Legal
Security
Last updated: July 14, 2026
Restockly is built to keep your OpoShop store's data safe by design. Here's how.
Data isolation
Every record — subscriptions, waitlists, pre-orders, settings — is scoped to a single store. Every request is filtered by store ownership, so one merchant's data can never be read by another. There is no shared, cross-store view.
Access & authentication
- Merchant sessions are created only through OpoShop's secure OAuth code exchange — we never trust a raw token to mint a session.
- Session tokens carry a type claim so a refresh token can't be used to access data.
- The OpoShop access token we store is used only to call the OpoShop API for that store.
Shopper-facing safety
The public storefront endpoints (the “Notify me”, waitlist, and pre-order captures) are rate-limited, validate email format, and return the same generic response whether or not a store or item exists — so no one can enumerate who else subscribed or which stores use Restockly. We never return anyone else's data to a shopper.
Payments
Restockly never sees or stores payment card details. All checkout and payment happens inside OpoShop.
Reporting a vulnerability
Found a security issue? Please email brandon@tryfound.io with the details and we'll respond quickly. We appreciate responsible disclosure.