Pawsome Passport ("the App") is a Shopify application that helps pet product stores manage pet allergy profiles and provide allergen warnings on product pages. This Privacy Policy explains how we collect, use, and protect information when you install and use the App.
1. Information We Collect
When a merchant installs the App, we access and store:
Shopify session data — shop domain, OAuth access token, and account information required for the App to function.
Product data — product titles, descriptions, and ingredients (read via Shopify API) to perform AI-based allergen tagging.
Customer metafields — pet profiles (name, species, allergies) stored in Shopify metafields, which the merchant's customers create voluntarily.
Allergen dictionary — custom allergen labels and categories configured by the merchant.
2. How We Use Information
To authenticate merchants and maintain active sessions.
To scan product ingredients using AI (OpenAI API) and tag products with relevant allergens.
To display allergen warnings on product pages based on the customer's pet allergy profile.
To provide a dashboard with store-level allergy statistics.
3. Data Storage and Security
Application data (sessions, allergen dictionaries, AI scan jobs) is stored in a PostgreSQL database hosted on Railway. Customer pet profiles are stored in Shopify metafields and are not duplicated in our database.
All communication between the App and Shopify uses HTTPS. API requests from the storefront are verified using HMAC signatures.
4. Third-Party Services
We use the following third-party services:
Shopify — platform for store data, authentication, and metafield storage.
OpenAI — AI model used to analyze product ingredients and identify allergens. Product titles and descriptions are sent to OpenAI for processing. OpenAI does not use API data for training. See OpenAI's Privacy Policy.
Railway — cloud hosting for the application and database.
5. Data Retention
We retain merchant data (sessions, allergen settings, scan history) for as long as the App is installed. When a merchant uninstalls the App, we receive a webhook from Shopify and delete all associated data within 48 hours.
Customer pet profiles are stored in Shopify metafields and remain under the merchant's control even after the App is uninstalled.
6. GDPR and Data Rights
We comply with the General Data Protection Regulation (GDPR) and Shopify's mandatory GDPR webhooks:
Customer data request — we can provide all data we hold about a specific customer upon request.
Customer data erasure — we honor requests to delete customer-related data.
Shop data erasure — upon uninstallation, all shop data is deleted.
To exercise your data rights, contact us at the email address below.
7. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the App after changes constitutes acceptance.
8. Contact
If you have questions about this Privacy Policy or your data, contact us at: