Legal

Privacy Policy

Effective May 5, 2026. This policy explains what data Agentic Shelf collects, how we use it, who we share it with, and how you can exercise your rights. It’s written to match the system as it actually works — if you find a claim that doesn’t match the product, email us at privacy@agenticshelf.ai and we’ll reconcile within 10 business days.

1. Who we are

Agentic Shelf operates the service at www.agenticshelf.ai, the API at api.agenticshelf.ai, and per-tenant MCP endpoints at api.agenticshelf.ai/m/{slug}/mcp. We are the data controller for merchant account data and the data processor for any data we handle on behalf of merchants on their shoppers’ behalf.

2. Shopify integration

When you install the Agentic Shelf app from the Shopify App Store, we authenticate via Shopify OAuth and request only the minimum scopes needed to deliver the service:

• read_products — required to read your product catalog (titles, descriptions, tags, handles, images, prices) so agents calling your MCP endpoint can answer shopper questions accurately and so we can audit how AI assistants currently represent your store.
• read_inventory — required to expose live availability through the MCP check_stock tool so agents don’t hallucinate stock levels.

We do not request and have never requested scopes that grant access to orders, customers, draft orders, fulfillments, discounts, gift cards, payment terms, or financial data. As a result, Agentic Shelf cannot read shopper personal data through Shopify even if asked to. If a future feature requires an additional scope, you’ll be prompted to re-authorize and this policy will be updated before that feature ships.

Mandatory privacy webhooks

We register and respond to Shopify’s three GDPR-mandatory webhooks. Because our scopes do not give us access to customer personal data, the customer-facing webhooks are mostly no-ops, but we handle each on receipt:

• customers/data_request — we acknowledge, cross-check our logs for any data tied to the customer ID (we do not store any), and respond to the merchant within 30 days.
• customers/redact — same as above. We confirm we hold no data tied to that customer; if any was inadvertently captured (e.g. through anonymised agent-traffic logs), we delete it within 30 days.
• shop/redact — we delete the merchant’s account, OAuth token, audit history, agent-traffic logs, and cached catalog within 30 days of receipt.

Uninstall

When you uninstall the app, Shopify revokes our OAuth token immediately. Within 30 days we receive the shop/redact webhook and delete all merchant-tied data as described above. You can also email privacy@agenticshelf.ai to request immediate deletion.

3. Data we collect

From merchants (our direct users)

• Account identifiers: email address, Firebase UID, and the display name you provide when you sign in.
• Shopify integration credentials: the OAuth offline access token issued by Shopify, scoped as described in section 2, stored encrypted at rest in Google Cloud Secret Manager. We never log raw token values.
• Merchant-entered configuration: competitor names, custom audit queries, weight preferences, and selected product SKUs you choose to audit.
• Billing data: we use Stripe and Shopify Managed Pricing for payments. Stripe receives payment-method data directly from you; we receive only a customer ID and billing status. We do not store credit card numbers.

From your store (merchant-approved)

• Product catalog metadata: titles, descriptions, tags, handles, SKUs, prices, and inventory levels. Fetched on demand to run audits and serve MCP tool calls; cached briefly for performance.
• We do not collect order data, customer data, cart contents, shopper identity, payment data, or any field outside the scopes listed in section 2.

From AI agents calling your MCP endpoint

• Request metadata for analytics: timestamp, HTTP method, tool name (e.g. check_stock), user-agent string (e.g. ChatGPT-User), and an anonymised IP prefix (IPv4 /24 or IPv6 /48). The full IP address never leaves our edge proxy; only the anonymised prefix is stored.
• Country/region: inferred from Cloud Run’s edge headers, not from cookies or fingerprinting.
• Session discriminator: a SHA-256 hash of (anonymised IP + user-agent + a rotating salt), truncated to 12 hexadecimal characters. Lets us count unique callers per week without storing PII.

4. How we use this data

• To run the citation audits, product-selection workflows, and MCP tool calls you configure.
• To show you aggregate analytics (agent traffic by country, per-LLM citation trends, Query Library trends).
• To operate, secure, and improve the service — debugging, fraud prevention, and performance monitoring.
• To communicate with you about account, billing, and material product changes.

We do not use your data to train machine-learning models. We do not sell your data. We do not share your data with third-party advertisers.

5. Subprocessors

We rely on a small number of subprocessors to operate the service. Each is listed below with the data category they handle and a link to their own privacy policy. We update this list before adding any new subprocessor that handles merchant data.

