What We Collect
ShelfScore collects the following data when you install the app: your store domain, owner name, and email address obtained via Shopify OAuth during installation; product data including titles, descriptions, images, pricing, GTINs, and SEO metadata accessed via the Shopify Admin API solely to run audits (this data is not stored permanently and is not retained after the audit completes); audit scores and results, stored in our database and linked to your store domain; and basic usage data including audit run timestamps and feature usage events. We do not use third-party behavioral tracking or advertising analytics.
What We Don't Collect
ShelfScore does not collect: customer data of any kind — we have no access to order history, customer browsing behavior, customer names, addresses, or personal shopper information. All billing is handled entirely through Shopify's native billing system; we never see or store payment card details. Shopify passwords or admin credentials are never accessed — authentication is handled exclusively via Shopify OAuth.
How We Use Your Data
We use collected data exclusively to: run AI search readiness audits and generate scores and improvement recommendations for your store; send weekly audit digest emails, only if you opt in (you may opt out at any time from within the app settings); and improve audit accuracy and detection logic using aggregated, anonymized data. No individual store data is used for AI model training.
Storage and Security
Data is stored in Supabase, hosted on Amazon Web Services (AWS), and is encrypted at rest and in transit using industry-standard TLS. Authentication is handled via Shopify OAuth — we never see or store your Shopify password. Access tokens are stored encrypted using AES-256 encryption. We retain audit history data for the duration of your subscription. Data retention periods are configurable in app settings on paid plans.
Data Deletion
Session data is deleted immediately when you uninstall the app. All stored data — including audit scores, audit history, and store metadata — is permanently deleted within 48 hours of uninstall. You may request immediate deletion of all data at any time by emailing privacy@getshelfscore.com. ShelfScore responds to Shopify's mandatory GDPR compliance webhooks (customers/data_request, customers/redact, and shop/redact) within 30 days as required by Shopify's Partner Program Agreement. These webhooks are handled automatically.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your data: right to access (request a copy of all data we hold associated with your store); right to rectification (request correction of inaccurate data); right to erasure (request permanent deletion of your data at any time); right to restriction (request that we limit processing of your data in certain circumstances); right to portability (request your data in a structured, machine-readable format); right to object (object to processing based on legitimate interests); and right to opt out of email communications (unsubscribe at any time from within app settings or by emailing privacy@getshelfscore.com). To exercise any of these rights, contact us at privacy@getshelfscore.com. We will respond within 30 days.
Third-Party Services
ShelfScore uses the following third-party services to operate, each receiving only the minimum data required to perform their function: Shopify Inc. for platform infrastructure, OAuth authentication, and billing; Supabase for database storage and backend infrastructure; Vercel for website and API hosting; and Resend for transactional email delivery (weekly digest emails to opted-in merchants only). ShelfScore does not sell, rent, or share your data with any third party for advertising or marketing purposes.
International Data Transfers
Data processed by ShelfScore may be transferred to and stored in the United States, where our infrastructure providers (AWS via Supabase, Vercel) operate. These transfers are subject to appropriate safeguards including standard contractual clauses where required by applicable law.
Legal Basis for Processing (GDPR)
For merchants in the European Economic Area and United Kingdom, we process your data under the following legal bases: performance of a contract (to deliver the service you installed); legitimate interests (improving audit quality); and consent (for optional email communications). You have the right to withdraw consent for email communications at any time.
Contact
For privacy-related questions, data access requests, or deletion requests: privacy@getshelfscore.com
See also our Terms of Service.