Privacy Policy

ShieldKit is a Shopify Embedded App that scans Shopify stores for Google Merchant Center compliance issues and surfaces AI-search visibility tools. This policy describes what data ShieldKit collects, how we use it, who we share it with, and how merchants can request deletion. Plain English first, then specifics.

Who runs ShieldKit

ShieldKit is built by Plucore. Questions about this policy or your data can go to hello@shieldkit.app.

Shopify scopes we request

ShieldKit follows the principle of least privilege. The exact scopes requested at install are:

• read_products — read product titles, descriptions, variants, images, and metafields to run compliance checks (data quality, image hosting, structured data).
• write_products — used only on Shield Max to write GTIN, MPN, and brand metafields back to your products via the GTIN/MPN/Brand Auto-Filler. We never modify product titles, descriptions, prices, inventory, or images.
• read_content — read your shop's pages and blog content (e.g. About, Contact pages) to run the contact-information and business-identity-consistency checks.
• read_legal_policies — read your published refund, shipping, privacy, and terms policies to run policy-completeness checks.
• read_themes, write_themes — read theme structure for the JSON-LD schema theme-app-extension and (Shield Max) install schema blocks. We do not modify theme template files beyond adding/removing our own app blocks.
• read_shipping, read_locations — read shipping zones and store locations to run the shipping-policy check and contact-information check.

About the "View customer data" install prompt

At install, Shopify shows a "View customer data" disclosure listing device and activity data, geolocation, IP address, browser, and operating system. Shopify auto-generates this disclosure because ShieldKit declares an App Proxy (the /apps/llms-txt endpoint that powers the optional Shield Max llms.txt feature). When a storefront visitor (or an AI crawler) requests /apps/llms-txt, Shopify forwards the request to ShieldKit's server along with the visitor's IP, User-Agent, and other HTTP request metadata. This is what Shopify is disclosing.

We do not request read_customers, read_orders, or any other order/customer scope. We never receive your customers' names, emails, addresses, order history, or payment details. The "customer data" referenced in the prompt is the request metadata described in the next section.

Data we collect

When you install ShieldKit on your Shopify store, we collect and store:

• Shopify OAuth tokens. Encrypted with AES-256-GCM before being written to our database. Used solely to make Shopify Admin API calls on your store's behalf.
• Shop metadata. Domain, shop name, billing address country, currency, primary locale — read from the Shopify Admin API at scan time so we can run compliance checks against your store's configuration.
• Public storefront pages. During a compliance scan we fetch your store's homepage, up to three product pages, the cart page, and pages referenced by your published policies. We parse the HTML to detect compliance signals (payment icons, structured data, contact info). We retain the parsed signals as part of the scan record; we do not retain full page HTML.
• Scan results. Compliance scores, individual check results, the URLs we fetched, parsed signals, and any violation details we surfaced. Linked to your shop ID.
• Billing state. Plan tier, billing cycle, Shopify subscription identifier, subscription start time. We do not see or store credit card details — Shopify handles all payment data via Shopify Managed Pricing.
• Merchant-supplied content. Anything you type into the app: AI-policy-generator inputs, GMC re-review appeal letter inputs, Pro settings (logo URL, support email, social URLs, search URL template) stored in pro_settings, AI bot allow/block preferences.
• AI-generated artifacts. The HTML store policies and appeal letters Claude generates for you, stored alongside your merchant record so you can return to them later.
• Schema enrichment audit log (paid plans). When the GTIN/MPN/Brand Auto-Filler writes metafields to your products, we log which product and which fields were written for diagnostic purposes.
• Lead email. The shop owner's email address (read from shop.email via the Shopify Admin API) is stored once at first scan in our leads table to send the weekly health digest and (rarely) product update emails.
• App Proxy request logs (llms.txt endpoint only). When a storefront visitor or AI crawler requests /apps/llms-txt, we log the request's User-Agent, the identified crawler name (if recognised), and a privacy-preserving IP hash. The IP is truncated before hashing — for IPv4 we drop the last octet, for IPv6 we drop the last 64 bits — so the hash identifies a /24 or /64 network rather than a specific household. We never receive the visitor's name, email, or any identifying information beyond what their browser sends in HTTP headers.

ShieldKit does not read your store's customer records, order history, addresses, or payment data. The Shopify scopes we request do not grant access to those resources. The GDPR customers/data_request and customers/redact webhooks return HTTP 200 immediately because we have nothing to return or delete.

How we use the data

• Run the 12-point compliance scan and generate fix instructions.
• Generate AI-assisted store policies and GMC appeal letters using Anthropic's Claude API. Inputs you provide are sent to Anthropic's API for inference; we do not retain them after the response is returned beyond the database row that stores the generated artifact.
• Run the GTIN/MPN/Brand Auto-Filler (paid plan) — write identifier metafields back to your products to satisfy Google Merchant Center's identifier requirements.
• Serve a cached llms.txt file at /apps/llms-txt for paid merchants so AI search agents can discover your products and policies. Requests to this endpoint are logged as described in "Data we collect" above.
• Submit the merchant's public storefront URL (and product page URLs) to Google's PageSpeed Insights API for the mobile performance check.
• Operate the app: authentication, billing reconciliation, error logging.

Data we share

We do not sell, rent, or share your data with third parties for marketing or any commercial purpose. The only third parties that touch your data are infrastructure subprocessors required to run the app:

• Supabase — primary database (PostgreSQL). All scan results, billing state, and encrypted OAuth tokens live here.
• Vercel — application hosting and Cron job execution.
• Anthropic — Claude API for AI policy generation and appeal letter drafting. Inputs you provide for these features are sent to Anthropic for inference.
• Resend — transactional email delivery for the weekly health digest.
• Google PageSpeed Insights — public storefront URLs are submitted to Google's PageSpeed API as part of compliance check #9. No private store data is sent.
• Shopify — for billing, webhooks, and the Admin API calls that drive the scanner.

Data retention

We retain data for as long as the app remains installed on your shop.

• When you uninstall ShieldKit, your Shopify session is deleted immediately and your merchant row is soft-deleted (marked with anuninstalled_at timestamp). Scans, violations, digest history, and webhook audit logs are kept for the 48-hour window Shopify gives merchants to reinstall before the GDPR shop/redact webhook fires.
• When the shop/redact webhook fires (typically 48 hours after uninstall), we hard-delete your merchant row and everything that cascades: scans, violations, billing history, Pro settings, digest email logs, AI-generated artifacts, schema enrichment records, and llms.txt request logs.
• App Proxy request logs (llms_txt_requests) for shops that uninstall are deleted in the same cascade. For shops that remain installed, we retain these logs indefinitely so the weekly digest can show you which AI crawlers have read your llms.txt.
• Database backups are retained for 7 days by Supabase. After 7 days a deleted record is gone from backups too.

Your rights

• Access: request a copy of the data we hold about your store by emailing hello@shieldkit.app.
• Deletion: uninstall the app — within 48 hours everything is hard-deleted by the Shopify shop/redact webhook. You can also email us to request immediate deletion.
• Correction: most settings are editable inside the app. For data you can't edit yourself (e.g. cached scan history), email us.
• GDPR / CCPA / UK GDPR: the rights above apply to residents of the EEA, UK, and California. Contact us at the email above to exercise them.

Security

Shopify OAuth tokens are encrypted at rest with AES-256-GCM before being written to the database. Database access uses Supabase's service role key, scoped server-side; the key never reaches the browser. Application traffic is HTTPS-only. We follow the principle of least privilege when requesting Shopify API scopes — see your store's Apps & sales channels page for the exact scopes ShieldKit requests.

Changes to this policy

We update this page when our practices change. Material changes will be highlighted in the app or via a one-time email to your shop owner address.