• Shopify Inc. — the platform you connect from. Handles OAuth, billing (Managed Pricing), and the underlying store data we read. Shopify privacy policy.
• Google LLC (Google Cloud Platform). Hosts our services in us-central1: Cloud Run (API + dashboard), Firestore (audit history), Secret Manager (tenant tokens), Cloud Storage (audit report exports). Google Cloud privacy notice.
• Google LLC (Firebase Authentication). Handles merchant sign-in and session tokens. Firebase privacy and security.
• Stripe, Inc. Processes card payments for any plan charges that don’t flow through Shopify Managed Pricing. We never see raw card data. Stripe privacy policy.
• OpenAI, Anthropic, Google (Gemini), Perplexity. When you run an audit, the shopping prompts you select are sent to these LLM APIs server-to-server with our API keys; each provider receives only the prompt + system context and returns a response. Privacy policies: OpenAI, Anthropic, Google, Perplexity.

6. Where your data lives

• Primary infrastructure: Google Cloud Platform, region us-central1.
• Encryption: at rest via Google Cloud’s default encryption (AES-256). In transit via TLS 1.2 or higher with a valid certificate on every Agentic Shelf domain.
• Authentication: Firebase Authentication for merchants; Shopify OAuth for app installation; session tokens for in-product API calls.

7. International data transfers

Our primary infrastructure is in the United States. If you access the service from the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction with cross-border data restrictions, your data is transferred to the United States. We rely on the Standard Contractual Clauses (2021/914 module 2) and, where applicable, the UK International Data Transfer Addendum to authorise those transfers. A copy of the executed clauses is available to enterprise merchants on request.

8. Retention

• Merchant account data: retained while your account is active. Deleted within 30 days of uninstall, account closure, or receipt of Shopify’s shop/redact webhook.
• Audit history: retained while your account is active; downloadable via CSV export at any time.
• Agent traffic logs: 90-day rolling window, then aggregated to daily totals without raw logs.
• Backups: Firestore point-in-time backups roll off within 35 days. Deletion requests propagate to backups within that window.

9. Your rights

You can request access to, correction of, or deletion of your personal data by emailing privacy@agenticshelf.ai. We respond within 30 days (typically within 5 business days). If we deny the request, we’ll explain why and how to appeal.

If you are in the European Economic Area, the United Kingdom, or California, you have additional rights under GDPR, UK-GDPR, or CCPA — including the right to access, rectify, erase, restrict processing of, port, or object to processing of your personal data, and the right to withdraw consent. California residents have the right to opt out of the “sale” or “sharing” of personal information; we don’t sell or share data, so the opt-out is automatic. You may also lodge a complaint with your local supervisory authority.

10. Cookies & analytics

The marketing site (www.agenticshelf.ai) sets only the minimum cookies required for navigation and theme preference. We do not run third-party advertising trackers, fingerprinting scripts, or cross-site tracking pixels. The signed-in dashboard uses Firebase Authentication session cookies and a small number of first-party functional cookies (e.g. last-viewed merchant slug); none are used for advertising.

Server-side analytics use only the anonymised request metadata described in section 3 (no full IPs, no user-level identifiers, no cross-site joins). We honour the Global Privacy Control (Sec-GPC: 1) header and Do Not Track signals where the browser sends them.

11. Security & vulnerability disclosure

We take security seriously. If you believe you’ve found a vulnerability in any Agentic Shelf surface (marketing site, API, dashboard, MCP endpoint, OAuth flow), please email security@agenticshelf.ai with reproduction steps. We acknowledge reports within 2 business days and aim to remediate critical issues within 30 days. We commit to good-faith handling: no legal action against researchers who report responsibly and avoid privacy violations or service disruption while testing.

12. Data Processing Agreement

Merchants subject to GDPR, UK-GDPR, or comparable regimes can execute a Data Processing Agreement (DPA) with us. The DPA incorporates the EU Standard Contractual Clauses and lists our subprocessors as named in section 5. Email privacy@agenticshelf.ai to request a copy.

13. Children

Agentic Shelf is a B2B service sold to merchants. We do not knowingly collect data from anyone under 16. If you believe a child’s data has reached us in error, email privacy@agenticshelf.ai and we’ll delete it.

14. Changes

If we make a material change to this policy, we’ll notify active merchants by email at least 14 days before the change takes effect and update the “Effective” date above. Non-material changes (typos, link updates) will be made without notice.

15. Contact

Questions, data-subject requests, or concerns: privacy@agenticshelf.ai. Security reports: security@agenticshelf.ai.