ID, delivery status

We do not collect payment card numbers, bank account numbers, or any other payment instrument data. Payment processing remains entirely within Shopify and Shopify Payments / Stripe / the merchant’s chosen processor.

Automatically collected

  • Standard server logs (IP address, user agent, request path, timestamp) retained for up to 30 days for security and abuse prevention
  • Outbound webhook delivery history (status code returned by your endpoint, truncated response body) retained as long as the endpoint exists

How we use information

We use the information above strictly to operate the Service for you:

  • Generate branded invoice PDFs from your Shopify orders and draft orders
  • Send reminder emails to your customers on the cadence you configure
  • Display your invoice and reminder activity in the embedded dashboard
  • Bill you through Shopify Managed Pricing and enforce plan limits
  • Respond to support requests you send us
  • Detect and prevent abuse of the Service
  • Comply with our legal obligations

We do not sell your data or your customers’ data. We do not use the data for marketing to your customers or for training machine learning models. We do not share the data with advertisers.

Sub-processors

We use the following sub-processors to operate the Service. Each is contractually bound to confidentiality and to processing data only on our instructions.

Sub-processor | Purpose | Location
Supabase | Postgres database hosting (merchant + customer data) | United States (us-east-1)
Postmark | Transactional email delivery for reminder emails | United States
Vercel | Web application hosting and edge network | Global (primary: United States)
Shopify | Source of merchant + customer data, billing via Shopify Managed Pricing | Canada / United States
Cloudflare | Email routing for the @penduluminvoices.com domain (forwards inbound mail to a single mailbox we monitor) | Global

If we add or change a sub-processor we will update this page. Material changes that introduce new categories of data sharing will be communicated in-app or by email before they take effect.

Data retention

We retain merchant and customer data for as long as the merchant has Pendulum installed on their Shopify store, plus a short window after uninstall for backup integrity. Specific retention windows:

  • Active installs: data retained for the lifetime of the install
  • After uninstall: we receive Shopify’s shop/redact webhook 48 hours after uninstall and delete all merchant and customer data within 48 hours of receipt (96 hours total)
  • On customers/redact: we delete the requested customer’s record, their invoices, and reminder send history within 30 days
  • Server logs: retained 30 days for security and abuse prevention, then deleted
  • Outbound webhook delivery history: retained as long as the endpoint exists. Deleted with the endpoint.

GDPR webhooks (Shopify mandatory)

Pendulum subscribes to all three GDPR-mandatory webhooks defined by Shopify. They are handled at /api/webhooks/compliance.

  • customers/data_request: within 30 days, we compile and deliver a copy of the requested customer’s data via the merchant
  • customers/redact: within 30 days, we delete the customer’s data and all associated invoices and reminder sends from our systems
  • shop/redact: within 48 hours of receipt (sent by Shopify 48 hours after uninstall), we delete all of the merchant’s data including their offline access token, brand settings, invoices, reminder history, webhook endpoints, and outbound delivery history

We log the receipt of every compliance webhook and verify the Shopify HMAC signature before acting.

Your rights

Subject to applicable law (including GDPR for EEA / UK residents and CCPA / CPRA for California residents), you have the following rights regarding your data:

  • Access: request a copy of the data we hold about you
  • Correction: request that inaccurate data be corrected
  • Deletion: request that we delete your data (subject to legal retention requirements)
  • Portability: request your data in a structured, machine-readable format
  • Objection: object to specific processing activities
  • Withdraw consent: where processing is based on consent, withdraw it at any time

If you are an end customer whose data flows through a merchant’s Shopify store, contact the merchant first. The merchant is the data controller. We support all such requests when they are routed via Shopify’s compliance webhooks above.

If you are a merchant, email support@penduluminvoices.com. We respond within 30 days.

EEA / UK residents have the right to lodge a complaint with a supervisory authority. Greg can also be contacted as the Alchemy Merch privacy point of contact at the email above.

International data transfers

Our infrastructure and our primary sub-processors are based in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States.

Where required by law (notably for transfers from the EEA / UK / Switzerland), we rely on the Standard Contractual Clauses approved by the European Commission and additional safeguards as offered by our sub-processors.

Security

We take security seriously. Concrete measures:

  • Shopify offline access tokens are encrypted at rest with AES-256-GCM. The encryption key is held only in Vercel environment variables, never committed to source control
  • All traffic between Pendulum and Shopify, between Pendulum and merchants, and between Pendulum and customers is encrypted in transit via TLS 1.2 or higher
  • Database access is restricted to the application using a service-role key. Direct database access is limited to two named administrators
  • Outbound webhook URLs must use HTTPS. We sign every outbound payload with HMAC-SHA256 so receiving systems can verify authenticity
  • Every Shopify webhook is verified against the Shopify HMAC signature before processing
  • Multi-tenant isolation is enforced in every database query by scoping on shop_id

No system is perfectly secure. If you become aware of a security issue, please email support@penduluminvoices.com and we will respond within 48 hours.

Cookies and tracking

The embedded Pendulum app inside Shopify admin uses session cookies set by Shopify to authenticate the merchant. We do not set our own tracking cookies on the embedded app.

The marketing site at penduluminvoices.com does not use third-party analytics or advertising cookies. The only cookies the marketing site may set are functional cookies necessary for the site to operate (e.g. preference cookies).

Children

Pendulum is a business-to-business tool for Shopify merchants. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information through a merchant’s store, please contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. Material changes that affect how we collect, use, or share data will be announced in-app or by email at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

Contact

Questions, complaints, or data subject requests: