Introduction
PathConvert Ltd ("we," "our," or "us") is committed to protecting the privacy of merchants who use our Shopify application. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application available through the Shopify App Store.
By installing and using PathConvert, you agree to the collection and use of information in accordance with this policy.
Information We Collect
1. Information You Provide
When you install PathConvert, we collect:
- Shop Information: Your Shopify store domain, shop name, and shop owner contact information
- Authentication Data: OAuth access tokens to communicate with your Shopify store on your behalf
2. Information Automatically Collected
PathConvert automatically collects the following data from your Shopify store:
- Product Data: Product titles, descriptions, and metadata (used solely for generating AI recommendations)
- Collection Data: Collection titles, descriptions, handles, and the products within each collection
- Store Configuration: Theme information and app settings you configure within PathConvert
Information We Do NOT Collect
PathConvert does not collect:
- Customer personal information (names, emails, addresses, phone numbers)
- Customer order data or purchase history
- Payment information or financial data
- Customer browsing behavior or analytics
- Any personally identifiable information (PII) about your customers
How We Use Your Information
We use the collected information solely to:
- Provide Core Functionality: Analyze your collections using AI to generate smart navigation recommendations
- Generate Embeddings: Create semantic embeddings of your collections to determine similarity
- Display Recommendations: Show AI-powered collection navigation buttons to your store visitors
- Improve Service: Optimize recommendation algorithms and app performance
- Provide Support: Respond to your support requests and troubleshoot issues
- Send Service Communications: Notify you about important updates, security alerts, or changes to our service
Data Retention
- Active Shops: We retain your store data while your app subscription is active
- Uninstalled Apps: When you uninstall PathConvert, we acknowledge the uninstallation immediately
- Data Deletion: All shop data is permanently deleted within 48 hours of app uninstallation via Shopify's mandatory shop/redact webhook
- Billing Records: Billing history may be retained for up to 7 years for accounting and legal compliance purposes
- Trial Usage Records: To prevent abuse of our free trial program, we permanently retain a record of when each store first installed the app. This record contains only your store domain and the trial start date. This data is not deleted when you uninstall the app and is used solely to ensure each store receives only one free trial period.
Data Sharing and Disclosure
We Share Data With:
1. OpenAI (AI Processing)
- We use OpenAI's API to generate embeddings for your collection descriptions
- Data sent: Collection titles and descriptions (non-personal product metadata only)
- Purpose: AI-powered similarity analysis
- OpenAI's Privacy Policy: https://openai.com/policies/privacy-policy
2. Render (Hosting Provider)
- Our application and database are hosted on Render
- Data stored: All app data including collections, embeddings, and shop settings
- Security: Encrypted connections (TLS/SSL), secure database access
- Render's Privacy Policy: https://render.com/privacy
We Do NOT Share Data With:
- Third-party advertisers or marketing companies
- Data brokers or analytics platforms
- Social media platforms
- Any other third parties except as required by law
Legal Disclosure
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government agency), including to meet national security or law enforcement requirements.
Data Security
We implement industry-standard security measures to protect your data:
- Encryption in Transit: All data transmitted between your store and PathConvert uses TLS 1.3 encryption
- Encryption at Rest: Database contents are encrypted at rest
- Access Controls: Strict access controls and authentication mechanisms
- HMAC Verification: All Shopify webhooks are verified using HMAC SHA-256 signatures
- OAuth 2.0: Secure authentication using Shopify's OAuth 2.0 protocol
- Regular Security Audits: Ongoing monitoring and security updates
Despite our security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
Your Rights (GDPR & CCPA Compliance)
If You Are in the European Economic Area (EEA):
Under GDPR, you have the right to:
- Access: Request a copy of the data we hold about your store
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data (automatically handled upon app uninstallation)
- Restriction: Request restriction of processing
- Data Portability: Request transfer of your data to another service
- Objection: Object to processing of your data
- Withdraw Consent: Withdraw consent at any time (by uninstalling the app)
If You Are in California (USA):
Under CCPA, you have the right to:
- Know what personal information we collect and how it's used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination for exercising your privacy rights
To exercise these rights, contact us at: cameron@pathconvert.io
Shopify-Mandated Webhooks
PathConvert complies with Shopify's mandatory GDPR webhooks:
1. Customers Data Request (customers/data_request)
When a merchant receives a customer data request, PathConvert acknowledges the request but has no customer data to provide, as we do not collect or store any customer personal information.
2. Customer Redaction (customers/redact)
When customer data must be redacted, PathConvert acknowledges the request. Since we don't store customer data, no action is required.
3. Shop Redaction (shop/redact)
When a shop is redacted (48 hours after uninstallation), PathConvert permanently deletes all shop data, collection records, AI embeddings, recommendation edges, billing records, and job history.
Children's Privacy
PathConvert is not intended for use by children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at cameron@pathconvert.io.
International Data Transfers
Your data may be transferred to and processed in countries other than your own, including the United States (Render infrastructure) and OpenAI's servers for AI processing. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) for EU data transfers and encryption during transfer and storage.
Cookies and Tracking
PathConvert uses minimal cookies solely for session management (a JWT token in an httpOnly cookie) and security (CSRF protection). We do not use third-party tracking cookies, analytics cookies, or advertising cookies.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by updating the "Last Updated" date, sending an email notification (for material changes), and displaying a notice within the app. Your continued use of PathConvert after changes become effective constitutes acceptance of the updated policy.
Shopify Privacy Policy
This Privacy Policy is supplemental to Shopify's Privacy Policy. For information about how Shopify handles data, please review:
Legal Basis for Processing (GDPR)
Our legal basis for processing your data under GDPR is:
- Contractual Necessity: Processing is necessary to provide the PathConvert service you've subscribed to
- Legitimate Interests: Improving our service, preventing fraud, and ensuring security
- Legal Obligation: Complying with legal requirements such as tax and accounting regulations
- Consent: Where explicitly provided for specific processing activities
Compliance Statement: PathConvert is fully compliant with:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Shopify Partner Program Agreement
- Shopify App Store Privacy Requirements
© 2025 PathConvert Ltd (Company No. 16933279). All rights reserved.