Privacy Policy
Last updated: June 20, 2026
Profit Agent ("we", "us", or "our") is an embedded Shopify application that provides store analytics, catalog recommendations, product optimization and SEO/GEO suggestions, AI-assisted content drafts, operational insights, optional abandoned cart recovery, and campaign link tracking.
This Privacy Policy explains how we collect, use, store, share, and protect information when you install and use Profit Agent. It applies to merchants who install the app and describes our processing of Shopify store data you authorize through OAuth scopes.
We do not sell personal data. We do not provide merchant or customer data to advertisers for advertising purposes. We process data only to provide, maintain, improve, secure, and support the service.
By installing or using Profit Agent, you acknowledge that you have read this Privacy Policy. If you do not agree, please uninstall the app and contact us at contact@profit-agent.app.
1. Introduction
Profit Agent runs inside your Shopify Admin as an embedded application. We access Shopify data only through the permissions (OAuth scopes) you grant during installation or re-authorization.
When you use Profit Agent with your Shopify store, you are generally the data controller for your customers' personal data under applicable privacy laws. Profit Agent acts as a data processor on your behalf for app features that process customer-related data (such as abandoned cart recovery). For data about your shop account, billing, and direct communications with us, we may act as an independent controller.
This policy describes our actual practices based on how Profit Agent is built today. It should be read together with our Terms of Service at https://profit-agent.app/terms and Shopify's own privacy documentation for the Shopify platform.
2. Information We Collect
We collect and process the following categories of information:
- Shop and account data: Shopify shop domain, internal shop identifier, installed scopes, subscription plan, billing status, usage counters (actions, cart recovery messages, AI credits), preferred admin locale, product content locale, currency code, installation and uninstallation timestamps, and encrypted OAuth access tokens.
- Catalog and inventory data: product and variant identifiers, titles, descriptions, product types, handles, tags, collection titles, SEO title and description, media references, inventory levels, costs where available, storefront URLs, and audit content signals derived from catalog data.
- Order and sales data: aggregated order line snapshots (Shopify order and line item IDs, product/variant IDs, quantity, revenue, order date). We do not store customer names in order line snapshots. When available from Shopify, we may store UTM attribution fields and referrer/landing page metadata linked to orders for campaign reporting.
- Abandoned checkout data: Shopify abandoned checkout ID, recovery URL, cart line items, total amount, currency, and customer contact fields (email, phone, display name, locale) only when made available through Shopify and only when you use cart recovery features.
- App activity data: recommendations, action drafts, approval/rejection decisions, measured outcomes, shop learning signals, bundle pairing insights (when enabled), analysis run metadata, and campaign link definitions with click counts.
- Billing data: Shopify subscription identifier, plan changes, renewal events, amounts, currency, and webhook payload hashes received from Shopify Billing.
- AI usage metadata: shop-level records of AI credit consumption, model usage counts, and cache hits.
- Feedback and support: optional messages, ratings, categories, page path, locale, and browser user agent when you submit in-app feedback or contact support.
- Technical data: structured server logs (timestamps, shop domain or shop ID, correlation IDs, error codes, webhook topics); httpOnly session and locale cookies in the embedded app; optional browser localStorage/sessionStorage for non-sensitive UX state (onboarding, billing return paths). We do not use third-party advertising or analytics cookies.
3. Data We Receive From Shopify
Profit Agent receives data from Shopify through the Shopify Admin API, OAuth, App Bridge session authentication, and Shopify webhooks subscribed when you install the app.
Authorized OAuth scopes include:
- read_products, write_products — read and update catalog data when you approve draft actions.
- read_orders — read aggregated order data for analytics, recommendations, and outcome measurement.
- read_inventory, write_inventory — read stock levels and apply inventory-related actions you approve.
- write_discounts — create discount codes and promotions you approve.
We receive only the data permitted by scopes you grant. Shopify webhooks processed by Profit Agent include: app/uninstalled; customers/data_request; customers/redact; shop/redact; app_subscriptions/update; products/create, products/update, products/delete; and optionally orders/create and orders/updated when enabled and approved in Shopify Partners.
We do not access Shopify data beyond what is necessary for the features you use and the permissions you grant.
4. How We Use Information
We use the information described above solely to:
- Provide, operate, and secure the embedded Profit Agent application.
- Analyze catalog and sales patterns to generate informational recommendations and operational insights.
