Privacy Policy

1. Information we collect through Shopify’s APIs

When you install a ShopsPilot app on a Shopify store, we access store data only through the OAuth permissions you approve and Shopify’s APIs and webhooks.

• DescripAI: we request the read_products and write_products access scopes. Through the Admin API we read and update product-related data needed to generate and save listing content—for example product titles, descriptions, handles, SEO fields, variants, and product images (including image URLs we may send to our AI providers). We receive webhook payloads for app/uninstalled, app_subscriptions/update, and Shopify’s mandatory privacy compliance topics (customers/data_request, customers/redact, shop/redact) as configured for the app.
• Cod Shield Lite: depending on the permissions you grant, we may access orders, customers, and related fulfillment or messaging data to operate COD verification and related workflows described in that app’s listing.

2. Information we collect directly from merchants

• Account and installation data: shop domain (myshopify.com), encrypted OAuth access tokens, plan or subscription status, and billing-related identifiers and usage counters associated with Shopify’s billing APIs.
• Merchant contact details: we may store a merchant or shop contact email when Shopify or you provide it (for example during install or support), and any information you include when you email us or sign up for updates.
• App activity and AI inputs (DescripAI): product names and optional text you enter in the app, language and tone settings, and outputs we generate; we store generation history (including linked Shopify product IDs where applicable, image URLs, token usage metadata, and timestamps) to provide the service, enforce plan limits, and troubleshoot issues.
• Technical and security logs: server, request, and error logs (which may include IP addresses, user agents, timestamps, and API request metadata) for reliability, security, and abuse prevention. Short-lived OAuth state values may be held in our cache layer during installation flows.
• Website visitors: basic analytics such as pages viewed, approximate location, device type, and referrer, collected via privacy‑friendly analytics tools.

3. Information relating to merchants’ customers

DescripAI runs in the Shopify admin for merchants. We do not operate a buyer-facing storefront app, do not place cookies or trackers on your customers’ browsers for DescripAI, and do not log how end-customers browse your storefront for that app. Product copy we process may later appear on your storefront but is handled as merchant-controlled catalog content, not as us collecting personal data directly from buyers for our own purposes.

Cod Shield Lite may process customer or order-related personal data you authorize via Shopify for COD verification and messaging workflows. That processing is limited to providing those app features.

4. How we use information

We use personal and store data to provide, operate, secure, and improve the Services; to deliver in-app features you request; to handle billing and plan limits; to respond to support requests; and to comply with law and Shopify’s platform requirements. We do not sell personal information. We do not use merchant or store data for third-party advertising profiling or unrelated marketing beyond communicating about the Services (for example service announcements or billing), unless you separately agree (such as optional marketing emails you can opt out of).

• Deliver COD verification and related workflows for Cod Shield Lite.
• Provide AI-assisted listing features for DescripAI, including generating and suggesting product copy and SEO-related text from your catalog inputs.
• Monitor performance, detect abuse, and maintain the security of our Services.

5. How we share information

We do not sell your data. We may share limited information with:

• Service providers: such as hosting, infrastructure, database, and communication providers (for example, WhatsApp or messaging API providers for Cod Shield Lite) who help us deliver the Services.
• AI providers: for DescripAI, we use third-party model providers to process text and images you submit and return generated suggestions. Those providers act as subprocessors and receive only what is needed to fulfill each request (for example, product image and text prompts). Their use is governed by their terms and our agreements with them.
• Shopify: as required by the Shopify platform, to operate apps installed on your store and comply with their terms.
• Legal or safety reasons: if we believe disclosure is required by law, regulation, or to protect the rights, property, or safety of ShopsPilot, our users, or others.

6. Data retention

We retain information for as long as reasonably necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Typical practices include:

• Shop and install records: while the app is installed and for a limited period after uninstall (for example to honor billing, disputes, security investigations, and backups), after which we delete or irreversibly anonymize data where feasible.
• DescripAI generations: stored in our database for service history, support, and usage accounting until deleted according to our retention schedule or when you request deletion subject to legal holds.
• OAuth state: short retention (on the order of minutes) in cache during authorization.
• Logs: rolled according to operational needs, often weeks to months unless extended for security or legal reasons.

Where possible, operational metrics are aggregated or anonymized over time.

7. Data security

We use reasonable technical and organizational measures to protect information, including access controls, encryption in transit where appropriate, and least‑privilege access for operational tools. No method of transmission or storage is fully secure, so we cannot guarantee absolute security.

8. Your choices and individual rights

Depending on where you or your customers are located, privacy laws may give individuals rights to access, correct, delete, or restrict processing of personal data, or to object to certain processing or to data portability. Merchants can contact us (section 12) to exercise rights relating to data we hold as a processor on their behalf, subject to verifying the request and applicable law.

• Email marketing: you can opt out of non-transactional emails by replying or using unsubscribe instructions when provided.
• Shopify apps: uninstalling a ShopsPilot app stops new data collection for that store. Residual data may remain in backups or logs for a limited period as described above.
• Shopify compliance webhooks: for customer personal data processed through our Shopify apps, we honor Shopify’s mandatory privacy webhooks (for example customers/data_request, customers/redact, shop/redact) as described in Shopify’s privacy law compliance documentation.

9. International transfers and where we operate

We and our subprocessors may store or process information in countries other than the country where you or your customers are located (including outside the European Economic Area or United Kingdom). Where required by law, we use appropriate safeguards for such transfers (for example standard contractual clauses or other mechanisms recognized by regulators).

If you need our legal entity name, registered office, or postal address for regulatory or contract purposes, contact us at the email in section 12; we will provide details where we are required to do so.

10. Children’s privacy

Our Services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above. The revised policy will apply from the date it is posted on this page.

12. How to contact us

If you have questions about this Privacy Policy, data practices, or rights requests, contact us at:

Email: [email protected]

Some jurisdictions require a physical or postal business address in a privacy notice. If you need ours, ask by email and we will provide it where applicable.