Shopify Data Policy

Raechal.ai · Addendum to the main Privacy Policy

1. Scope

This Shopify Data Policy governs how Raechal AI (the “Company”, “we”, “us”) handles data received from the Shopify platform when a merchant installs and uses the Raechal AI Shopify app. It is an addendum to the main Raechal AI Privacy Policy and to Shopify's API License and Terms of Use. In the event of conflict between this policy and the main Privacy Policy specifically for Shopify-sourced data, this addendum prevails.

2. What we receive from Shopify

When a merchant installs Raechal AI via Shopify OAuth, we receive only what the requested scopes authorize:

Shop identifiers: myshopify domain, primary domain, shop ID, shop name, owner email (from the install handshake), and locale.
Encrypted access token: the offline Admin API token Shopify issues at install, stored encrypted at rest with Fernet symmetric encryption.
Product catalog data: titles, descriptions, handles, SEO meta fields, tags, and image alt text — fetched on demand via the Shopify Admin API using read_products / write_products.
Content / Online Store data: blog posts, pages, and theme content the merchant explicitly asks the agent to audit or edit, via read_content / write_content.
Subscription & usage events: via Shopify-issued webhooks for app_subscriptions/update, shop/update, app/uninstalled, and app/scopes_update.

3. What we do NOT collect

Raechal AI intentionally limits the scopes it requests so the following categories are never accessed:

Customer (buyer) personal data: we do not request read_customers. No buyer names, emails, phone numbers, or addresses are pulled into our systems.
Order data: we do not request read_orders or read_all_orders. No line items, shipping addresses, payment details, or order history.
Payment information: all billing is handled by Shopify's Billing API. Card numbers and payment instruments are never exposed to us.
Inventory locations, draft orders, gift cards, discounts beyond what is exposed by the content / product scopes above.

4. How we use Shopify data

Run SEO audits on product pages, blog posts, and content pages the merchant authorizes.
Generate meta titles, meta descriptions, image alt text, and on-page copy edits — only when the merchant confirms the action through the agent UI.
Provide the merchant with reversible “restore points” before any write action so changes can be rolled back.
Track billable usage (chat messages, audits, fixes) for the active subscription plan.

We do not sell Shopify-sourced data, do not use it to train third-party foundation models, and do not share it with advertisers or data brokers.

5. Mandatory compliance webhooks

Per Shopify App Store policy, Raechal AI implements and responds to the three mandatory data-protection webhooks. Every delivery is authenticated by HMAC-SHA256 over the raw request body against our app secret; invalid signatures are rejected with HTTP 401 before any handler logic runs.

customers/data_request: Because we do not store buyer data, this webhook is acknowledged with an audit log entry and a 200 response. There is no buyer data to return.
customers/redact: Same rationale — no buyer records exist on our side, so the redaction is a no-op acknowledged with an audit log and a 200 response.
shop/redact: Fires 48 hours after a merchant uninstalls Raechal AI. On receipt we wipe the encrypted access token, deactivate the store record, reset its billing plan to free, clear usage counters, and stop all background processing for that shop within 30 days as required.

6. Data retention

Active stores: shop-level data (domain, encrypted token, usage counters, agent conversation history) is retained while the subscription is active.
Uninstalled stores: on shop/redact (48 hours after uninstall) the encrypted access token is wiped and the store is deactivated. Conversation history and audit logs are purged within 30 days.
Legal hold: we may retain limited audit metadata (shop ID, timestamps, action type) where required for tax, fraud, or legal compliance, with all other fields redacted.

7. Subprocessors

Shopify-sourced data may be processed by the following vetted subprocessors:

OpenRouter / model providers — for running the SEO agent and content generation. We send only the content the merchant explicitly asks the agent to act on; raw shop tokens are never transmitted.
Cloud infrastructure — for database, object storage, and compute. Data is encrypted in transit (TLS) and at rest.
Shopify itself — for billing (Subscription Billing API), product / content reads and writes, and webhook delivery.

8. Security

Access tokens stored encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256).
All Shopify Admin API calls go over TLS 1.2+.
Every webhook is HMAC-verified before processing; invalid signatures return 401.
Internal admin access is role-gated and auditable.

9. Merchant data rights

Merchants can exercise their rights under GDPR, CCPA, and India's DPDP Act by emailing info@raechal.ai from the email associated with the Shopify store owner account. Requests covered include: access to all data we hold about the shop, correction, portability, deletion, and the right to lodge a complaint with a supervisory authority.

We respond to all merchant data requests within 30 days of receipt, per Shopify's requirements.

10. International transfers

Shopify-sourced data may be processed in jurisdictions outside the merchant's country, including the European Economic Area, the United Kingdom, the United States, and India. Cross-border transfers rely on the Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.

11. Changes to this policy

Material changes will be posted on this page with a new effective date. The current effective date is at the bottom of the page.

12. Contact

Privacy questions, data requests, or security disclosures related to the Shopify integration: info@raechal.ai.