TL;DR Plain-English Overview
Before diving into the legal language, here is a plain summary of our privacy practices:
The full policy below governs in all cases. If anything is unclear, please contact us.
01 Who We Are
Scrapit ("we", "us", "our") is a Shopify application developed and operated by Inspired Marketing. Our registered contact email is support@scrapit.app.
For the purposes of applicable data protection law, Scrapit is the data controller in respect of the personal data processed in connection with your use of our application and website (scrapit.app).
This Privacy Policy applies to:
- The Scrapit Shopify application (available via the Shopify App Store)
- The Scrapit marketing website at scrapit.app
- Any related services, support communications, or APIs operated by us
02 Data We Collect
We collect data in three ways: data you provide directly, data collected automatically when you use the app, and data received from Shopify as part of the app installation flow.
2.1 Data You Provide Directly
| Data | When | Why |
|---|---|---|
| Shopify store domain | App installation | To authenticate and associate your account |
| Shopify access token | App installation (OAuth) | To read and write products in your store via Shopify API |
| Google Gemini API key | AI Settings (optional) | To perform AI-powered product scraping on your behalf |
| Product URLs | When you submit a URL to scrape | To fetch and process the product page |
| Name & email | Contact form (optional) | To respond to your support enquiry |
| App configuration & settings | Settings page | To apply your import preferences (pricing rules, inventory settings, etc.) |
2.2 Data Collected Automatically
| Data | Source | Purpose |
|---|---|---|
| IP address | Server logs | Security, fraud prevention, rate limiting |
| Browser / device type | HTTP headers | Compatibility, debugging |
| Pages visited & feature usage events | In-app analytics | Understanding how merchants use the app; improving features |
| Error logs and stack traces | Application error tracking | Diagnosing and fixing bugs |
| Timestamp of actions | Database | Audit trail, sync scheduling |
2.3 Data We Do NOT Collect
- Your Shopify customers' names, addresses, emails, or payment information
- Order data, transaction history, or financial records from your store
- Passwords or raw authentication secrets beyond the encrypted Shopify access token
- Content from third-party product pages beyond the session needed to complete an import
- Biometric data, health data, or any special category personal data
03 How We Use Your Data
We process your data only for the following purposes, each of which has a defined legal basis:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the Scrapit service | Store domain, access token, URLs, settings | Performance of contract |
| Authenticating your account | Shopify OAuth token, store domain | Performance of contract |
| Running AI scraping on your behalf | Gemini API key, product URLs | Performance of contract / your consent |
| Storing your import preferences | App settings, pricing rules | Performance of contract |
| Syncing products on a schedule | Source URLs, Shopify access token | Performance of contract |
| Sending transactional emails | Email address (if provided) | Performance of contract |
| Product analytics & improvement | Anonymised usage events | Legitimate interests |
| Security & fraud prevention | IP address, error logs | Legitimate interests |
| Legal compliance | As required by law | Legal obligation |
We will never process your data for purposes that are incompatible with those listed above without obtaining your prior consent.
04 Shopify Store Data
Scrapit is a Shopify app and therefore integrates with the Shopify platform. When you install Scrapit, you grant it specific OAuth permission scopes. We request only the scopes we strictly need:
| Shopify Scope | Why We Need It |
|---|---|
| read_products | To detect duplicate products and check existing inventory before importing |
| write_products | To create and update products in your store during import or sync |
| read_inventory | To read inventory levels across locations for accurate stock mapping |
| write_inventory | To update stock levels when syncing imported products |
| read_locations | To identify available fulfilment locations for inventory assignment |
We access your Shopify store data only when you actively use the app or when a scheduled sync task runs on your behalf. We do not browse or scan your store in the background for any other reason.
Upon uninstalling Scrapit from your store, Shopify automatically revokes our access token, terminating our ability to access your store data. We delete all locally stored tokens and store-specific data within 30 days of receiving the uninstall webhook.
05 Third-Party Services
We use a small number of trusted third-party services to operate Scrapit. Each is listed below with the data shared and the purpose:
5.1 Shopify
Role: Platform provider and identity provider. Data shared: App installation events, OAuth flow, webhook payloads. Privacy policy: shopify.com/legal/privacy
5.2 Vercel
Role: Cloud infrastructure and hosting provider for the Scrapit application. Data shared: Server logs (IP addresses, request metadata) are processed on Vercel's infrastructure. Privacy policy: vercel.com/legal/privacy-policy
5.3 Google Gemini API (optional)
Role: AI model provider for the optional AI scraping feature. Data shared: When you enable AI scraping, we send the HTML content of the product page you have requested to scrape to the Gemini API, using your own API key. We do not share your store data or personal information with Google in this request. Privacy policy: policies.google.com/privacy
5.4 Database Provider (Prisma / PostgreSQL)
Role: Persistent data storage for app sessions, settings, and sync schedules. Databases are hosted on infrastructure within the EU/US and are encrypted at rest. Access is restricted to application processes only.
