Data and User Privacy

1. Overview

“ProductPilot - Bulk AI Product Optimization” (the “App”) is designed exclusively for merchants using the Shopify platform. We want to be fully transparent: we do not collect or process any “Protected Customer Data” (PCD) such as your shoppers’ personal info, orders, shipping addresses, or payment details. We only handle data necessary to provide the App’s core features (product image & metadata generation, subscriptions/credits management).

2. Data We Collect & Use

Here is a breakdown of what data we collect, why we collect it, and how we use it:

a) Merchant / Store-Admin Session Data

  • Shop domain (store identifier)

  • Access token (granting the App access to Shopify Admin API)

  • Scope of access (e.g., write_products, write_files)

  • User ID, first name, last name, email of the installing store-staff/admin user

  • Flags/roles (e.g., accountOwner, emailVerified)

  • Uninstall webhook: upon uninstall the session is deleted (via app/routes/webhooks.app.uninstalled.tsx).

Purpose: To authenticate the App with the merchant’s store, manage sessions, serve the App’s features, and support subscription/billing logic.

b) Product / Variant / Media Metadata

  • Metadata associated with products, variants, and media attachments (via Shopify Admin GraphQL reads/writes)

  • Tags and level strings (normalized)

  • AI-enhancement artifacts and metadata produced by the App

  • Subscription plan, App subscription ID, credit ledger (internal to the App)

Purpose: To enable the App to generate, update, and manage enhanced images and metadata/tags for products, variants, and media; to track the merchant’s usage and credit balance; and to manage subscriptions/credits.

c) External Services Involved

We use the following third-party services in the processing pipeline:

  • Shopify Admin API (scopes: write_products, write_files)

  • Wasabi S3 (storage of images/artifacts)

  • OpenAI (image/metadata processing)

  • Redis (queue / background jobs)

3. Customer / Order Data – What We Do Not Collect

We explicitly do not access the following:

  • Any customer records (e.g., names, emails, addresses, phones, IPs) of shoppers on the merchant store

  • Any order history or order-level details

  • Any personal identifiers of store shoppers

  • Any “Protected Customer Data” as defined by Shopify.

Because we do not request the customer/order scopes (such as read_customers, read_orders) and there are no references to customers or their personal data in our code, you can trust that the App is only working with merchant and product/metadata level data.

4. Purpose Limitation

We use the collected data only for the purposes described above:

  • Generating and managing product images and associated metadata/tags

  • Managing subscription and credit balances for App usage

  • Providing support, authentication, and session management for merchants

We do not use the data for any other purpose unless specifically disclosed and accepted by the merchant.

5. Data Retention & Deletion Policy

  • Merchant session data: Deleted promptly when the uninstall webhook is triggered.

  • Generated images, enhancement artifacts and metadata: Retained for a duration defined in your retention schedule (e.g., “we retain stored images and metadata for up to 12 months after last use or uninstall, unless otherwise requested by merchant”).

  • Subscription / credit ledger data: Retained as long as is necessary for billing/invoicing, dispute resolution, and compliance.

  • We regularly review and purge data that is no longer needed for the stated purpose.

6. Security

We implement appropriate technical and organisational measures to protect your data:

  • Access tokens and merchant session/profile fields are stored encrypted in our database.

  • We use secure HTTPS communication for API calls to Shopify, OpenAI, Wasabi, and Redis.

  • Access is restricted by role, audit logging is enabled, and we conduct periodic security reviews.

  • In the event of a data breach, we will notify affected merchants in accordance with applicable laws and our incident response policy.

7. Third-Party Processors and International Transfers

We rely on subcontractors (“subprocessors”) including Wasabi (S3 storage) and OpenAI (AI image processing). These services may process data in jurisdictions outside your own region, and by using the App you acknowledge and accept that cross-border transfers may occur. We ensure that each subprocessor has appropriate data processing agreements (DPAs) in place.

8. Your Rights

Depending on your jurisdiction (e.g., under GDPR for EEA merchants), you have certain rights in respect of your data:

  • Right to access the data we hold about you (merchant/staff user)

  • Right to correct or update inaccurate data

  • Right to request deletion of your data (subject to legal/billing obligations)

  • Right to object to or restrict certain processing

  • Right to data portability (where applicable)

If you wish to exercise any of these rights, please contact us at productpilotai@gmail.com.

9. Changes to This Policy

We may update this Data & User Privacy section from time to time (for example to reflect new services, subprocessors or legal requirements). When we make material changes we will notify you via our App’s dashboard or by email, and update the “Last Updated” date at the top of this policy.



Last updated: 09. Nov 2025
