Privacy Policy

Effective date: March 25, 2026

Last updated: March 25, 2026

ShipRules AI ("we", "us", "our") is committed to protecting the privacy of merchants who use our Shopify application. This policy explains what data we collect, how we use it, and your rights regarding that data.

What data we collect

Shop configuration data

When you install ShipRules AI, we store your Shopify shop domain, encrypted access token, and basic shop metadata (name, currency, timezone). This is required to authenticate API calls and provide the service.

Shipping configuration

All shipping zones, methods, rules, conditions, product groups, and related settings you create or import through ShipRules AI are stored in our database. This is the core data that powers your shipping rates.

Product data

We read product titles, tags, vendors, SKUs, weights, and prices from your Shopify store. This data is used to assign products to groups and evaluate rules during rate calculation. We do not modify your product data.

Checkout request data

When Shopify sends a rate request to our carrier service, the request contains cart contents (variant IDs, quantities, weights) and destination address (country, province, city, postal code). We process this data in real time to calculate shipping rates. Rate requests are not stored beyond transient processing logs that are purged within 7 days.

Shadow mode data

When shadow mode is active, we store checkout request payloads (cart contents and destination addresses) alongside the calculated live and staged rates. This data is used to compare how proposed rule changes would affect real checkouts. Shadow mode data is automatically purged 30 days after the associated staged changeset is promoted or discarded.

Version history

Every change to your shipping configuration creates a versioned snapshot. Snapshots contain the full configuration state at that point in time. Version history is retained according to your plan's retention period (7 days for Starter, 90 days for Pro, 365 days for Enterprise). Expired versions are compacted — the configuration diff is preserved but the full snapshot is removed.

Usage and billing data

We track feature usage counts (AI prompts used, methods created, API calls made) to enforce plan limits and for billing purposes.

What data we do not collect

  • We do not collect customer personal information (names, email addresses, phone numbers, payment details)
  • We do not access order data, customer accounts, or store analytics
  • We do not use tracking pixels, advertising cookies, or third-party analytics on our app pages within Shopify Admin

How data is stored

All data is stored in PostgreSQL databases hosted on Neon (Cloudflare-connected) infrastructure. Databases are encrypted at rest and all connections use TLS encryption in transit.

Shopify access tokens are stored encrypted using AES-256. Tokens are only decrypted at runtime to make authenticated API calls to your store.

Application servers run on Cloudflare Workers in regions selected for proximity to Shopify's infrastructure. No data is transferred to third parties for storage or processing.

AI processing

When you use the AI prompt box, your prompt text and current shipping configuration context are sent to our AI provider (Anthropic Claude) to generate rule suggestions. The AI provider does not store your data beyond the duration of the request. No customer data, order data, or personally identifiable information is included in AI prompts.

Data retention

Data type Retention
Shop configuration Duration of installation
Shipping configuration Duration of installation
Product group assignments Duration of installation
Version snapshots Per plan (7 / 90 days / full history)
Shadow mode results 30 days after changeset resolution
Rate request logs 7 days
Usage metrics 90 days rolling

Data deletion

On uninstall

When you uninstall ShipRules AI, we receive the app/uninstalled webhook from Shopify. Within 48 hours of uninstallation, we permanently delete:

  • Your encrypted access token
  • All shipping configuration (zones, methods, rules, conditions, product groups)
  • All version history snapshots
  • All shadow mode results
  • All API keys
  • All usage metrics
  • Your shop record

This deletion is irreversible. If you reinstall the app, you start with a clean configuration.

On request

You can request full data deletion at any time by emailing [email protected]. We will process deletion requests within 30 days.

GDPR compliance

ShipRules AI complies with the EU General Data Protection Regulation (GDPR) and supports all mandatory Shopify compliance webhooks:

Customer data request

When a customer requests their personal data (via Shopify's customers/data_request webhook), we search our shadow mode results for any checkout data that may contain the customer's destination address and return it to the merchant for inclusion in the data export.

Customer data erasure

When a customer requests erasure of their data (via Shopify's customers/redact webhook), we remove any shadow mode results that contain checkout data associated with the requesting customer's shop.

Shop data erasure

When a shop requests full data erasure (via Shopify's shop/redact webhook), we perform a complete deletion of all data associated with that shop, equivalent to the uninstall process described above.

Data export

Merchants can export their full shipping configuration at any time through the app's Settings page (available on Pro and Enterprise plans). The export includes all zones, methods, rules, conditions, and product groups in JSON format.

Note: ShipRules AI acts as a data processor on behalf of the merchant (data controller). We process store and checkout data solely to provide the shipping rate calculation service.

Data sharing

We do not sell, rent, or share your data with third parties. Data is only shared with:

  • Shopify — via the carrier service callback (shipping rates returned to Shopify checkout)
  • Anthropic — AI prompt text and configuration context for rule generation (no customer data, no PII)
  • Cloudflare / Neon — infrastructure providers (data encrypted at rest and in transit)

No data is used for advertising, profiling, or purposes unrelated to providing the ShipRules AI service.

Security

  • All data encrypted at rest (AES-256)
  • All connections encrypted in transit (TLS 1.2+)
  • Access tokens encrypted with application-level encryption
  • API keys are hashed — we store only the hash, not the plaintext key
  • Role-based access controls on all infrastructure
  • Regular security updates and dependency audits

Changes to this policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of ShipRules AI after changes constitutes acceptance of the updated policy.

Contact

For questions about this privacy policy, data requests, or any privacy concerns:

Email: [email protected]
Documentation: https://docs.shiprules.ai