Privacy Policy
Last updated: May 28, 2026
Findable for Shopify is operated by Ziguru LLC ("we", "us"). This policy explains what data we collect when you install the app on your Shopify store, why we collect it, who we share it with, how long we keep it, and your rights. Questions: support@usefindable.ai.
What we collect and why
Each row names the data, the purpose, and the legal basis we rely on under GDPR Art. 6.
| Data | Purpose | Legal basis |
|---|---|---|
| Shop domain + Shopify access token (OAuth) | Authenticate the app against your store | Contract performance |
| Product catalog (titles, descriptions, prices, images, tags) | Generate articles that reference your actual products | Contract performance |
| Blog metadata (existing posts, categories) | Publish new articles into the right blog | Contract performance |
| Generated article content + your edits | Show your library in the app dashboard | Contract performance |
| Billing state (Shopify charge ID, tier, status) | Enforce subscription limits via Shopify Billing | Contract performance |
| Product analytics events | Understand which features merchants use | Legitimate interest (product improvement) |
| Error reports (Sentry) | Detect and fix bugs | Legitimate interest |
We do NOT access: orders, customer records, payment data, draft orders, fulfillment data, inventory adjustments. The Shopify scopes we request are limited to what these workflows need.
Where data lives
The Findable for Shopify backend runs at api.contentboo.st on Render. Your shop's access token and generated articles are stored in a PostgreSQL database hosted on Neon (USA region). The public-facing marketing site at usefindable.ai/shopify serves static pages only; it does not have your shop's data.
AI processing
Generating articles sends your store name, product catalog data, and the article topic to AI providers (Anthropic, OpenAI, Perplexity, Google Gemini). We use enterprise / API tiers that do not train on customer inputs:
- Anthropic API: Anthropic does not train on data submitted via the API.
- OpenAI API: OpenAI does not train on API inputs by default.
- Perplexity, Google Gemini: we send only the buyer-intent queries we generate, not your shop credentials or customer data.
We do not train any models ourselves. We do not sell merchant data to anyone, ever, for any purpose.
Sub-processors
| Service | What it does | Data location |
|---|---|---|
| Shopify | App platform, OAuth, Admin API, Billing | USA + global edge |
| Render | Backend hosting (api.contentboo.st) | USA |
| Neon | PostgreSQL database hosting | USA |
| Cloudflare R2 | Image storage for article assets | USA + global edge |
| Anthropic, OpenAI | AI for article generation | USA |
| Perplexity, Google Gemini | AI engines for buyer-intent research | USA |
| Firecrawl, Jina, Serper | Competitor and source research | USA |
| Sentry | Error monitoring | USA |
| PostHog | Product analytics | USA |
| Resend | Transactional email | USA |
Retention
- Shop access tokens: until you uninstall, then deleted within 48 hours per Shopify GDPR policy.
- Generated articles: yours forever. They stay on your Shopify blog after uninstall.
- Catalog snapshots: most recent only; replaced on every catalog read.
- Billing records: 7 years (tax and accounting requirements).
- Product analytics: 12 months in PostHog, then aggregated.
- Error reports: 90 days in Sentry.
GDPR webhooks
We handle Shopify's mandatory GDPR webhooks:
- customers/data_request: because we don't hold customer-level data by default, the normal response is a confirmation that no records exist. If any customer-tied data is found, we compile it and email the shop owner within 30 days.
- customers/redact: we purge any customer-related data we hold (we don't hold customer data by default; this is enforced as a safety net).
- shop/redact: 48 hours after uninstall, Shopify fires this and we delete all data associated with the shop.
International transfers
All sub-processors above are in the USA or operate global edge networks that include the US. For merchants in the EU, UK, or other jurisdictions with cross-border transfer rules, we rely on Standard Contractual Clauses (SCCs) with each sub-processor where adequacy decisions don't apply, and the EU-US Data Privacy Framework where the sub-processor self-certifies. SCC copies available on request.
Your rights
If GDPR, UK GDPR, CCPA, or LGPD applies, you have the right to:
- Access the data we hold about your shop.
- Rectify anything that's wrong.
- Delete by uninstalling the app; the GDPR webhook chain removes data within 48 hours.
- Port generated articles by exporting from your Shopify blog.
- Restrict or object to processing based on legitimate interest.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email support@usefindable.ai with the request and your shop domain. We respond within 30 days.
Security
All data is transmitted over HTTPS. Shopify access tokens are encrypted at rest. We never see your Shopify password (Shopify handles that). Payment is handled by Shopify Billing; we never see card details. Database access is restricted to our backend services and is audited.
Children
Findable for Shopify is intended for merchants and is not directed at children under 16.
Changes to this policy
When we change this policy materially, we update the "Last updated" date and notify shop owners via the email on the Shopify Partner account.
Contact
Privacy questions or rights requests: support@usefindable.ai. Ziguru LLC, 1021 E Lincolnway, Cheyenne, WY 82001, USA.