Privacy Policy

Last updated: April 10, 2025

Cartograph ("we", "us", "our") is a Shopify app that helps merchants monitor and optimize their stores for AI shopping agents. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

1. What We Collect

We collect the following categories of data:

• Shop domain and metadata — Your Shopify store domain, store name, and Shopify plan tier. This is required to operate the app.
• Product data — Product titles, descriptions, attributes, and variants from your Shopify catalog. Used to calculate agent-readiness scores and generate optimized listings.
• Agent traffic analytics — Events generated when AI shopping agents interact with your storefront via the Universal Commerce Protocol (UCP), including agent identifiers, query strings, viewed products, cart activity, and checkout events.
• Shopify session tokens — Authentication tokens provided by Shopify to operate the embedded app experience. These are managed by Shopify's OAuth flow.

2. What We Do NOT Collect

• We do not collect, store, or process customer personal data (names, emails, addresses, phone numbers).
• We do not collect or store payment information of any kind.
• We do not collect data from customers who are not AI agents interacting via UCP.

3. How We Use Your Data

• To provide the Cartograph dashboard, analytics, and product scoring features.
• To generate AI-optimized product descriptions and structured attributes.
• To calculate and display daily, weekly, and trend analytics for your store.
• To send product improvement recommendations and alerts (if enabled).
• To maintain and improve the Cartograph service.

4. Data Storage

All data is stored in a Prisma-managed PostgreSQL database hosted on Neon (neon.tech), a serverless PostgreSQL provider with SOC 2 Type II compliance. Data is stored in the EU (Frankfurt) region.

We retain shop data for as long as the Cartograph app is installed on your store. When you uninstall the app, your data is queued for deletion within 48 hours in accordance with Shopify's GDPR requirements.

5. Data Sharing

We do not sell, rent, or trade your data with third parties. We may share data with:

• AI providers — Product data may be sent to an AI API (e.g., Anthropic Claude) to generate optimized listings. No personal data is included.
• Infrastructure providers — Neon (database), Vercel (hosting), and Shopify (app platform).
• Legal requirements — If required by law or to protect our legal rights.

6. GDPR Compliance

We comply with Shopify's GDPR webhook requirements. We handle the following mandatory webhooks:

• customers/data_request — We do not store customer personal data, so no data is returned.
• customers/redact — We do not store customer personal data, so no deletion is required.
• shop/redact — When a shop uninstalls the app and 48 hours pass, we permanently delete all associated shop data, agent events, product scores, and analytics records.

7. Your Rights

As a merchant using Cartograph, you have the right to:

• Request a copy of data we hold about your store.
• Request deletion of your store's data (uninstalling the app triggers this automatically).
• Contact us with any data-related questions or concerns.

8. Security

We use industry-standard security practices including HTTPS encryption, Shopify's authenticated webhook verification (HMAC), and access controls on our database infrastructure. All data in transit is encrypted via TLS.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of the Cartograph app after changes constitutes your acceptance of the updated policy.

10. Contact

For privacy-related questions or data requests, contact us at: malte@usecartograph.com

Cartograph
usecartograph.com