ShieldScan

Privacy Policy

Last updated: April 18, 2026

1. Who we are

ShieldScan ("we", "our", "us") is a Shopify application that provides automated security auditing for Shopify stores. Our application is available through the Shopify App Store. For any privacy-related questions, contact us at shieldscan@alainpicard.ca.

2. Data we collect

When you install ShieldScan, we collect and process the following data:

  • Store domain: Your myshopify.com domain, used to identify your store and make API calls.
  • Access token: An OAuth access token issued by Shopify with read-only scopes, used to audit your store. We never request write scopes.
  • Store metadata: Shop name, plan name, and configuration — retrieved during a scan to generate your security report.
  • Theme assets: The source code of your active theme is read during a scan to detect malware, injected scripts, and exposed secrets. Theme code is never stored.
  • App & script tag list: The list of installed apps and injected scripts is read to audit permissions and third-party exposure.
  • HTTP headers: We make a HEAD request to your storefront to audit security headers. No customer data is read.
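
The HTTP-header check above is a small, self-contained audit. The following is an added illustration of how such a check can be done (it is not ShieldScan's own code): a HEAD request to the storefront, then checks on the response headers alone. The specific headers checked, the thresholds and the scoring are assumptions, and the two sample header sets are constructed, not captured from any real store.

```python
"""Response-header audit of the kind section 2 describes: a HEAD request to the
storefront, then checks on the headers alone. Added illustration, not ShieldScan's
own code; the checks, thresholds and scoring are assumptions."""
import re
import urllib.request
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; a commonly recommended minimum HSTS max-age


def audit_security_headers(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score out of 100, findings) for one set of response headers.
    Header names are case-insensitive, so they are compared lower-cased."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # HSTS: present, with a max-age of at least a year.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append("Strict-Transport-Security missing")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year")

    # CSP: present, and the effective script-src not relying on 'unsafe-inline'.
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        script_src = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script_src:
            findings.append("Content-Security-Policy script-src allows 'unsafe-inline'")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("No clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")

    return max(0, 100 - 20 * len(findings)), findings


def fetch_storefront_headers(store_domain: str, timeout: float = 10.0) -> Dict[str, str]:
    """HEAD request to the storefront; only the response headers are returned,
    so no page body (and no customer data) is read."""
    req = urllib.request.Request(f"https://{store_domain}/", method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample header sets (not captured from any real store).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}
STRONG_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        score, findings = audit_security_headers(hdrs)
        print(name, score, findings)
```

A server can be configured to answer HEAD and GET with different headers, so a surprising finding is worth re-checking against a GET before reporting it.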

3. What we do NOT collect

  • Customer personal information (names, emails, addresses)
  • Order details or payment information
  • Product inventory or pricing
  • Theme source code: scanned in memory only, never persisted to disk or a database

4. How we use your data

Data collected is used exclusively to:

  • Generate your store's security report and score
  • Authenticate API calls to Shopify on your behalf
  • Provide scan history and trend data (paid plans)
  • Send security alert notifications (paid plans, opt-in)

We never sell, rent, or share your data with third parties for marketing purposes.

5. Data storage & security

Session tokens (the access token described in section 2) are stored in an encrypted PostgreSQL database hosted on infrastructure within the United States. All data in transit is protected by TLS (HTTPS). Access is restricted to application processes; any human access to production data is exceptional and is recorded in an audit log.

6. Data retention

Your session token (the access token described in section 2) is retained for as long as ShieldScan is installed on your store. When you uninstall the app, Shopify sends us the app/uninstalled webhook and we permanently delete your session token within 48 hours.

7. GDPR & data subject rights

We comply with Shopify's GDPR requirements. If you are in the European Economic Area, you have the right to access, rectify, or erase personal data we hold about you. To exercise these rights, contact shieldscan@alainpicard.ca.

ShieldScan implements all three mandatory GDPR compliance webhooks required by Shopify: customer data requests (customers/data_request), customer redact (customers/redact), and shop redact (shop/redact).
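
Sections 6 and 7 both rely on webhooks from Shopify, and the security point a practitioner will want to see is that each one is authenticated before anything is deleted. The following is an added illustration of such a receiver; it is not ShieldScan's own code. It verifies the X-Shopify-Hmac-Sha256 header (a base64-encoded HMAC-SHA256 over the raw request body, keyed with the app's client secret), rejects a bad signature with 401, and only then dispatches on the topic. The in-memory token store, the client secret, the shop domain and the sample payload are constructed for the example.

```python
"""Webhook receiver of the kind sections 6 and 7 describe: verify Shopify's HMAC
over the raw request body, then act on the topic. Added illustration, not
ShieldScan's own code; the in-memory store, the secret, the shop and the sample
payload are constructed for the example."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple


class TokenStore:
    """Stand-in for the token table (a dict keyed by myshopify.com domain)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def save(self, shop: str, token: str) -> None:
        self._tokens[shop] = token

    def delete(self, shop: str) -> bool:
        return self._tokens.pop(shop, None) is not None

    def has(self, shop: str) -> bool:
        return shop in self._tokens


def compute_hmac(raw_body: bytes, client_secret: str) -> str:
    """Value of X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(client secret, raw body))."""
    mac = hmac.new(client_secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_webhook(raw_body: bytes, hmac_header: str, client_secret: str) -> bool:
    """Constant-time comparison. The body must be the exact bytes received;
    a parsed-and-re-serialised JSON object will not produce the same digest."""
    return hmac.compare_digest(compute_hmac(raw_body, client_secret), hmac_header or "")


def handle_webhook(headers: Dict[str, str], raw_body: bytes,
                   client_secret: str, store: TokenStore) -> Tuple[int, str]:
    """Dispatch one webhook; returns (HTTP status, message). Nothing is parsed
    or changed until the signature checks out, and a bad signature gets 401."""
    h = {k.lower(): v for k, v in headers.items()}
    if not verify_webhook(raw_body, h.get("x-shopify-hmac-sha256", ""), client_secret):
        return 401, "invalid HMAC"

    payload = json.loads(raw_body)
    topic = h.get("x-shopify-topic", "")
    shop = h.get("x-shopify-shop-domain") or payload.get("shop_domain", "")

    if topic == "app/uninstalled":
        store.delete(shop)
        return 200, "access token deleted"
    if topic in ("customers/data_request", "customers/redact"):
        # No customer personal data is held, so there is nothing to export or
        # erase; the request is still acknowledged so Shopify sees it handled.
        return 200, "no customer data held"
    if topic == "shop/redact":
        store.delete(shop)
        return 200, "shop data erased"
    return 200, "topic ignored"


# Constructed sample request (secret, shop and payload are made up for the example).
CLIENT_SECRET = "example-client-secret"
SHOP = "example.myshopify.com"
RAW_BODY = json.dumps({"shop_id": 1234, "shop_domain": SHOP}).encode()


def sample_headers(topic: str, raw_body: bytes = RAW_BODY) -> Dict[str, str]:
    """Headers Shopify would send for the constructed body, signed with CLIENT_SECRET."""
    return {
        "X-Shopify-Topic": topic,
        "X-Shopify-Shop-Domain": SHOP,
        "X-Shopify-Hmac-Sha256": compute_hmac(raw_body, CLIENT_SECRET),
    }


if __name__ == "__main__":
    store = TokenStore()
    store.save(SHOP, "shpat_example")
    print(handle_webhook(sample_headers("app/uninstalled"), RAW_BODY, CLIENT_SECRET, store))
    print(store.has(SHOP))  # False
```

The order matters: an unauthenticated app/uninstalled or shop/redact request that was acted on before the HMAC check would let anyone who can guess a store domain delete that store's token.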

8. Changes to this policy

We may update this policy from time to time. We will notify merchants of material changes via email or an in-app notice. Continued use of ShieldScan after changes constitutes acceptance of the updated policy.

9. Contact

Questions about this policy? Email us at shieldscan@alainpicard.ca.

© 2026 ShieldScan