- Prepare draft catalog changes (pricing, discounts, bundles, inventory alerts, product content, SEO/GEO fields) for your review before anything is applied in Shopify.
- Measure post-action outcomes using your store's order data as observational indicators.
- Run optional abandoned cart recovery when you explicitly initiate it.
- Generate campaign short links and attribute orders when UTM or referrer data is available.
- Process Shopify Billing subscriptions, enforce plan quotas, and maintain billing records.
- Operate AI-assisted features when you explicitly trigger them, using merchant-authorized store data and optional inputs you provide.
- Respond to support requests, improve reliability, detect abuse, and comply with legal and Shopify platform obligations.
We do not sell personal data. We do not use your data for third-party advertising. We do not use your data to train general-purpose AI models for unrelated products.
5. AI and Automated Processing
Some features use automated rules and, when enabled and triggered by you, third-party AI services (such as OpenAI-compatible APIs) to suggest product descriptions, SEO/meta fields, FAQs, bundle pairings, and similar content.
AI outputs are generated from your Shopify catalog data, audit signals, and optional merchant inputs you provide. Suggestions are informational only. You must review, verify, and edit all AI-generated or automated content before applying it in Shopify or publishing it to customers. You remain solely responsible for published content and business decisions.
We apply technical safeguards including input validation, quality checks, rate limits, monthly AI credit quotas per plan, and server-side cost controls. We do not guarantee that AI output is accurate, complete, current, legally compliant, or suitable for your market.
AI requests you trigger may be sent to our AI subprocessors with data minimization. Cached AI responses may be reused for identical requests; explicit regeneration bypasses cache and consumes credits as described in-app.
6. Legal Bases for Processing (GDPR)
Where the UK GDPR or EU GDPR applies, we rely on the following legal bases depending on the processing activity:
- Performance of a contract (Article 6(1)(b)): providing Profit Agent features you request by installing and using the app.
- Legitimate interests (Article 6(1)(f)): securing the service, preventing abuse, improving reliability, and measuring feature usage — balanced against your rights.
- Legal obligation (Article 6(1)(c)): responding to lawful requests and mandatory Shopify compliance webhooks.
- Your instructions as controller: processing end-customer data for cart recovery and catalog actions you approve.
Where consent is required under applicable law, you are responsible for obtaining valid customer consent before using features that contact customers (such as cart recovery emails).
7. Data Sharing and Service Providers
We share information only as necessary to operate Profit Agent:
- Shopify: authentication, API access, applying approved store changes, billing, and compliance webhooks.
- Cloud hosting and database providers: application hosting, encrypted storage, and backups.
- AI service providers (when you trigger AI features): processing specific generation requests under contractual confidentiality and data minimization.
- Email infrastructure (if configured for cart recovery): delivering recovery messages you initiate.
- Professional advisers or authorities: when required by law or to protect rights, safety, and security.
We do not sell or rent personal data. We do not share merchant or customer data with advertisers. A list of subprocessors may be provided on request — For support, privacy requests, GDPR requests, legal inquiries, or data deletion requests, contact contact@profit-agent.app.
8. Shopify Data and Merchant Data
You retain ownership of your Shopify store content and data. You grant Profit Agent a limited license to access and process your Shopify data solely to provide the service while the app is installed and authorized.
For your customers' personal data, you remain the controller under GDPR and similar laws. Profit Agent processes such data only on your instructions and for the features you enable (for example, storing checkout contact details for abandoned cart recovery you initiate), under our Data Processing Agreement (DPA): https://profit-agent.app/dpa.
Merchant staff using the embedded app authenticate through Shopify. We do not operate a separate merchant password system. Support communications you send to us may be retained to resolve your request.
9. Data Retention
We retain data only as long as needed for the purposes above or as required by law:
- Order line snapshots: 90 days, then deleted automatically.
- Closed abandoned checkout records (recovery sent, dismissed, or completed): 12 months, then deleted automatically.
- OAuth access tokens: until app uninstallation, then revoked (app/uninstalled webhook).
- Full shop data: retained while installed; deleted after Shopify sends shop/redact following uninstall (typically ~48 hours per Shopify requirements).
- Billing and audit records: retained as needed for accounting, dispute resolution, and legal compliance.
- Webhook processing logs: deleted with shop erasure.
Retention schedules may be updated; material changes will be reflected in this policy.
10. Data Security
We implement technical and organizational measures appropriate to the risk, including:
- HTTPS encryption for data in transit.
