Privacy Policy

Last updated: April 6, 2026

Complyo ("we", "us") is a Shopify application that scans e-commerce stores for EU AI Act and Cyber Resilience Act compliance. This policy explains how we collect, use, and protect your data.

1. Data We Collect

When you install and use Complyo, we access the following data from your Shopify store:

• Store information — shop name, domain, email, country, Shopify plan
• Product data — titles, descriptions, tags, images, metafields (read-only)
• Page content — titles and body content of your store pages
• Store policies — privacy policy, terms of service, refund and shipping policies

We do not collect customer data, order data, payment information, or personal data of your customers.

2. How We Use Your Data

Your store data is used exclusively for:

• Compliance scanning — analyzing your products, pages, and policies for EU AI Act and CRA violations
• AI analysis — sending anonymized, PII-stripped store content to Google Gemini API for compliance assessment
• Report generation — creating PDF compliance audit reports
• Email notifications — sending scan results to your configured email address

3. AI Processing

We use Google Gemini 2.0 Flash to analyze your store content for compliance issues. Before sending data to Gemini:

• All customer email addresses are redacted
• Phone numbers and physical addresses are removed
• Credit card numbers are stripped
• Content is truncated to relevant sections only

Google's Gemini API processes data per their terms of service. We use the API in a configuration where prompts and responses are not used for model training.

4. Data Storage

• Location — all data is stored on servers in the European Union (Amsterdam, Netherlands)
• Scan results — compliance issues and scores are stored in our PostgreSQL database
• Retention — scan logs are automatically deleted after 90 days. Failed scans are deleted after 30 days
• Raw store data — is processed during the scan and not persisted after the scan completes

5. Data Sharing

We do not sell, rent, or share your data with third parties except:

• Google Gemini API — for AI compliance analysis (anonymized data only)
• Resend — for transactional email delivery (your notification email address only)
• Law enforcement — if required by applicable law

6. Shopify Access

Complyo requests the following Shopify permissions:

• read_products — to analyze product descriptions and metadata
• read_content — to read store pages and blog posts
• read_themes — to assess storefront transparency
• write_products — to apply auto-fixes (Business plan, with your explicit approval)
• read_shop — to retrieve store information and policies

We use offline access tokens stored securely via Shopify's session storage framework. Access tokens are never logged or exposed.

7. Security

• All connections use HTTPS/TLS encryption
• Database access is restricted and credentials are environment-variable based
• Webhook payloads are verified using Shopify's HMAC validation
• Server firewall allows only SSH, HTTP, and HTTPS traffic
• Daily encrypted database backups with 30-day retention

8. GDPR Compliance

We comply with the EU General Data Protection Regulation:

• Data access — request an export of your data at any time
• Data deletion — uninstalling the app triggers automatic deletion of your store data. You can also request manual deletion
• Data portability — PDF reports serve as portable compliance records
• GDPR webhooks — we handle Shopify's mandatory GDPR webhooks (customer data request, customer redaction, shop redaction)

9. Data Retention on Uninstall

When you uninstall Complyo:

• Your store is marked as uninstalled in our database
• Active sessions are terminated
• Scan data is retained for 30 days (in case you reinstall), then permanently deleted
• You can request immediate deletion by contacting us

10. Children's Privacy

Complyo is a business tool for Shopify merchants. We do not knowingly collect data from children under 16.

11. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via email or in-app notification. Continued use of Complyo after changes constitutes acceptance.

12. Contact

For privacy-related questions or data requests:

• Email: privacy@usecomplyo.com