Your field data, that is, the actual values you entered into the field for any product or other content, is stored in Shopify along with all of your other data. Specifically, the data is stored in Metafields, using a namespace particular to Custom Fields (metafields.custom_fields.YOURNAMESPACE). When you see your data in the app's interface, it was pulled in real-time from Shopify and added to the form. We do not store your field values in any way. This means that the values you enter into this app are available outside of the app, if you need them and have your own developers, using the Metafields API. This also means that any questions regarding the privacy of the data you enter should be directed at Shopify.
If you use our export tool, we collect the information you've requested by asking Shopify to provide it back to us via the Metafields API in real-time. We then store that export file on our host for 24 hours. If you have questions regarding our host's privacy policies, please visit https://pantheon.io and also https://pantheon.io/blog/announcing-privacy-shield-framework-compliance
If you use our import tool, we do not permanently store your file. We parse the file and cache the data temporarily. Garbage collection on our system deletes your upload file within a few hours.
Your field definitions are stored in the app. Definitions are just your settings for the field, like if it's an HTML field and what you called it. The app uses these definitions to create the forms you use in the app, like the dropdowns or WYSIWYG fields.
If, for any reason, the Custom Fields app "goes down" your data will not be lost and your customers and visitors will not be impacted.
We are actively investigating the impact of GDPR on our application. Due to our application's real-time architecture and mitigating factors described above, we are not aware of any specific changes that need to be made in order to support GDPR. If you believe otherwise, please drop us a line.