Privacy Policy

Last updated: May 1, 2026

This Privacy Policy describes how Shelf (“we,” “us,” or “our”) collects, uses, and handles your information when you use our Shopify application and visit our website at shelfplugin.com.

1. What Data Shelf Collects

When you install Shelf, we access the following data from your Shopify store:

  • Product catalog — product names, prices, and variants (via the read_products Shopify API scope). This lets you select which of your products you want promotional context for.
  • Store URL — provided during Shopify OAuth installation to identify your merchant account.
  • Vertical and positioning tier — entered by you during onboarding to contextualize opportunities for your industry.

2. What Data Shelf Does NOT Collect

Shelf requests only the read_products Shopify API scope. We do not access:

  • Customer data (no read_customers scope)
  • Order or sales data (no read_orders scope)
  • Inventory data (no read_inventory scope)
  • Financial or accounting data
  • Email addresses of your customers
  • Browsing or analytics data from your store

3. External Data We Collect

Shelf watches publicly available promotional activity from brands you choose to follow:

  • Brand product pages — public product listings collected via HTTP requests to publicly available product endpoints. We extract product names, prices, and promotional indicators.
  • Brand homepages — public homepage content visited via a standard browser. We extract banners, sitewide offers, and marketing signals.
  • Brand newsletters (future feature) — commercial promotional emails that you subscribe to manually using a provided email address. We extract subject lines, offer details, and campaign themes.

All of these sources are publicly available. Product pages and homepages are public web pages. Newsletters are opt-in commercial communications that brands actively distribute.

4. How Data Is Processed by AI

Shelf uses Anthropic’s Claude API to generate competitive observations.

What is sent to Anthropic:

  • Your store’s vertical and positioning tier — e.g., “skincare”, “mid-market” (categorical, not identifying)
  • Titles of your matched products — the public-facing product names of your items that have a confirmed competitor match. No prices, variants, or inventory data.
  • Competitor promotional signals — banner text, signup offers, promotional activity, and marketing tools detected on competitor storefronts. Includes competitor store URLs.

What is NOT sent to Anthropic:

  • Your Shopify store URL or store identity
  • Your product prices, variants, or inventory levels
  • Any customer data

Purpose: This data is used solely to generate the competitive intelligence displayed in your Shelf dashboard. It is not used for any other purpose.

No AI training: Shelf does not use your store data, product information, or competitive signals to train, fine-tune, or improve any AI or machine learning model. Your data is never used to develop or enhance any model on our behalf or on behalf of any third party.

Opt-out: You can stop all AI processing at any time by uninstalling the app. All data is permanently deleted on uninstall (see Section 6).

Anthropic’s data handling: Anthropic’s commercial API does not use input data for model training. Data is not retained by Anthropic beyond the API request lifecycle. For current terms, see Anthropic’s privacy policy.

5. Data Storage and Security

  • AI-generated analysis is cached in a PostgreSQL database on AWS RDS (us-east-1)
  • Cache is overwritten with each analysis cycle — not append-only
  • Shopify access tokens are encrypted at the application layer using AES-256-GCM
  • All data transmitted over HTTPS (TLS 1.3)
  • Application hosted on AWS Fargate in private subnets

6. Data Deletion

Retention during active use: Data is retained for the duration of your active use of the app. This includes competitors, product matches, signals, price history, and cached intelligence.

On app uninstall: All your data is permanently deleted. This includes competitors, product matches, signals, price history, and cached intelligence. Full cascade deletion — no data is retained after uninstall.

Standard backups: AWS RDS automated backups are retained for 1 day. These are infrastructure-level backups and are not used to restore individual merchant data.

7. Cookies and Tracking

Shelf uses Shopify’s session tokens for authentication (embedded app — no third-party cookies). Our marketing site (shelfplugin.com) does not use analytics tracking, advertising pixels, or third-party tracking scripts.

8. GDPR Compliance

  • Mandatory webhooks implemented: Customer Data Request, Customer Redact, Shop Redact
  • No customer PII collected: Shelf does not access customer data from Shopify
  • Full deletion on uninstall: All merchant data is cascade-deleted when the app is uninstalled
  • Data portability: You can request an export of your data at any time via support

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Shopify admin dashboard or email. The “Last updated” date at the top will always reflect the most recent revision.

10. Contact Us

If you have questions about this Privacy Policy or how we handle your data: