This Privacy Policy explains how Catalog Canary (“we,” “us,” “our”) collects, uses, stores, and discloses information from Shopify merchants (“you,” “merchant”) who install our app.
1. Information we collect
When you install Catalog Canary, our app receives information through the Shopify API based on the access scopes you approve at install. The data we collect and store includes:
- Shop information. Your shop domain, store name, installed access scopes, and the email address of the account that installed the app (held in the Shopify session record).
- Product and collection data. A snapshot of every field you choose to monitor (titles, descriptions, prices, inventory levels, SEO, sales-channel publications, metafields, etc.) — required to detect changes and provide one-click revert.
- Change history. A record of every detected change to monitored fields, including who made the change (when Shopify attributes it), when it occurred, the previous value, and the new value.
- App configuration. Notification preferences (email addresses, Slack webhook URLs), scheduled sync time, monitored field list, and subscription tier.
- Diagnostic data. Server logs that include shop domain, request paths, and error messages. Sensitive data is excluded from logs.
We do not request access to customer data, order data, customer PII, or financial data, and we do not store any such data.
2. How we use information
- To detect, record, and display changes to your product catalog.
- To send the notifications (email, Slack) you've configured.
- To enforce your subscription tier's product limits and feature access.
- To diagnose errors and improve the app.
- To respond to support requests you initiate.
We do not sell merchant data. We do not use merchant data to train machine-learning models. We do not share merchant data for marketing purposes.
3. Sub-processors and third-party services
Catalog Canary relies on the following infrastructure providers, each acting as a data processor under our direction:
- Shopify Inc. — source of all merchant data via the official APIs.
- Fly.io — application hosting (region: iad, United States).
- Resend — transactional email delivery for digests and notifications. Receives the recipient email address(es) and the email body.
- Slack — receives notification messages when you've configured a Slack webhook URL.
- PostHog — anonymous product analytics. Distinct ID is a SHA-256 hash of the shop domain (not the raw value). Autocapture and session recording are disabled.
- Crisp — in-app support chat (only loaded when the shop opens the support chat).
4. Data retention
Your data is retained while the app is installed on your shop. When you uninstall the app, Shopify fires a shop/redactwebhook approximately 48 hours later, after which our handler permanently deletes all data associated with your shop — including all change history, product snapshots, settings, and sessions.
Customer data requests fired by Shopify GDPR webhooks (customers/data_request, customers/redact) are handled by our system within the time required by Shopify. Since we do not store customer data, these requests typically return no matching records.
5. Security
All data is transmitted over HTTPS. Stored data lives in an encrypted PostgreSQL database hosted by Fly.io. Access to production systems is restricted to authorized personnel using multi-factor authentication.
6. International data transfer
Our infrastructure operates from the United States. If you are located outside the United States, installing the app constitutes consent to the transfer of your data to and storage in the United States, subject to the protections described in this policy.
7. Your rights
You may:
- Access or export your data at any time using the in-app CSV export (Growth and Pro plans) or by contacting us.
- Request deletion of your data by uninstalling the app (which triggers permanent deletion ~48h later) or by contacting us directly.
- Update notification settings, monitored fields, and configuration at any time inside the app's Settings page.
8. Children
Catalog Canary is intended for use by Shopify merchants. We do not knowingly collect personal information from children under 13.
9. Changes to this policy
We may update this policy as the app evolves. Material changes will be announced inside the app and via email to the address on file for installed shops. The effective date at the top of this page reflects the latest revision.
10. Contact
Questions about this policy or about how your data is handled:
support@catalogcanary.com