Privacy Policy
Effective date: May 4, 2026 · Version 2.0
AI Catalog Score ("we", "our", "the app") is a Shopify application that audits product catalog data for AI shopping readiness, attributes incoming sessions to AI agents (ChatGPT, Gemini, Copilot, Perplexity, Claude, You.com, Le Chat, DeepSeek), and runs causal A/B experiments on catalog fixes. This policy explains exactly what data we access, why we need it, how we store it, and how we protect it.
1. Shopify API Scopes We Request
When you install the app, Shopify will prompt you to grant the following scopes. Each is justified below.
read_products
To read your product titles, descriptions, images, variants, metafields, tags, vendor, type, and pricing — the inputs to the AI Catalog Score audit. We do not read product data outside of audit operations triggered by you (manual audit run, scheduled re-audit, or webhook-driven re-audit on product update).
write_products
To apply fixes (title, description, SEO, tags, metafields, category) when you click "Apply Fix" or "Apply All Fixes". We never modify products without explicit merchant action — there is always a button click with a confirmation. Every write is logged in the AppliedFix table for audit and the contractual Score Guarantee.
read_orders
Required only for the per-agent AI Traffic Attribution dashboard (/app/agent-traffic). When an order arrives, we read three Shopify-provided fields to determine if the buyer came from an AI shopping agent:
- landing_site — the URL on your store the buyer first hit
- referring_site — the previous URL (where applicable)
- client_details.user_agent — to detect AI agent fingerprints (e.g. ChatGPT Crawler, GPTBot, ClaudeBot)
We do not read or store: customer name, email, phone number, billing/shipping address, or any payment information. The order is referenced only by Shopify's internal order ID and the AI agent attribution it generated.
2. Webhook Subscriptions
The app subscribes to the following webhook topics for real-time monitoring and lifecycle management. All webhooks are HMAC-signed and verified before processing.
- app/uninstalled — to trigger automatic deletion of all merchant data within 48 hours of uninstall.
- app/scopes_update — to re-prompt for consent if Shopify scope requirements change.
- products/update — to re-audit a product when it changes, so your score stays current without manual re-runs (Catalog Guardrails feature).
- orders/create — to capture AI-attributed sessions for the per-agent traffic dashboard and Performance pricing tier uplift computation. Only metadata fields listed under read_orders are extracted.
3. Data We Store
- Audit results — product scores per dimension, issues found, audit timestamps, and history (so you can see your improvement over time and the Score Guarantee can verify pre/post-fix deltas).
- Applied fixes — what was changed, when, by which fixer, and the resulting score delta. Required for the contractual Score Guarantee refund mechanic.
- AI Sessions — for orders attributed to an AI agent: agent identifier, landing path, order ID, order revenue, and order timestamp. Used by the per-agent Traffic dashboard, the Causal A/B experiment engine, and the Performance pricing tier billing.
- Causal experiment data — when you run an A/B experiment via the Experiments page, we store the treatment/control assignment, pre-window and post-window AI-session snapshots, and the computed Difference-in-Differences result with p-values. Aggregated, anonymized results may be published in our public A/B sharing community (opt-in only, k-anonymity ≥10 enforced).
- Score Guarantee consent — version of the Terms accepted, timestamp, and shop identifier (required for contractual enforceability).
- Performance pricing baseline — for shops on the Performance tier, the 30-day pre-switch AI-attributed revenue baseline used to compute monthly uplift charges.
- Session data — Shopify session tokens for embedded-app authentication.
4. Data We Do NOT Collect
- Customer personal information (name, email, phone, addresses)
- Payment, billing, or financial information
- Customer browsing or analytics data outside of order-attached referrer/user-agent fields
- Email addresses of your customers or your customers' contacts
- Cart abandonment, browsing history, or session-level behavioral data
5. Third-Party Services
The app relies on the following sub-processors, all bound by their own privacy policies:
- Anthropic (Claude API) — when you click "Generate with AI" or "Apply AI Fixes", product metadata (titles, descriptions, current scores) is sent to Anthropic's Claude API for optimization suggestion generation. Anthropic does not store or train on this data per their privacy policy. Customer information is never sent.
- Google Gemini API, OpenAI API — used by our internal Ground Truth pipeline to capture how AI agents respond to public shopping queries (e.g. "best running shoes under $100"). This pipeline does not send your products, your customer data, or any merchant-specific information to these APIs. It only sends generic public queries.
- Railway (hosting) — application server and Postgres database, hosted in the EU region.
- Shopify Billing API — for subscription management, refund issuance via the Score Guarantee, and Performance pricing tier usage charges.
6. Competitor Comparison Feature
When you use the Competitor Comparison feature (/app/compare), we fetch publicly available HTML from the URL you provide using a server-side request with a public user-agent. We do not store competitor data beyond the comparison session you initiated. We never fetch URLs that are private, password-protected, or behind authentication.
7. Data Security
- All data is transmitted over HTTPS / TLS 1.3.
- Database access is restricted to authenticated server-side processes; no direct external access.
- Webhooks are HMAC-SHA256 signed and verified before processing.
- Anthropic API keys, Shopify session tokens, and webhook secrets are stored in encrypted environment variables, never in source control.
- We follow Shopify's Built for Shopify security and performance best practices for embedded apps.
8. Data Retention & Deletion
When you uninstall the app:
- The app/uninstalled webhook fires immediately.
- All data tied to your shop (audits, applied fixes, AI sessions, experiments, consent records, baseline computations) is permanently deleted within 48 hours.
- You can also request immediate deletion at any time by emailing support@aicatalogscore.com with your myshopify.com domain — we will confirm deletion within 7 business days as required under Shopify's Privacy mandatory webhooks (shop/redact, customers/redact, customers/data_request).
9. GDPR & EU Compliance
For merchants and customers in the European Economic Area, the United Kingdom, and Switzerland:
- Legal basis for processing — performance of contract (the merchant's installation agreement) for all merchant data; legitimate interest (AI traffic attribution, fraud prevention) for derived analytics on order metadata.
- Data Processing Agreement (DPA) — available on request at support@aicatalogscore.com. Required for merchants accepting EU customers.
- Right of access, rectification, erasure, and portability — exercise via the email above. Response within 30 days as required under GDPR Articles 15-20.
- Data residency — Railway EU region (Frankfurt). Anthropic and OpenAI sub-processors operate in the US under Standard Contractual Clauses.
- Right to lodge a complaint — with your national supervisory authority (e.g. CNIL in France, ICO in the UK, Garante in Italy).
10. Your Rights as a Merchant
You can:
- Request a copy of all data we store about your shop (export delivered as JSON within 7 days).
- Request deletion of your data at any time without uninstalling.
- Uninstall the app from Shopify Admin to trigger automatic deletion within 48 hours.
- Opt out of the public A/B experiment sharing community at any time (opt-in is off by default).
- Disable individual webhooks via the Guardrails settings page.
11. Contact
For privacy questions, data requests, DPA requests, or formal disputes:
12. Changes to This Policy
We may update this policy as the app evolves (new features, new sub-processors, regulatory changes). Material changes will:
- Bump the Version number at the top.
- Be announced in-app on next load with a prompt to review.
- Apply prospectively only — historical data continues to be governed by the policy in force at the time of collection.
The current version is recorded above. The previous version (1.0, effective April 21, 2026) is available on request.