Compliance

Where Shelf stands today.

Honest posture on the compliance frameworks merchants ask about. We'd rather be straight about where we are than overclaim.

GDPR

Shelf is built around data minimization: we request only the Shopify scopes we actively use, collect no customer data, and cascade-delete merchant data on uninstall. Shopify's three mandatory GDPR compliance webhooks (customers/data_request, customers/redact and shop/redact) are implemented.
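The webhooks mentioned above are the one place on this page where a concrete mechanism is involved, so here is an added example of how such a handler is typically built. This is illustrative code written for this page, not Shelf's own implementation; the app secret, the shop domain, the customer record and the in-memory "database" are all constructed for the demo. The security-relevant point is the order of operations: the X-Shopify-Hmac-Sha256 header is verified over the raw request bytes, in constant time, before any redact action runs, because an unauthenticated redact request would otherwise let anyone delete a merchant's data.

```python
"""Minimal handler for Shopify's three mandatory compliance webhooks.

Added example, not Shelf's code. The secret, payloads and store below are
constructed for the demo; a real app reads its client secret from config.
"""
import base64
import hashlib
import hmac
import json

APP_SECRET = b"shpss_example_secret_not_real"  # constructed, not a real secret

MANDATORY_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def sign(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Build the header value Shopify sends: base64(HMAC-SHA256(secret, body))."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_shopify_hmac(raw_body: bytes, header_value: str, secret: bytes = APP_SECRET) -> bool:
    """Check X-Shopify-Hmac-Sha256 against the exact bytes received.

    Compute over the raw body (never a re-serialized JSON object) and compare
    in constant time. A missing or malformed header simply fails to match.
    """
    expected = sign(raw_body, secret).encode("ascii")
    return hmac.compare_digest(expected, header_value.encode("utf-8"))


def handle_compliance_webhook(headers: dict, raw_body: bytes, store: dict) -> tuple:
    """Dispatch one webhook. Returns (HTTP status, description of action taken).

    `store` is a constructed stand-in for the app database, shaped as
    {shop_domain: {customer_id: data}}.
    """
    topic = headers.get("X-Shopify-Topic", "")
    signature = headers.get("X-Shopify-Hmac-Sha256", "")

    # Authenticate before touching any data.
    if not verify_shopify_hmac(raw_body, signature):
        return 401, "invalid hmac"

    # Acknowledge unknown topics with 200 so Shopify does not keep retrying.
    if topic not in MANDATORY_TOPICS:
        return 200, "ignored"

    payload = json.loads(raw_body)
    shop = payload["shop_domain"]

    if topic == "shop/redact":
        # Sent after uninstall: drop everything held for the shop.
        store.pop(shop, None)
        return 200, "redacted shop " + shop

    customer_id = payload["customer"]["id"]
    if topic == "customers/redact":
        store.get(shop, {}).pop(customer_id, None)
        return 200, "redacted customer " + str(customer_id)

    # customers/data_request: report what is held. For an app that collects
    # no customer data this is always empty, but the endpoint must still answer.
    held = store.get(shop, {}).get(customer_id, {})
    return 200, json.dumps({"customer_id": customer_id, "data": held})


def demo() -> list:
    """Run a tampered and a valid redact request against a constructed store."""
    store = {"example.myshopify.com": {123: {"note": "constructed record"}}}
    body = json.dumps({"shop_domain": "example.myshopify.com",
                       "customer": {"id": 123, "email": "customer@example.com"}}).encode()
    valid = {"X-Shopify-Topic": "customers/redact", "X-Shopify-Hmac-Sha256": sign(body)}
    tampered = {"X-Shopify-Topic": "customers/redact",
                "X-Shopify-Hmac-Sha256": sign(body + b" ")}  # signature of different bytes
    results = [handle_compliance_webhook(tampered, body, store),
               handle_compliance_webhook(valid, body, store)]
    results.append(("store", store))
    return results


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The first request in `demo()` is rejected with 401 and the record survives; the second succeeds and the customer entry is gone. Whatever framework the app uses, the body must be read as raw bytes before any JSON parsing middleware touches it, or the computed digest will not match Shopify's.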

CCPA

Shelf is CCPA-aligned through the same data minimization posture — we don't collect data we don't need, and we delete what we have when you uninstall.

SOC 2

Not yet certified. SOC 2 comes when our scale warrants it. If it's a hard requirement for your review, email us — we can walk through the controls we've built that map to the SOC 2 trust services criteria.

AI provider

Shelf uses Anthropic's commercial Claude API. Under Anthropic's commercial terms, API inputs and outputs are not used to train Anthropic's models and are retained only as those terms allow. In addition, Shelf anonymizes data before sending it; see Data handling.

Need more than the public page?

For data processing agreements (DPAs), sub-processor lists, breach notification procedures, or other compliance documentation required for your review — email security@shelfplugin.com.