Privacy Policy
Overview
Blackout Dates (“the App”) is a Shopify app that lets merchants configure date-based scheduling for collection, local delivery, and postal orders — including blackout dates, per-product rules, delivery pricing, and calendar sync. This policy explains what information we collect when you install or use the App, how we use it, and your rights with respect to that data.
We keep this simple: we collect only what we need to run the service, we never sell your data, and we permanently delete all of your data within 48 hours of uninstall.
Information we collect
Merchant information
When you install the App through the Shopify App Store, Shopify provides us with:
- Your shop domain (e.g. yourstore.myshopify.com)
- An OAuth access token that allows the App to call the Shopify Admin API on your behalf
- Session identifiers used to authenticate your admin session
App configuration data
Data you create while using the App:
- Store-wide blackout dates and days of the week you have blocked
- Store-wide settings: order cut-off time, preparation lead days, and minimum order value
- Per-product availability rules: allowed dates, allowed weekdays, preparation days override, fulfilment type, and whether the date picker is enabled
- Delivery method preferences (collection, local delivery, postal) and associated pricing rules (Pro)
- Order booking counts per date and time slot, used to enforce per-slot order limits (Pro). These counts are stored against your shop domain and the relevant date/time slot; no customer identifiers are included.
- A randomly generated calendar sync token used to authenticate the Pro calendar feed URL
- Your current plan tier, stored to enforce feature access without querying the billing API on each request
- If you connect Google Calendar or Microsoft Outlook: OAuth access tokens, refresh tokens, and token expiry timestamps for each connected service, used to push calendar events on your behalf
Customer data
The App requests the read_customers Shopify API scope. This is used solely by the Pro calendar sync feature, which reads customer names, email addresses, and phone numbers from orders to include in calendar event notes. These details are accessed transiently and are never stored in our database. However, if you have connected Google Calendar or Microsoft Outlook, this contact information is included in calendar events pushed to those services when an order is placed — see “Data sharing” below. Collection date selections entered by customers are written as order properties directly in Shopify and are never stored in our database.
How we use your information
- To authenticate API requests to Shopify on your behalf
- To display and enforce your configured blackout dates and product rules in the storefront date picker
- To write collection date metadata to your Shopify orders (via the Shopify API)
- To generate the Pro ICS calendar feed, which reads order data (including customer contact details) transiently to build calendar events
- To push calendar events to Google Calendar or Microsoft Outlook automatically when an order is placed, if you have connected either service
We do not use your data for advertising, analytics, or any purpose beyond operating the App.
Data storage
Your data is stored in a PostgreSQL database hosted on Heroku (Salesforce). Heroku servers are located in the European Union (Ireland).
OAuth access tokens are encrypted at rest. Database backups are retained for a maximum of 7 days.
Data sharing
We do not sell, rent, or share your data with third parties except as described below:
- Shopify — we call the Shopify Admin API using your access token to read products, read orders and customer contact details (name, email, phone — for the Pro calendar sync feature), and write order properties. Shopify's own Privacy Policy applies to data processed through their platform.
- Heroku — our hosting and database provider. Data is processed under Heroku's Privacy Policy.
- Google — if you connect Google Calendar, we push calendar events (including order dates and customer contact details: name, email address, and phone number if provided) to your Google Calendar account when orders are placed. This uses the Google Calendar API under Google’s Privacy Policy. We store your Google OAuth tokens to maintain this connection. You can disconnect at any time from the Calendar Sync settings page. Note that calendar events already pushed to Google Calendar before uninstall are not automatically removed; you can delete them directly from your Google Calendar.
- Microsoft — if you connect Microsoft Outlook, we push calendar events (including order dates and customer contact details: name, email address, and phone number if provided) to your Outlook calendar when orders are placed. This uses the Microsoft Graph API under Microsoft’s Privacy Policy. We store your Microsoft OAuth tokens to maintain this connection. You can disconnect at any time from the Calendar Sync settings page. Note that calendar events already pushed to Outlook before uninstall are not automatically removed; you can delete them directly from your Outlook calendar.
- Sentry — we use Sentry for error monitoring. Error reports may include your shop domain and contextual request data. These traces are retained according to Sentry’s own data retention policy (typically 90 days) and are not deleted when you uninstall the App.
We may disclose data if required by law or to protect our legal rights.
Data retention and deletion
Your data is retained for as long as the App is installed on your store.
When you uninstall the App, Shopify sends us an app/uninstalled webhook and we immediately delete your OAuth session. Shopify also sends a mandatory shop/redact webhook 48 hours after uninstall; upon receiving it we permanently delete all remaining data (blackout dates, product rules, store settings, slot booking counts, and any residual session records) associated with your shop.
You can also request deletion at any time by contacting us at privacy@blackoutdates.app.
Your rights
Depending on your location, you may have rights under applicable privacy law (including GDPR and CCPA) to:
- Access the data we hold about your shop
- Request correction of inaccurate data
- Request deletion of your data
- Object to or restrict certain processing
To exercise any of these rights, contact us at privacy@blackoutdates.app. We will respond within 30 days.
Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date at the top. Material changes will be communicated via the App or by email to the store owner. Continued use of the App after changes constitutes acceptance of the updated policy.
Contact
Questions about this policy? Reach us at privacy@blackoutdates.app.