Privacy Policy.

Effective May 5, 2026 · Last updated May 13, 2026

Who we are

StoreAudit is operated by Karim Abd Al Fatah (BeSpark), Victoria, British Columbia, Canada. You can reach us at karim@storeaudit.app for any privacy-related questions.

What we collect and why

Information you give us

  • Your store URL. You submit a Shopify store URL to use our service. We use this URL to crawl publicly accessible pages of your store and generate your AI-readiness score.
  • Your email address. We use this to send login codes, save scans to your dashboard, deliver scan-completion emails you request, send Full AI Audit receipts and reports, and respond to support requests. If you join an early-access or waitlist form, we may also use that email for the product updates you signed up to receive.
  • Account and purchase details. If you create a passwordless account, we store the email address for that account, saved scan ownership, invite-credit state, and any active Scan Pass expiry. If you buy a Full AI Audit or Scan Pass, we store payment status, amount charged, Stripe payment identifiers, customer email, and Stripe checkout/webhook records that may include payer or billing details returned by Stripe.
  • Support messages. If you email us, we keep the information you send so we can investigate the issue and reply.

Information collected automatically

  • IP address and request metadata. Collected automatically on each request. Used for rate limiting, security logging, abuse prevention, and basic operations.
  • Essential cookies. StoreAudit uses session cookies to keep scan submissions, login state, CSRF protection, invite redemption, and dashboard access working.
  • Analytics data. In production, we use Google Analytics and Microsoft Clarity to understand page usage, conversion paths, and product friction. These tools may collect device, browser, page-view, interaction, and approximate-location data according to their own policies.

Public Shopify agent-facing endpoint checks

For the Full AI Audit, StoreAudit may query public Shopify agent-facing endpoints exposed by your storefront, such as Storefront MCP and UCP Catalog MCP. We store public tool availability, response status, catalog-search samples, product-detail field completeness, and public policy answers or FAQ answers returned by those tools. We do not use merchant OAuth or customer credentials for these checks, and we do not perform cart, checkout, payment, order, return, or account mutations without explicit opt-in.

Information we do not collect

We do not ask for Shopify admin credentials, payment card details, or any information about your store’s customers or orders. We scan public storefront data only. Outside payment records returned by Stripe and messages you choose to send us, we do not ask you to provide your name or phone number. Your scan is accessible via a unique private link, and if you create an account, it can also be saved to your dashboard.

How we use your store data

When you submit your store URL, StoreAudit fetches publicly accessible pages and files, including your homepage, product pages, policy pages, robots.txt, sitemap, structured data, image metadata, and llms.txt where available. This is the same public storefront data a visitor, search engine, or AI crawler could access.

StoreAudit uses that public data to generate scores, recommendations, CSV exports, PDF reports, title and description rewrites, schema snippets, llms.txt drafts or audits, and query-visibility evidence. Depending on which features are enabled for a scan, public store data or generated buyer-query text may be sent to these providers:

  • Anthropic (Claude) — anthropic.com
  • OpenAI (ChatGPT) — openai.com
  • Google (Gemini) — google.com
  • Serper — serper.dev, for organic and Shopping search evidence on paid query tests

The brand-knowledge probe sends a minimal brand/domain prompt to enabled AI providers. Paid Full AI Audit features may send product titles, product types, short description excerpts, policy-presence signals, homepage metadata, generated buyer queries, and related public evidence. We do not send your Shopify customer data, order data, payment-card data, or Shopify admin credentials to AI providers.

These providers process content under their own terms and data-retention practices. We maintain provider kill switches for AI features if a provider’s retention or training posture becomes unsuitable for merchant data.

Payments

Payments are processed by Stripe (stripe.com). We never see or store your credit card number. Stripe’s privacy policy governs payment data. We store payment status, amount charged, Stripe payment identifiers, customer email, paid-at timestamps, refund markers, Stripe checkout/webhook records used for payment reconciliation and idempotency, and Scan Pass or included-rescan credit state needed to deliver the product and handle support.

Third-party service providers

Provider | Purpose | Location
Stripe | Payment processing | United States
Resend | Transactional email delivery | United States
Google Analytics | Website analytics | United States / global
Microsoft Clarity | Product analytics and session interaction insights | United States / global
Google Fonts | Font delivery | United States / global
Sentry / Better Stack | Error tracking and uptime monitoring | United States / EU
Hetzner | Server hosting | Helsinki, Finland (EU)
Anthropic, OpenAI, Google | AI scoring of store content | United States
Serper | Search and Shopping evidence for paid query tests | United States / global

Data retention

  • Anonymous free scans keep detailed scan data for 14 days by default, then detailed JSON and page samples are stripped while lightweight fields such as score, domain, slug, and timestamps remain for cache, aggregate analytics, and expired-result handling.
  • Logged-in free scans keep detailed scan data for 30 days by default, then the same detail-stripping process applies while dashboard history remains.
  • Paid Full AI Audits are retained indefinitely so customers can revisit the deliverables they paid for, unless you request deletion.
  • Raw page debugging artifacts may be retained temporarily for admin troubleshooting, normally up to 7 days when enabled.
  • Email addresses are retained while needed for accounts, dashboard access, receipts, scan delivery, support, invite credits, Scan Passes, or any waitlist/product updates you requested.
  • IP address and request logs are retained as needed for rate limiting, abuse prevention, security, and operations.
  • Payment records are retained as required by applicable law (typically 7 years).

Cookies and analytics

StoreAudit uses essential cookies for security, sessions, login, and scan flow state. In production, we also load Google Analytics and Microsoft Clarity on non-admin pages, including public pages, login flows, and user dashboard pages, to understand how people find and use the product. You can control cookies through your browser settings, and you can use browser-level privacy tools to limit analytics tracking.

Your rights

Under British Columbia’s Personal Information Protection Act (PIPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access, correct, and request deletion of your personal information, and to withdraw consent. Email karim@storeaudit.app and we will respond within 30 days.

Children’s privacy

StoreAudit is a business tool intended for Shopify merchants. We do not knowingly collect information from individuals under the age of 18.

Security

We use industry-standard measures: HTTPS encryption in transit, access controls on our servers, and error monitoring to detect anomalies. No system is completely secure. If you have security concerns, contact karim@storeaudit.app.

Third-party links

Your scan results may include links to third-party resources and tools. We are not responsible for the privacy practices of those sites.

Changes to this policy

If we make material changes, we will update the “Last updated” date at the top of this page. For significant changes affecting your rights, we will email you if we have your address on file.

Contact

Karim Abd Al Fatah · BeSpark
Victoria, British Columbia, Canada
karim@storeaudit.app