Privacy Policy
App Cost Watchdog is operated by Legitimate LLC (“we,” “us,” “our”). This Privacy Policy explains exactly what data we collect, why we collect it, how long we keep it, and your rights. We have written it to be specific and honest — not aspirational. If a practice is not listed below, we do not do it.
1. Scope
This policy covers the App Cost Watchdog Shopify application and the associated public website at app-05-web-production.up.railway.app (the “Service”). It applies to:
- Merchants who install the embedded Shopify admin app (OAuth flow).
- Visitors who use the public `/demo` scan without installing the app.
- Customers of merchants who have installed the app (limited — see section 5).
2. What We Collect
2a. Merchant-side data (installed app)
When you install App Cost Watchdog via the Shopify admin, we collect and store:
- Shop domain (e.g., `yourstore.myshopify.com`). Used to associate your scan results and subscription with your account.
- Scan markers — specifically: the source values of `<script>` and `<link>` tags, meta-tag content attributes, and block handles visible in your public storefront. We store these fingerprints to identify which apps are installed. We do not store the raw HTML of your storefront pages.
- Invoice line items (Monitor plan only, merchant-confirmed) — if you upload a Shopify invoice PDF, we extract and store the app names and amounts from each line item after you review and confirm the parsed result. We store app names and charge amounts only. We do not store your billing address, payment method details, or any other invoice field.
- Shopify session token — a short-lived JWT issued by Shopify App Bridge, used to authenticate requests from the embedded admin iframe. We verify this token server-side on each request. We do not persist session tokens beyond the request lifetime.
- Shopify access token — a long-lived offline token granted via OAuth, stored encrypted in our database. Used solely to verify that your store is active and to retrieve billing subscription status from the Shopify Admin API. We do not use it to read customer data, orders, or any other store content.
2b. Public /demo scan (no account required)
The /demo route accepts a store URL from any visitor and scans its public storefront without requiring login. For each scan, we store:
- Target host — the normalized domain of the store URL you submitted (e.g., `yourstore.myshopify.com`). Used for per-target rate-limiting and to aggregate scan authority data.
- Hashed IP address — your IP address is run through `SHA-256(ip + salt)`, where `salt` is a random secret held server-side. The hash is stored; your raw IP address is never written to our database or logs. The hash is used for per-IP rate limiting (5 scans per hour per IP).
- Result summary (JSON) — a reduced, privacy-safe projection of the scan result: detected app names and confidence levels, estimated monthly spend range, and the top finding. This summary never includes raw marker values (script src URLs), raw HTML fragments, or full evidence arrays.
- Timestamp — the UTC time of the scan.
Demo scan records are not linked to any Shopify account. We have no way to associate them with a named individual unless you also install the app.
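The hashed-IP rate limit and the reduced result summary described in section 2b, as an added illustration in Python; this is example code written for this page, not the App Cost Watchdog implementation. The salt, the rate-limiter store (an in-memory dictionary standing in for the database) and the scan-result field names are assumptions.

```python
import hashlib
import secrets
import time
from collections import deque
from typing import Deque, Dict, Optional

# Constructed for this example: a random secret generated at start-up.
# In production the salt is a fixed per-deployment secret held server-side,
# so the same IP maps to the same hash across requests; it is never stored
# beside the hashes.
SALT = secrets.token_bytes(32)

DEMO_LIMIT = 5                 # scans per IP per window, as stated in section 2b
DEMO_WINDOW_SECONDS = 3600     # one hour


def hash_ip(ip: str, salt: bytes = SALT) -> str:
    """Hex SHA-256(ip + salt). This is the only form of the address that is stored."""
    return hashlib.sha256(ip.encode("utf-8") + salt).hexdigest()


class DemoRateLimiter:
    """Sliding-window limiter keyed by hashed IP (in-memory stand-in for the database)."""

    def __init__(self, limit: int = DEMO_LIMIT, window: int = DEMO_WINDOW_SECONDS) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        """Record a scan attempt and return True if it is within the limit."""
        now = time.time() if now is None else now
        key = hash_ip(ip)                      # the raw IP never leaves this frame
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()                     # drop attempts older than the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def summarize_scan(result: dict) -> dict:
    """Reduce a full scan result to the privacy-safe projection of section 2b:
    app names with confidence, spend range and top finding. Raw marker values
    (script src URLs), HTML fragments and evidence arrays are dropped."""
    return {
        "apps": [{"name": a["name"], "confidence": a["confidence"]} for a in result["apps"]],
        "estimated_monthly_spend": result["estimated_monthly_spend"],
        "top_finding": result["top_finding"],
    }


def demo_scan_record(ip: str, target_host: str, result: dict,
                     now: Optional[float] = None) -> dict:
    """Build the row that would be persisted for one /demo scan."""
    return {
        "target_host": target_host.lower(),    # normalized host, never the raw URL
        "ip_hash": hash_ip(ip),
        "summary": summarize_scan(result),
        "scanned_at": time.time() if now is None else now,   # UTC epoch seconds
    }


# Constructed sample scan result; the field names are assumptions, not the app's schema.
SAMPLE_RESULT = {
    "apps": [{"name": "Example Reviews", "confidence": "high",
              "evidence": ["https://cdn.example.com/reviews.js"]}],
    "estimated_monthly_spend": {"low": 20, "high": 60},
    "top_finding": "Two review apps detected",
    "raw_html_fragment": '<script src="https://cdn.example.com/reviews.js"></script>',
}
```

Keying the limiter on the hash rather than the address means the rate-limit store and the scan table hold the same identifier, so neither ever needs the raw IP; a reader of either table can only correlate visits, not recover the address without the salt.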
3. What We Do NOT Collect
The following items are explicitly out of scope for this app:
- Customer PII — We do not read, store, or process any customer names, email addresses, shipping addresses, phone numbers, or purchase history from your store. Our OAuth scopes do not grant access to customer data.
- Order data — We do not access or store any order records, order IDs, or order amounts.
- Raw storefront HTML — The scan engine extracts structured markers (script sources, link hrefs, meta values, block handles) from your public storefront HTML; we do not persist the raw HTML itself.
- Raw IP addresses — As described in section 2b, we hash IP addresses before storing. Raw IPs are never written to our database.
- Billing addresses — Invoice PDF processing (Monitor plan) extracts app names and charge amounts only. Merchant billing addresses, credit card details, and payment method information are not extracted or stored.
- Personally identifiable information beyond shop domain — We do not ask for, collect, or store merchant names, phone numbers, or personal email addresses as part of the app's normal operation.
4. Read-Only Operation
App Cost Watchdog is a read-only advisory tool. It does not make any changes to your Shopify store, your apps, your theme, your products, your orders, or your customer data. The app never creates, modifies, or deletes any Shopify resource on your behalf.
The Shopify OAuth flow requests the minimum scopes needed to appear in the admin interface. We do not request any additional scopes beyond what Shopify requires for a basic embedded app.
5. Sub-Processors
We share data with the following third-party sub-processors to operate the Service:
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Shopify Inc. | OAuth authentication, Admin API, Shopify-managed billing | Shop domain, OAuth flow data, billing subscription state | Canada / USA |
| Railway (Railway Corp.) | Application hosting and managed PostgreSQL database | All app data stored in our database (shop domain, scan markers, hashed IPs, invoice line items) | USA |
| OpenRouter | Invoice PDF parsing via structured LLM extraction (Monitor plan only) | Text extracted in-request from the invoice PDF you upload is sent to OpenRouter's API for structured extraction, then discarded — it is never stored on our systems. This processing is subject to OpenRouter's privacy policy. | USA |
OpenRouter is used only in the Monitor plan's invoice-parsing feature; the invoice text is processed in-request and never stored. If these sub-processors change, we will update this policy.
6. Data Retention
- Invoice PDF files — never stored. The PDF you upload is read once in-request to extract app names and amounts, then discarded; it is never written to disk or retained. The extracted line-item data (app names + amounts only, merchant-confirmed) is retained for as long as your subscription is active.
- Scan data (installed merchant) — retained for as long as the app is installed. When you uninstall, we process the `app/uninstalled` webhook (which ends processing and deletes stored session tokens); Shopify's `shop/redact` webhook, sent about 48 hours later, then deletes the shop record and all linked scan data from our database.
- Public /demo scan records — retained for up to 12 months, then automatically purged. These records contain hashed IPs (not raw IPs), target hostnames, and result summaries only.
- Shopify access tokens — retained while the app is installed. Purged on the `app/uninstalled` webhook or upon merchant data-redact request.
- Invoice line items (Monitor plan) — retained for as long as your subscription is active. Deleted upon shop-redact webhook or on your explicit request to support@legitimateapps.com.
7. Mandatory Privacy Webhooks (GDPR / CCPA)
As a Shopify app, we implement and honor all three mandatory compliance webhooks:
- `customers/data_request` — When Shopify notifies us that a customer has requested their data, we acknowledge the request. Because we do not store any customer PII (section 3), there is no customer-identifiable data to export. We return a confirmation and direct the merchant to Shopify's own customer data exports for order and profile data.
- `customers/redact` — When Shopify sends a customer-redact request, we confirm receipt and purge any records that could be associated with that customer. Because we do not store customer PII, this webhook results in a no-op data change with a 200 acknowledgment.
- `shop/redact` — When Shopify notifies us that a merchant has requested their shop data be erased (typically 48 hours after app uninstall), we delete all data associated with that shop domain: the shop record, all scan markers, all invoice line items (Monitor plan), and all linked scan history. This is in addition to the session-token deletion that occurs on the `app/uninstalled` webhook.
All three webhooks return HTTP 200 and perform the appropriate data action. We do not merely acknowledge — we act.
8. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, port, or delete the data we hold about you. To exercise any of these rights:
- Email us: support@legitimateapps.com
- Include: your shop domain and a description of your request.
- Response time: We will respond within 30 days. For deletion requests, we will confirm when the data has been purged.
GDPR (EEA / UK merchants)
If you are located in the European Economic Area or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the right to access your data, the right to erasure, the right to restrict processing, and the right to data portability. Our legal basis for processing merchant data is the performance of a contract (the app subscription) and our legitimate interest in preventing abuse (rate limiting via hashed IP).
CCPA (California residents)
If you are a California resident, you have the right to know what personal information we have collected, the right to delete it, and the right to opt out of the sale of your personal information. We do not sell personal information to third parties. To make a CCPA request, email us at support@legitimateapps.com.
9. Security
We take reasonable technical and organizational measures to protect the data we hold:
- All traffic to the Service is served over HTTPS.
- Shopify access tokens are stored encrypted at rest in our managed PostgreSQL database on Railway.
- All Shopify webhook payloads are verified via HMAC-SHA256 before processing. Webhook requests with invalid or missing signatures are rejected immediately.
- IP addresses submitted to the `/demo` route are hashed with a random per-deployment salt before storage. Raw IPs are never logged or persisted.
- Invoice PDFs (Monitor plan) are processed in memory during the request and never written to disk or stored.
If you believe you have found a security vulnerability in the Service, please report it responsibly to support@legitimateapps.com.
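The HMAC-SHA256 webhook check from section 9, followed by the per-topic data actions from sections 6 and 7, as an added Python illustration; this is example code written for this page, not the Service's own handler. The app secret, the in-memory `seed_store` standing in for the database, and the note strings are constructed. The header names `X-Shopify-Hmac-Sha256`, `X-Shopify-Topic` and `X-Shopify-Shop-Domain` are the ones Shopify sends with webhooks; the signature is Base64 of HMAC-SHA256 over the raw request body keyed with the app secret.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed for this example; in production this is the app's Shopify API
# secret loaded from configuration, never hard-coded.
APP_SECRET = b"example-app-secret-not-real"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Base64(HMAC-SHA256(secret, raw body)), the value carried in the
    X-Shopify-Hmac-Sha256 header. Used here only to build sample input."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header holds a valid signature over the *raw* body.
    Parsing the JSON and re-serialising it before hashing would break this."""
    if not header_value:
        return False                         # missing header: reject, never assume
    try:
        provided = base64.b64decode(header_value, validate=True)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(provided, expected)   # constant-time comparison


def seed_store() -> Dict[str, dict]:
    """Constructed stand-in for the database: one installed shop and its data."""
    return {
        "yourstore.myshopify.com": {
            "sessions": ["sess-1"],
            "access_token": "encrypted-token-blob",
            "scan_markers": ["marker-a", "marker-b"],
            "invoice_lines": [{"app": "Example App", "amount": 9.99}],
        }
    }


def handle_webhook(headers: Dict[str, str], raw_body: bytes,
                   store: Dict[str, dict], secret: bytes = APP_SECRET) -> Tuple[int, str]:
    """Verify the signature first, then apply the retention rule for the topic.
    Returns (HTTP status, note); the note is for logging, not for the response body."""
    if not verify_webhook(secret, raw_body, headers.get("X-Shopify-Hmac-Sha256")):
        return 401, "rejected: missing or invalid HMAC"
    topic = headers.get("X-Shopify-Topic", "")
    shop = headers.get("X-Shopify-Shop-Domain", "")
    json.loads(raw_body)                     # body must be well-formed JSON
    if topic == "app/uninstalled":
        if shop in store:
            store[shop]["sessions"] = []         # end processing, drop session tokens
            store[shop]["access_token"] = None   # offline token purged on uninstall
        return 200, "uninstalled: sessions and access token purged"
    if topic == "shop/redact":
        store.pop(shop, None)                    # shop record plus all linked data
        return 200, "shop data erased"
    if topic == "customers/data_request":
        return 200, "no customer PII held; merchant referred to Shopify exports"
    if topic == "customers/redact":
        return 200, "no customer PII held; nothing to purge"
    return 200, "topic acknowledged, no data action"
```

Two details matter for this to be a real check rather than a formality: the signature is computed over the bytes exactly as received (a framework that decodes the body before the handler sees it has to expose the raw bytes), and the comparison uses `hmac.compare_digest` so that a mismatch takes the same time whichever byte differs.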
10. Cookies and Tracking
The embedded Shopify admin app uses session cookies and Shopify App Bridge session tokens to authenticate requests. These are functional cookies necessary for the app to operate within the Shopify admin iframe.
The public website (/, /demo, /privacy, /terms) does not set tracking cookies or use third-party analytics. We do not fingerprint visitors or build behavioral profiles.
We do not use advertising cookies or retargeting pixels.
11. Children's Privacy
The Service is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it.
12. Changes to This Policy
We will update this Privacy Policy if our data practices change. Material changes will be communicated to installed merchants via the Shopify admin interface or by email at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the date of the most recent revision.
Continued use of the Service after the effective date of a revised policy constitutes your acceptance of the revised terms.
13. Contact
For any privacy questions, data requests, or concerns, contact us at:
Legitimate LLC
App Cost Watchdog
Email: support@legitimateapps.com
We aim to respond to all privacy inquiries within 5 business days and to complete data requests within 30 days.