Privacy Policy — SKU Surf

Effective date: 2026-04-18

Last updated: 2026-04-18

SKU Surf ("the App," "we," "our," or "us"), operated by Raj Patel (a sole proprietor based in Minneapolis, Minnesota, USA), respects your privacy and is committed to minimum-necessary data collection. This Privacy Policy explains what we collect, how we use it, and your rights. It applies to merchants who install the App from the Shopify App Store.

1. What We Collect

Shop data (collected via Shopify OAuth):

Your shop domain (e.g., yourshop.myshopify.com)
Your product catalog: product titles, handles, prices, vendors, product types, status, and associated identifiers (SKU, barcode where available)
Access token issued by Shopify for our read-only catalog access

Merchant-provided data (collected when you use the App):

Competitor URLs you add to the App for tracking
Preferences you configure (alert thresholds, MAP rules, monitoring cadence)

Scraped data (collected from third-party public sites on your behalf):

Competitor product prices, availability, and titles from publicly accessible URLs that you have added to the App
Historical price data for Amazon ASINs via Keepa API (where applicable)

Operational data:

Timestamps of your activity in the App
Error logs and diagnostic information needed to operate the service

2. What We Do NOT Collect

We explicitly do not collect the following, because we do not need it for the App to function:

Your end customers' personal data. We do not access read_customers, read_orders, or any other scope that exposes customer PII from your Shopify store.
Payment card information. All billing flows through Shopify's Billing API. We never see or store your payment information.
Competitor customer data. We scrape publicly displayed product pricing, not customer-facing account or transaction data.
Unrelated Shopify admin data. We request only the read_products OAuth scope, which limits our access to your product catalog.

3. How We Use Your Data

Operate the App: to display competitor pricing alongside your product catalog, generate alerts when competitor prices change, and power the AI URL discovery feature during onboarding.
Service operation and troubleshooting: to monitor the scraper's health, debug errors, and ensure the App works correctly.
Billing: Shopify Billing handles charges; we only reference your shop domain to link billing state to your account.

We do NOT:

Sell your data to third parties
Pool your catalog data across merchants to create aggregate datasets we sell or redistribute
Use your data to train or improve AI models (Shopify's February 27, 2026 Partner Program Agreement update explicitly requires written consent for this; we do not have or seek such consent)
Share your data with advertisers or marketing partners

4. Third-Party Processors

To operate the App, we share limited data with the following service providers:

Provider	What they process	Purpose
Shopify Inc.	OAuth token, shop domain, billing	Platform integration, billing
Supabase	Shop catalog, competitor URLs, settings	Database storage
Render	Same as Supabase	Application hosting
Hetzner Cloud	Scraping requests (competitor URLs only — no Shopify data)	Scraper infrastructure
Smartproxy/Decodo or Bright Data	Competitor URLs passed to proxy	Scraping proxy infrastructure
Keepa	Amazon ASINs (public identifiers, no Shopify data)	Historical price data
OpenAI or Perplexity	Anonymized product titles only (no shop identifiers)	AI-assisted URL discovery

All processors are bound by data processing agreements (or equivalent) appropriate to their role. They access only what they need to perform their specific function.

5. Data Retention and Deletion

During your subscription: We retain your data as long as you're actively using the App.

Upon uninstall: Shopify fires the shop/redact webhook 48 hours after uninstall. Within 30 days of receiving this webhook, we delete:

All rows in our database associated with your shop domain
Any cached scraping results for competitor URLs you monitored
Authentication tokens and session information

Our automated db.purge_shop_data function handles this across all shop-scoped tables. We verify deletion via our scripts/test_gdpr_purge.py round-trip test.

Customer data: Not applicable — we do not collect end-customer PII, so we have nothing to delete when Shopify fires customers/data_request or customers/redact webhooks. We still acknowledge those webhooks with a 200 OK response and log the receipt.

6. Data Location and International Transfers

Shopify data: Hosted wherever Shopify's infrastructure dictates (typically multiple regions globally).
Our database (Supabase): Primary region is in the United States (subject to Supabase's infrastructure).
Application hosting (Render): United States.
Scraper infrastructure (Hetzner): Germany (EU).
Scraping proxy providers: Global (traffic routed through proxy IPs in multiple regions for scraping effectiveness).

By using the App, you consent to the transfer of your data across jurisdictions necessary for the App to function. If you are in the EU/UK, we rely on Standard Contractual Clauses (or equivalent mechanisms) for data transfers where required.

7. Your Rights (GDPR / CCPA / Similar)

If you are in a jurisdiction with data-protection laws (GDPR, CCPA, etc.), you have the following rights:

Access: Request a copy of the data we hold about your shop
Correction: Request correction of inaccurate data
Deletion: Request deletion of your data (this happens automatically on uninstall via shop/redact)
Portability: Request an export of your data in a machine-readable format
Objection: Object to specific processing activities

To exercise any of these rights, email us at the address below. We respond within 30 days.

8. Security

We use industry-standard security practices:

All connections use TLS/HTTPS
Shopify access tokens are stored in Supabase with row-level security
Scraper service is protected by a bearer-token authentication header
Regular security patching of underlying infrastructure

No system is perfectly secure. If you believe there has been a security incident affecting your data, contact us immediately at the email below.

9. Children

The App is not directed at children under 16 and we do not knowingly collect data from them. If you believe we have collected data from a child, contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy as the App evolves or as regulations change. Material changes will be announced via the App's dashboard and/or by email to the contact on file at Shopify. The "Last updated" date at the top reflects the most recent material change.

11. Contact

For privacy questions, data requests, or to exercise your rights:

Privacy email: support@skusurf.com
Operator: Raj Patel, sole proprietor (Minneapolis, Minnesota, USA)

By installing SKU Surf on your Shopify store, you acknowledge that you have read, understood, and agreed to this Privacy Policy.