Privacy Policy

1. Who We Are

Conversion Guard ("we," "us," "our") is a Shopify app that audits online stores for conversion and performance issues. The app is operated by Conversion Guard LLC, registered at 2525 W. Grand Ronde Ave, Kennewick, WA.

If you have any questions about this policy, contact us at privacy@conversionguard.ai.

2. What Data We Collect

From Shopify (when you install the app)

  • Shop domain — your Shopify store's domain (e.g. yourstore.myshopify.com)
  • Shopify access token — the credential Shopify issues to allow the app to read your store's content and themes. This token is encrypted at rest using AWS KMS and is never exposed outside our systems.
  • Store content — during an audit, the app reads your published themes, online store pages, script tags, and storefront content. This is limited to the scopes you grant at install: read_content, read_online_store_pages, read_script_tags, read_themes, and write_themes (used only to apply theme patches to draft themes).

Generated During Audits

  • Screenshots — images of your storefront pages captured during an audit. Screenshots are stored in AWS S3 and served via a CloudFront CDN for use in your audit report.
  • Audit findings — structured records describing issues found across SEO, AI search visibility, CRO, UX, app stack, and theme code categories. Stored in AWS DynamoDB.
  • Audit reports — an HTML report and a JSON findings file generated at the end of each audit. Stored in AWS S3 and accessible only to you via an authenticated link.
  • Audit progress events — a timeline of events recorded as the audit runs (e.g. "SEO check started," "CRO check complete"). Stored in AWS DynamoDB.

Billing Records

  • Transaction records — records of Shopify charges associated with your account (charge IDs, amounts, status). We do not store card numbers or payment details; all payment processing is handled by Shopify.

What We Do Not Collect

  • No customer PII. The app does not collect, store, or process any personal information belonging to your store's customers. Audit checks analyze page content and structure, not individual shopper sessions.
  • No passwords or admin credentials beyond the Shopify access token granted through Shopify's standard OAuth flow.

3. How We Use Your Data

Data Purpose
Shop domain + access token Authenticate requests, read store content for audits, write theme patches to draft themes
Store content (pages, themes) Run audit checks; sent to our AI analysis service (see section 4)
Screenshots Display in your audit report
Audit findings and reports Show you the results of each audit and enable the fix flow
Transaction records Track billing status; required by Shopify's partner program

We do not use your data for advertising, and we do not sell or rent your data to third parties.

4. Third-Party Services

Anthropic (AI Analysis)

The audit process sends store content — including page text, theme code, and storefront structure — to Anthropic for AI-powered analysis using the Claude model. This is the core mechanism by which the app identifies issues and generates recommendations.

Data sent to Anthropic is governed by Anthropic's privacy policy and terms of service. We recommend reviewing Anthropic's privacy policy for details on how they handle data submitted through their API.

Amazon Web Services (AWS)

All application infrastructure runs on AWS, including:

  • DynamoDB — stores shop records, audit findings, audit events, and transaction records
  • S3 — stores screenshots and audit report files
  • Lambda — runs application logic
  • KMS — encrypts Shopify access tokens at rest
  • CloudFront — serves audit screenshots for report display
  • EventBridge — routes internal events between services

AWS infrastructure is located in the us-east-2 region. Data does not leave this region except when sent to Anthropic's API for analysis.

Shopify

As a Shopify app, we operate within Shopify's platform. Shopify's own privacy policy governs the data they hold about you as a merchant.

5. Data Sharing

We do not sell, trade, or rent your data. Data is shared only with the third-party services listed in section 4 above, and only to the extent necessary to operate the app.

We may disclose data if required by law, court order, or to protect the rights and safety of users and third parties.

6. Data Retention and Deletion

While the app is installed

We retain your shop data, audit records, and screenshots for as long as you have the app installed. Audit findings and reports remain accessible to you through the app.

When you uninstall

When you uninstall Conversion Guard, Shopify sends us an app/uninstalled webhook. We stop processing your data at that point.

Shopify's partner program requires that all merchant data be deleted within 48 hours of receiving a shop/redact webhook (sent by Shopify after a grace period following uninstall). When that webhook is received, we delete all records associated with your shop domain from our systems, including DynamoDB records and S3 files.

Screenshots and reports

Screenshots and report files stored in S3 are deleted as part of the shop redact process described above.

Audit records on request

You may request deletion of your audit history before uninstalling by contacting us at support@conversionguard.ai. We will delete your audit records within 7 business days of receiving the request.

What we retain after deletion

After a shop/redact deletion, we retain one minimal record per store: a boolean flag indicating whether the free-audit entitlement was used, keyed on your Shopify store domain. This record contains no personal data — only the domain and a timestamp — and is kept solely to prevent abuse of the free trial on reinstall. It is not used for any other purpose.

7. Your Rights

Shopify GDPR Webhooks

We handle all three Shopify-mandated GDPR webhooks:

Webhook Our response
customers/data_request Acknowledged. We do not store any customer PII, so there is no customer data to provide.
customers/redact Acknowledged. We do not store any customer PII, so there is no customer data to redact.
shop/redact We delete all data associated with your shop domain within 48 hours of receipt.

GDPR (EU/UK Merchants)

If you are based in the European Union or United Kingdom, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to or restrict certain processing
  • Data portability (receive your data in a structured format)

To exercise any of these rights, contact privacy@conversionguard.ai.

CCPA (California Merchants)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal information)

To exercise your rights, contact privacy@conversionguard.ai.

8. Security

We take reasonable technical measures to protect your data:

  • Shopify access tokens are encrypted at rest using AWS Key Management Service (KMS)
  • All data in transit is encrypted using TLS
  • API endpoints require Shopify session token (JWT) authentication
  • Webhook endpoints verify Shopify HMAC signatures before processing
  • Audit report files are stored in a private S3 bucket and are not publicly accessible; screenshots are served via a restricted CloudFront distribution
  • Theme writes are restricted to draft themes — the app never modifies your published live theme automatically

No system is completely secure. If you believe your data has been compromised, contact us immediately at privacy@conversionguard.ai.

9. Children's Privacy

This app is intended for use by merchants operating commercial stores. We do not knowingly collect data from or about individuals under the age of 18.

10. Changes to This Policy

We may update this policy as the app evolves. When we make material changes, we will update the "Last updated" date at the top of this document. For significant changes, we will notify merchants via the app or by email.

Continued use of the app after a policy update constitutes acceptance of the revised policy.

11. Contact