- Encrypted storage of Shopify OAuth access tokens at rest (AES-256-GCM).
- Tenant isolation by shop identifier.
- Access controls and structured logging for security monitoring and incident diagnosis.
- HMAC verification of Shopify webhooks.
No method of transmission or storage is completely secure. You are responsible for securing your Shopify admin accounts, staff permissions, and reviewing all draft actions before approval.
11. Security Incident Response
We maintain a written security incident response policy for events that may affect personal data we process on your behalf (such as unauthorized access, data exposure, or loss of confidentiality).
Our policy defines:
- Severity levels and response time targets.
- Roles and responsibilities for detection, containment, investigation, and remediation.
- Evidence preservation (structured logs without customer PII, webhook and GDPR audit metadata).
- Notification criteria for affected merchants, Shopify, and supervisory authorities where required by law (typically within 72 hours of confirming a personal data breach under GDPR).
- Post-incident review and preventive improvements.
If you believe a security incident involving Profit Agent has affected your store or customer data, contact us immediately at contact@profit-agent.app with the subject line "SECURITY INCIDENT" and include your shop domain, a description of what you observed, and relevant timestamps.
Technical details of our procedures are documented internally and aligned with Shopify protected customer data requirements.
12. International Transfers
Your data may be processed in countries other than your own, including outside the EEA and UK. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms approved under applicable data protection law.
Shopify also processes data globally under its own terms and data protection mechanisms.
13. Merchant Rights
Depending on your location, you may have rights regarding personal data we process about you or your shop account, including access, correction, deletion, restriction, objection, and data portability where applicable.
To exercise rights relating to data we control directly (such as support messages or shop account metadata), For support, privacy requests, GDPR requests, legal inquiries, or data deletion requests, contact contact@profit-agent.app. We respond within timelines required by applicable law.
For personal data about your customers, you are generally the controller. Customer requests may need to be handled by you first; we assist as processor where applicable.
14. GDPR / EEA Rights
If you or your customers are in the EEA or UK:
- You may lodge a complaint with your local supervisory authority.
- You may request access, rectification, erasure, restriction, objection, and data portability where applicable.
- We support Shopify mandatory GDPR webhooks (Section 16) to help you respond to customer requests.
- For support, privacy requests, GDPR requests, legal inquiries, or data deletion requests, contact contact@profit-agent.app.
Recommendations and AI suggestions require your review and approval before affecting your storefront. We do not make solely automated decisions producing legal or similarly significant effects without appropriate safeguards.
15. California Privacy Rights
If you are a California resident, the CCPA/CPRA may provide additional rights regarding personal information.
Profit Agent does not sell or share personal information for cross-context behavioral advertising.
California residents may request to know, access, correct, or delete personal information we hold about them as a merchant contact, subject to applicable exceptions. For support, privacy requests, GDPR requests, legal inquiries, or data deletion requests, contact contact@profit-agent.app.
For your store's customers, you are the business/controller; customer rights requests should generally be directed to you, and we assist via Shopify GDPR webhooks as processor.
16. Shopify GDPR Webhooks
Profit Agent implements Shopify mandatory compliance webhooks:
- customers/data_request: we log and report categories of customer-related data we hold for your shop (abandoned checkout contact fields matching the customer email; order line snapshots for specified order IDs).
- customers/redact: we delete or anonymize customer contact fields in abandoned checkout records and delete order line snapshots linked to specified orders.
- shop/redact: we delete your shop record and associated data from our systems (cascade deletion of shop-linked tables and webhook audit entries).
- app/uninstalled: we revoke OAuth tokens, clear scopes, and mark the shop uninstalled. Full erasure follows shop/redact.
These processes are implemented in our shop data lifecycle service (see technical documentation).
17. Children's Privacy
Profit Agent is a business application for Shopify merchants and is not directed to children under 16 (or the applicable age in your jurisdiction). We do not knowingly collect personal data from children. For support, privacy requests, GDPR requests, legal inquiries, or data deletion requests, contact contact@profit-agent.app.
18. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or product features. We will post the revised version on this page and update the "Last updated" date. Material changes may also be communicated through the app or our Shopify App Store listing where appropriate.
19. Contact Information
For support, privacy requests, GDPR requests, legal inquiries, or data deletion requests, contact contact@profit-agent.app.
You may also use our contact form at https://profit-agent.app/contact.
Terms of Service: https://profit-agent.app/terms