Data Processing Policy
Last updated: April 5, 2026
This Data Processing Policy describes how Xi Yu Li Chen ("Buildora") processes data on behalf of Shopify merchants who install and use our application. This policy supplements our Privacy Policy and is designed to meet Shopify's app compliance requirements.
1. Role & Relationship
When a merchant installs Buildora on their Shopify store:
- The merchant is the Data Controller — they decide which products to create pages for and what content to publish
- Buildora acts as a Data Processor — we process store and product data only on the merchant's behalf and per their instructions
- Shopify acts as a platform intermediary — facilitating the connection between the merchant and Buildora
2. Data We Process
2.1 Store Data
| Data Type | Purpose | Retention |
|---|---|---|
| Store domain & name | Identify connected store | Until uninstall + 30 days |
| OAuth access token | API authentication | Encrypted; deleted on uninstall |
| Product data | Page generation & publishing | Until product deleted or uninstall |
| Theme information | Template injection | Until uninstall + 30 days |
| Product images | AI image generation & display | Until product deleted or uninstall |
2.2 Customer Data
Buildora does not request, access, or store any end-customer data from your Shopify store. We do not access:
- Customer names, emails, or phone numbers
- Shipping or billing addresses
- Order history or purchase information
- Customer accounts or login credentials
- Payment or credit card information
3. Sub-Processors
We use the following third-party services to process data on your behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database & authentication | All application data |
| Anthropic (Claude) | AI text generation | Product data for page generation |
| Google (Gemini) | AI image generation | Product images for enhancement |
| Firecrawl | Web scraping | Public product URLs |
| Stripe | Payment processing | Billing information |
| Vercel | Application hosting | Request logs (IP, user agent) |
4. Shopify Mandatory Webhooks
Buildora implements all Shopify-mandated compliance webhooks:
Customer Data Request
When a customer requests their data from a merchant, Shopify notifies us. Since Buildora does not store customer data, we respond confirming no customer data is held. If any indirect data is found, it is provided within 30 days.
Customer Data Erasure
When a customer requests deletion of their data, Shopify notifies us. We delete any data associated with the specified customer within 30 days. Since we don't store customer PII, this typically requires no action.
Shop Data Erasure
48 hours after a merchant uninstalls Buildora, Shopify sends a shop erasure request. We delete all data associated with that store — products, generated content, scrape data, themes, and the encrypted access token — within 30 days.
5. Data Security Measures
- Encryption in transit — all data is transmitted over TLS 1.2+
- Encryption at rest — Shopify access tokens encrypted with AES-256; database encrypted by Supabase
- Access control — Row Level Security (RLS) ensures users can only access their own organization's data
- Minimal scopes — we only request Shopify API scopes necessary for product and theme management
- No customer data — we do not request scopes that access customer, order, or checkout data
- Credential security — passwords hashed with bcrypt; tokens never logged or exposed in error messages
6. Cross-Border Data Transfers
Data processed through Buildora may be stored and processed in regions where our infrastructure providers operate (primarily United States). For EU/EEA/UK merchants, appropriate safeguards are in place through our providers' Standard Contractual Clauses (SCCs) and data processing agreements.
7. Data Breach Notification
In the event of a data breach that affects your data, we will:
- Notify affected merchants within 72 hours of becoming aware of the breach
- Provide details of the breach scope, affected data, and remediation steps
- Cooperate with Shopify and relevant authorities as required
- Take immediate steps to contain and remediate the breach
8. Merchant Rights
As a merchant using Buildora, you have the right to:
- Request an export of all data we hold for your organization
- Request deletion of all your data (subject to legal retention requirements)
- Disconnect your Shopify store at any time via Shopify admin
- Audit what data we process — contact us for a detailed data inventory
- Revoke access by uninstalling the app, triggering automatic data deletion
9. Contact & Data Protection Inquiries
For data processing inquiries, data access requests, or concerns about how we handle your data:
Xi Yu Li Chen
Operating as Buildora
hello@buildoraai.comWe aim to respond to all data-related inquiries within 30 days.