Privacy Policy

This Privacy Policy describes how PreFlight ("we", "us", or "our") collects, uses, and handles information when you use our Shopify application and website at https://preflight-t6rf.polsia.app (the "Service").

1. What We Collect

1.1 Shopify Merchant Data

When you install PreFlight from the Shopify App Store, we receive and store:

• Shop domain — your .myshopify.com store domain
• Access token — a Shopify API access token used to read theme and product data, stored encrypted using AES-256-GCM encryption
• Granted scopes — the permission scopes you authorized (read_themes, read_products)

We do not collect or store customer names, email addresses, payment information, order data, or any personal data belonging to your store's customers.

1.2 Storefront Scan Data

When PreFlight scans a storefront, we store:

• The store URL scanned
• The health score result (0–100)
• The number and types of issues detected
• The full JSON diagnostic report
• The timestamp of the scan

Scan results are keyed by store URL only. No customer identity or personal data is stored in scan history.

1.3 Website Analytics

When you visit our website, we collect anonymized pageview data including:

• Page URL visited
• HTTP referrer (the page you came from)
• UTM campaign parameters (if present)
• A hashed, non-reversible representation of your IP address (SHA-256 HMAC) — the raw IP is never stored
• Browser user-agent string

We do not use cookies for tracking and do not share this data with third parties.

1.4 Waitlist / Early Access

If you submit your email address on our website to join the waitlist, we store your email address and any optional name provided. This is used only to notify you when PreFlight reaches general availability. We will not send unsolicited marketing emails.

2. How We Use Your Data

We use collected data to:

• Provide the PreFlight diagnostic service (scanning storefronts, returning health reports)
• Authenticate API calls to your Shopify store on your behalf
• Maintain and improve the Service
• Understand aggregate usage patterns (anonymized analytics)
• Respond to your support requests

3. Data Retention

• Access tokens — retained while your app is installed. Wiped when you uninstall PreFlight from your Shopify admin (see GDPR Webhook handling below).
• Scan history — retained indefinitely for service improvement. Contains no personal data.
• Pageview analytics — retained for 90 days.
• Waitlist emails — retained until you request deletion or the waitlist program ends.

4. Shopify GDPR Compliance

PreFlight implements all three mandatory Shopify GDPR webhook endpoints:

• Customer Data Request (/webhooks/shopify/customers/data_request) — PreFlight stores no personal data about your store's customers. When this webhook fires, we return an empty dataset, which is the correct and complete response.
• Customer Redact (/webhooks/shopify/customers/redact) — As above, no customer PII is held. We log the request for audit purposes and return 200.
• Shop Redact (/webhooks/shopify/shop/redact) — Fired 48 hours after you uninstall the app. We permanently delete your encrypted access token and all merchant-specific data from our database.

All webhook requests are HMAC-verified using your Shopify app secret before processing. GDPR webhook requests are logged to an internal audit table.

5. Data Security

• All Shopify access tokens are stored encrypted using AES-256-GCM with a random IV per token.
• All connections to our service use TLS (HTTPS).
• Database access is restricted to our application server only.
• We do not sell, rent, or share your data with third parties.

6. Third-Party Services

We use the following infrastructure providers:

• Render.com — application hosting (US-based servers)
• Neon — PostgreSQL database (US-based, encrypted at rest)

Each provider's privacy practices are governed by their own privacy policies. We do not use third-party analytics services (no Google Analytics, Mixpanel, etc.).

7. Your Rights

You have the right to:

• Access — request a copy of data we hold about your store
• Deletion — request deletion of your store's data (or simply uninstall the app — deletion is automatic 48h after uninstall)
• Correction — request correction of inaccurate data
• Portability — receive your data in a machine-readable format

To exercise any of these rights, contact us at preflight@polsia.app. We will respond within 30 days.

8. Children's Privacy

PreFlight is a B2B developer tool and is not directed to anyone under the age of 18. We do not knowingly collect personal information from minors.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the revised policy.

10. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

• Email: preflight@polsia.app
• Website: https://preflight-t6rf.polsia.app