Privacy Policy

Last updated: 2026-05-24

What we collect

• Your Shopify domain and a Shopify-issued access token (encrypted at rest with AES-256-GCM).
• Configuration you enter in the app (llms.txt preferences, schema toggles, robots.txt rules, competitor domains).
• Product, collection, blog, and policy metadata fetched via Shopify GraphQL — used only to generate the llms.txt file and schema markup. We do not store the underlying product data after generation.
• Aggregate order data (no PII) — order count, total amount, referrer host — for the AI traffic attribution dashboard. We do not store customer names, addresses, or contact details.

What we do not collect

• Customer names, email addresses, phone numbers, addresses, or any personally identifiable information.
• Payment card data.
• Browsing behavior beyond what Shopify Analytics already records.

How we store it

Configuration is stored in a Supabase Postgres database in the `aeo` schema. Access tokens are encrypted at rest. RLS is enabled. Backups are encrypted in transit and at rest.

Subprocessors

• Vercel — hosting
• Supabase — database
• Cloudflare — edge caching + OG image generation
• Shopify — source of merchant data
• Bing, Yandex, IndexNow.org — receive product URLs we submit on your behalf

Your rights

On uninstall, all merchant data is deleted within 48 hours via Shopify's shop/redact webhook. Reach us at hello@shieldkit.app for any data request.