Privacy Policy

StoreSteady Privacy Policy

Effective Date: April 1, 2026

Last Updated: March 30, 2026

StoreSteady ("we," "us," "our") is operated by Caleb Carter. This Privacy Policy explains how we collect, use, store, and protect information when you use the StoreSteady application ("the App") available through the Shopify App Store.

By installing or using StoreSteady, you agree to the practices described in this policy.

1. Information We Collect

1.1 Information Collected Through Shopify APIs

When you install StoreSteady, we request access to your Shopify store data through Shopify's OAuth system. The specific data scopes we request are:

Product data (read_products): Product titles, descriptions, prices, images, variants, inventory status, barcodes (GTINs/UPCs), and product URLs.
Discount data (read_discounts): Active discount codes, percentage/fixed-amount discounts, and free shipping offers.
Shipping data (read_shipping): Shipping zones, rates, and carrier service configurations.
Theme data (read_themes): Theme file access for structured data analysis (read-only).

We do not request or store write access to your Shopify products. We access only the data necessary to detect conflicts between your Shopify store and your Google Merchant Center account.

1.2 Information Collected Through Google APIs

If you choose to connect your Google Merchant Center account, we collect:

Google OAuth tokens: Access tokens and refresh tokens to maintain your Google connection. These tokens are stored encrypted and are used only to access your Merchant Center data on your behalf.
Merchant Center product data: Product statuses, disapproval reasons, pricing, availability, and diagnostic information from your Google Merchant Center account.
Merchant Center policies: Return policies, shipping settings, and promotion configurations.
Merchant Center account ID: Your Merchant Center account identifier, used to scope data queries to your account.

If you optionally grant Search Console access, we may read your site verification status and indexed page data. This scope is optional and not required for core functionality.

1.3 Information Collected from Your Storefront

StoreSteady crawls your public storefront pages to extract structured data markup, including:

JSON-LD structured data (schema.org Product, Offer, MerchantReturnPolicy, OfferShippingDetails)
Microdata and meta tag content related to product information
Page HTTP status codes to detect broken landing pages

This crawling accesses only publicly available pages on your storefront — the same pages Google's own crawlers visit. We do not access password-protected content or customer-facing account pages.

1.4 Information Collected Directly from You

Shopify shop domain: Your myshopify.com store URL, provided during installation.
Email address: If you contact us for support.

1.5 Automated Logs

We collect standard server logs related to your use of the App, including:

Timestamps of sync operations and audit runs
Error logs when data operations fail
API response metadata (status codes, not response bodies)

We do not track individual page views, clicks, or browsing behavior within the App.

2. How We Use Your Information

We use the information described above for the following purposes:

Conflict detection: Comparing product data across your Shopify store, Google Merchant Center, and storefront markup to identify mismatches, policy gaps, and disapprovals.
Fix generation: Creating recommended fixes for detected issues, including API payloads for Merchant Center updates and theme patches for structured data corrections.
Sync operations: Periodically refreshing your product data to keep your rescue queue current.
Issue tracking: Storing detected issues, their severity, and resolution status so you can track progress.
Service improvement: Analyzing aggregate, anonymized usage patterns (not individual merchant data) to improve conflict detection accuracy.

We do not use your data for advertising, marketing to third parties, or any purpose unrelated to the StoreSteady service.

3. How We Store Your Information

3.1 Data Storage

Your data is stored in a PostgreSQL database hosted by Supabase, with servers located in the United States. All data is encrypted at rest using AES-256 encryption. All data in transit is protected by TLS 1.2 or higher.

3.2 Authentication Credentials

Your Shopify access token and Google OAuth tokens are stored in our database with the same encryption protections as all other data. We never log, display, or expose these tokens in any user-facing interface.

3.3 Session Management

We use a signed HTTP-only cookie (ss_merchant) to maintain your session. This cookie contains only your merchant identifier and an HMAC-SHA256 signature — no personal data, tokens, or sensitive information.

4. Data Sharing

We do not sell, rent, or share your personal or store data with third parties, with the following limited exceptions:

Browserless.io: We use Browserless.io as a page rendering service to crawl JavaScript-heavy storefronts. Browserless receives only the public URL being crawled — no merchant credentials, tokens, or private data. Browserless processes the page and returns rendered HTML to us.
Infrastructure providers: Our hosting providers (Vercel, Supabase) process data as part of delivering the service. They are bound by their own privacy policies and data processing agreements.
Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.

We never share your Shopify product data, Google Merchant Center data, or business metrics with other merchants, competitors, or data brokers.

5. Data Retention

Active merchants: We retain your data for as long as your StoreSteady installation is active.
After uninstallation: When you uninstall StoreSteady, we mark your account as inactive. We delete your product data, crawl results, and detected issues within 30 days of uninstallation. We retain your merchant record (shop domain and timestamps only, no tokens) for 90 days to support reinstallation.
OAuth tokens: Your Shopify access token is revoked by Shopify upon uninstallation. We delete stored Google OAuth tokens within 30 days of uninstallation.
Logs: Automated server logs are retained for 90 days and then deleted.

You may request immediate deletion of all your data at any time (see Section 7).

6. Data Security

We implement the following security measures:

All API communications use HTTPS (TLS 1.2+)
OAuth tokens are stored encrypted at rest
Session cookies are signed with HMAC-SHA256 and marked HttpOnly, Secure, and SameSite=Lax
Shopify webhook payloads are verified using HMAC-SHA256 before processing
Database access is restricted to service-level credentials with row-level security
We request only the minimum Shopify API scopes necessary for the App's functionality

7. Your Rights

You have the following rights regarding your data:

Access: You may request a copy of all data we hold about your store. We will provide this within 30 days of your request.
Correction: You may request correction of any inaccurate data. In practice, data corrections are handled by re-syncing from your source systems (Shopify and Google).
Deletion: You may request deletion of all your data at any time by emailing support@storesteady.com. We will complete deletion within 30 days.
Data portability: You may request an export of your detected issues and audit history in a machine-readable format (JSON).
Restriction: You may request that we stop processing your data while a dispute is being resolved.

To exercise any of these rights, contact us at support@storesteady.com.

8. Shopify Compliance Webhooks

StoreSteady subscribes to Shopify's mandatory compliance webhooks:

customers/data_request: We respond to data access requests. StoreSteady does not store individual customer data — only merchant-level product and configuration data.
customers/redact: We respond to customer data deletion requests. As we do not store customer data, no deletion is required beyond acknowledging the request.
shop/redact: When a merchant requests data deletion or when an uninstalled app's data retention period expires, we delete all associated merchant data from our systems.

9. Google API Services User Data Policy

StoreSteady's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

We access Google user data only for the purposes described in this Privacy Policy.
We do not transfer Google user data to third parties except as necessary to provide the service, as required by law, or with your explicit consent.
We do not use Google user data for advertising.
A human reviews your Google data only when you explicitly request support or troubleshooting.

10. Children's Privacy

StoreSteady is a business-to-business application designed for Shopify merchants. We do not knowingly collect information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

11. International Data Transfers

If you are located outside the United States, your data will be transferred to and processed in the United States. By using StoreSteady, you consent to this transfer. We rely on standard contractual clauses and our infrastructure providers' data processing agreements to safeguard international transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by email. The "Last Updated" date at the top of this page indicates when the policy was last revised.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: support@storesteady.com

Website: https://www.storesteady.com/privacy

Caleb Carter

StoreSteady

Seattle, Washington, United States