Privacy Policy

Last updated: July 2, 2026

Catalog Optimizer (“the App”, “we”, “us”, “our”) is a Shopify application. This Privacy Policy explains what information we collect when you use the App inside your Shopify store, how we use it, and your rights.

1. What information we collect

When you install and use Catalog Optimizer, we collect:

  • Store information — your Shopify store domain, access token (stored encrypted), and the subscription plan you are on.
  • Product data — product titles, descriptions, types, tags, images, and Google Merchant Center attribute fields that are required to perform feed optimisation. We do not store customer data or personally identifiable information (PII) attached to orders beyond aggregated counts.
  • Order counts — daily order volume and revenue totals per product, used to calculate before/after attribution on the Performance screen. Individual order details, customer names, emails, and addresses are never stored.
  • Google account data — if you choose to connect a Google account, we store OAuth tokens (encrypted at rest) and the email address associated with the connected account. We use these tokens to read Google Search Console and Merchant Center data on your behalf.
  • Usage data — optimisation events (which products were optimised, what fields changed, confidence scores) and credit consumption per billing period.
  • Billing data — your current Shopify subscription plan tier. Payment details are handled entirely by Shopify and are never transmitted to or stored by us.

2. How we use your information

  • To deliver the core service: score your product feed, generate optimisation suggestions, and write approved changes back to your Shopify catalogue.
  • To show you performance attribution: comparing GSC impressions, clicks, and order counts before and after optimisations.
  • To enforce billing limits: track credits used this month against your plan allowance.
  • To improve the service: anonymised, aggregated usage metrics (e.g. average category accuracy, token consumption) may be used to improve the scoring algorithms. No merchant-specific data is used in model training.

3. Sharing with third parties

We share data with the following third parties only as necessary to deliver the service:

  • Shopify — your store domain and the Shopify Admin API are used to read products and write back approved optimisations. Shopify's own Privacy Policy governs their use of your data.
  • Anthropic — product attribute data (titles, descriptions, types, tags) is sent to the Claude API to generate optimisation suggestions. Anthropic's data-processing terms apply. Data sent is limited to the fields required for optimisation; no customer PII is included.
  • Google — if you connect a Google account, your OAuth tokens are used to query the Google Search Console and Merchant Center APIs. Google's Privacy Policy governs their handling of this data. Catalog Optimizer's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google user data is displayed only to the merchant who connected the account, is never sold or used for advertising, and is never used to train machine-learning models.
  • Supabase — our database infrastructure provider, hosting the PostgreSQL database where your store data is held. Data is stored in the US East region. Supabase is SOC 2 Type II certified.
  • Vercel — our application hosting provider. Application logs may include store domain identifiers for debugging purposes.

We do not sell, rent, or share your data with advertisers or any other third party not listed above.

4. Data retention

  • Active installs — store data, product snapshots, and optimisation history are retained while the App is installed.
  • After uninstall — we receive a Shopify shop/redactwebhook within 48 hours of uninstall. On receipt, all store data (products, events, performance snapshots, and Google connection) is permanently deleted.
  • Customer data requests — in response to a Shopifycustomers/data_request webhook, we confirm that we do not store individual customer records.
  • Customer redact — in response to a Shopifycustomers/redact webhook, we confirm there is no customer-level data to delete.

5. Security

All Shopify and Google OAuth access tokens are encrypted at rest using AES-256-GCM before being written to our database. Connections to our database use TLS in transit. API calls between the App and Shopify use Shopify's standard HTTPS Admin API. JWT session tokens issued by Shopify App Bridge are verified using HMAC-SHA256 on every request.

6. Your rights (GDPR / CCPA)

If you are located in the European Economic Area, the United Kingdom, or California, you have the right to:

  • Access the data we hold about your store.
  • Correct inaccurate data.
  • Request deletion of your data (which is automatically triggered by uninstalling the App).
  • Restrict or object to processing.
  • Data portability — request an export of your optimisation history.

To exercise any of these rights, email us at mcaoptimizer@gmail.com.

7. Cookies and tracking

The App runs exclusively inside the Shopify Admin embedded frame and does not use cookies, pixel tracking, or any third-party analytics SDKs. A single short-lived HttpOnly cookie (shopify_oauth_state) is used during the OAuth installation flow for CSRF protection. It expires after 5 minutes.

8. Children

The App is intended for use by merchants operating Shopify stores. It is not directed at children under the age of 13 and we do not knowingly collect data from children.

9. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the email address associated with your Shopify Partners account or via an in-app notice. Continued use of the App after changes constitutes acceptance of the updated policy.

10. Contact

For privacy questions or data requests, please contact:

Email: mcaoptimizer@gmail.com
App: https://mca-optimizer-app.vercel.app