Privacy Policy
Effective date: April 17, 2026
This Privacy Policy describes how AI Storefront Optimizer ("we", "our", or "the App") collects, uses, stores, shares, and protects information when a Shopify merchant installs and uses the App. It applies to the App published on the Shopify App Store and hosted at iecyu9zanz.us-east-2.awsapprunner.com.
1. Who we are
AI Storefront Optimizer is a Shopify app that helps merchants make their product catalogs discoverable by AI shopping assistants. The App scans product data, identifies gaps, generates AI-assisted content, and publishes an llms.txt file that AI agents can read.
Data controller for App data: the App publisher, reachable at john@b2sell.com.
2. Information we collect
We only collect the information required to operate the App. We do not collect personal information about a merchant's end customers.
2.1 Shop and merchant account data
- Shop domain (e.g., your-store.myshopify.com)
- Shopify OAuth access tokens (offline tokens used to call the Shopify Admin API on the shop's behalf)
- Shopify API scopes granted at install
- Subscription plan and billing status for the App
2.2 Product catalog data
- Product titles, descriptions, and handles
- Product images and alt text
- Metafields, tags, and product types
- Variants, SKUs, and barcodes
- Collections and catalog structure
2.3 Usage and diagnostic data
- Counts of catalog scans, AI generations, and simulator queries
- Plan-limit counters (daily and monthly)
- Error logs and request metadata for debugging and abuse prevention
2.4 Customer personal data
The App does not access or store Shopify customer personal data (names, emails, addresses, orders, or payment information). If Shopify transmits a mandatory compliance webhook for a customer data request or redaction, the App responds with an empty payload because no such data is stored.
3. How we use information
- Catalog scoring. Read product data through the Shopify Admin API to compute an AI-readiness score and identify gaps.
- AI content generation. Submit product fields (titles, descriptions, images, metafields) to AWS Bedrock (Anthropic Claude models) to generate suggested titles, descriptions, alt text, product types, and structured data.
- llms.txt publishing. Generate and expose an llms.txt file summarising the catalog so that AI shopping assistants can index it.
- AI search simulator. Let merchants preview how AI tools interpret their catalog before publishing.
- Plan enforcement. Track usage counters to enforce query and AI-generation limits per subscription plan.
- Service operations. Monitor errors, prevent abuse, and improve reliability.
We do not sell merchant data. We do not use merchant data for advertising. We do not use merchant catalog data to train third-party foundation models; AWS Bedrock calls are made through Anthropic's API on AWS, which does not train on customer inputs.
4. Legal bases for processing (GDPR)
For merchants in the European Economic Area or the UK:
- Contract. Processing is necessary to provide the App services the merchant has installed and is paying for.
- Legitimate interests. Operating, securing, and improving the App and preventing abuse.
- Legal obligation. Responding to Shopify compliance webhooks and lawful requests.
5. How we share information
We share information only with the sub-processors required to run the service:
- Shopify Inc. – source of catalog data and platform for App distribution and billing.
- Amazon Web Services (AWS) – hosts the App (App Runner), database (RDS PostgreSQL), cache (ElastiCache Redis), background processing (Lambda, SQS), object storage (S3), and logging (CloudWatch). Region: us-east-2.
- AWS Bedrock (Anthropic Claude) – processes product fields to generate AI suggestions. Bedrock does not retain prompts or outputs to train models.
We do not share merchant data with advertisers, data brokers, or any party outside the list above. We may disclose data if required by law, court order, or to protect the rights, safety, or property of the App, merchants, or third parties.
6. Data retention
- Shop records, access tokens, and catalog snapshots are retained while the App is installed.
- When a merchant uninstalls the App, the app/uninstalled webhook triggers deletion of the shop's OAuth session and access token. Catalog and usage data are deleted within 30 days.
- On receipt of Shopify's shop/redact webhook (48 hours after uninstall), any remaining shop data is purged.
- Aggregate, non-identifying metrics may be retained for service analytics.
- CloudWatch logs are retained for up to 30 days for debugging and security.
7. Security
- All traffic is served over HTTPS (TLS 1.2+).
- Shopify OAuth access tokens are encrypted at rest using application-level AES encryption before being stored.
- Data at rest in AWS RDS, ElastiCache, and S3 is encrypted using AWS-managed keys.
- Access to production infrastructure is restricted, audited, and requires multi-factor authentication.
- The App validates Shopify webhook signatures (HMAC) before processing any webhook request.
No method of transmission or storage is 100% secure. If we become aware of a data breach that materially affects merchant data, we will notify affected merchants without undue delay and, where GDPR Article 33 requires it, within 72 hours.
8. International data transfers
The App is hosted in AWS region us-east-2 (United States). If a merchant is located outside the United States, data will be transferred to and processed in the United States. Transfers rely on Standard Contractual Clauses and AWS's data-transfer safeguards where applicable.
9. Your rights
Depending on the merchant's jurisdiction (GDPR, UK GDPR, CCPA/CPRA, and similar laws), the merchant may have the right to:
- Access the data we hold about the shop
- Request correction of inaccurate data
- Request deletion of data
- Request a copy of data in a portable format
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
- Lodge a complaint with a supervisory authority (e.g., an EU data protection authority or the UK ICO)
To exercise any of these rights, email john@b2sell.com. We respond within 30 days.
California residents: we do not sell or share personal information as defined by the CCPA/CPRA.
10. Cookies and tracking
The App is an embedded Shopify admin app. It uses only the cookies required for Shopify session authentication and CSRF protection. It does not use advertising cookies, analytics cookies, or third-party tracking pixels on merchant-facing surfaces.
11. Children's privacy
The App is a business-to-business tool for Shopify merchants. It is not directed to children under 16 and does not knowingly collect data from them.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page and the "Effective date" above will be updated. Continued use of the App after changes take effect means the merchant accepts the revised policy.
13. Contact
Questions, requests, or complaints about this policy or the App's data practices:
Email: john@b2sell.com