5.5 Analytics (Vercel Analytics)
Role: Privacy-first, cookieless web analytics. Vercel Analytics does not use cookies and does not track individuals across sessions. It collects aggregated, anonymised page view data only.
5.6 Sub-processors
All sub-processors we engage are bound by data processing agreements that require them to maintain appropriate technical and organisational measures to protect your data. You may request a current list of sub-processors by contacting us at support@scrapit.app.
06 Data Storage & Security
We take data security seriously and implement industry-standard technical and organisational measures to protect your information against unauthorised access, loss, alteration, or disclosure.
Technical Safeguards
- All data in transit is encrypted using TLS 1.2 or higher (HTTPS enforced site-wide)
- All data at rest is encrypted using AES-256 encryption at the infrastructure level
- Shopify access tokens are stored in a hashed and encrypted format; they are never logged in plaintext
- Google Gemini API keys are encrypted before being written to the database using application-level encryption
- Database access is restricted to application processes via private networking, with no public database endpoints
- API endpoints are rate-limited to prevent abuse and brute-force attacks
- All application dependencies are regularly audited and updated to patch known vulnerabilities
Organisational Safeguards
- Access to production systems and databases is restricted to authorised personnel only
- We follow the principle of least privilege: no person or process gets more access than strictly necessary
- Security incidents are subject to a documented incident response process
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33. Affected users will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
07 Data Retention
We retain your data only for as long as necessary to provide the service or as required by applicable law.
| Data Type | Retention Period | Reason |
|---|---|---|
| Shopify access token & store domain | Duration of app installation + 30 days | Required to operate the service; deleted after uninstall |
| App settings & import preferences | Duration of app installation + 30 days | Needed to apply your configured rules |
| Scraped product data (temporary) | Session duration only (not persisted) | Used only to complete the current import; not stored long-term |
| Sync schedules & source URLs | Until you delete the linked product or uninstall the app | Needed to run scheduled syncs |
| Gemini API key (encrypted) | Until you remove it in Settings or uninstall the app | Required for AI scraping feature |
| Server & error logs | 90 days | Security monitoring and debugging |
| Analytics data (anonymised) | Up to 24 months | Product improvement (no personal identifiers) |
| Support correspondence | 3 years | Legal records and support quality |
Upon expiry of the relevant retention period, data is securely deleted or anonymised. You may request early deletion of your data at any time; see Your Rights below.
08 Cookies & Tracking
Marketing Website (scrapit.app)
The Scrapit marketing website uses Vercel Analytics, which is cookieless and does not track individuals. We do not use advertising cookies, tracking pixels, or third-party analytics platforms such as Google Analytics on this website.
Shopify App (Embedded)
The embedded Scrapit app (running inside Shopify Admin) uses session cookies set by Shopify's App Bridge framework. These cookies are strictly necessary for the app to function; they maintain your authenticated session and are not used for tracking or advertising purposes.
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| shopify_app_session | Strictly necessary | Maintains your authenticated session in the Scrapit app | Session |
| shopify_app_session.sig | Strictly necessary | Cryptographic signature verifying session integrity | Session |
We do not use cookies for advertising, remarketing, or cross-site tracking. No cookie consent banner is required for the app as we only use strictly necessary cookies.
09 Your Rights
Depending on your location, you may have the following rights regarding your personal data. We honour these rights for all users regardless of jurisdiction.
Right of Access
Request a copy of all personal data we hold about you and your store, and information on how it is processed.
Right to Rectification
Request correction of any inaccurate or incomplete personal data we hold about you.
Right to Erasure
Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
Right to Restriction
Request that we restrict processing of your data in certain circumstances, such as while a dispute is resolved.
Right to Portability
Receive your personal data in a structured, machine-readable format and transfer it to another controller.
Right to Object
Object to processing based on legitimate interests, including profiling, at any time.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Automated Decision-Making
We do not make decisions about you using solely automated processing that have legal or significant effects.
How to Exercise Your Rights
To exercise any of these rights, contact us at support@scrapit.app with the subject line "Data Rights Request". We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before fulfilling a request.
There is no charge for exercising your rights. If requests are manifestly unfounded or excessive, we may charge a reasonable administrative fee or decline to act, with written explanation.
10 GDPR - EU & EEA Users
If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to our processing of your personal data.
Legal Bases for Processing
We rely on the following legal bases under GDPR Article 6:
- Article 6(1)(b) - Performance of a contract: Processing necessary to provide the Scrapit service you have subscribed to
- Article 6(1)(f) - Legitimate interests: Anonymised analytics, security monitoring, and fraud prevention
- Article 6(1)(c) - Legal obligation: Where processing is required to comply with applicable law
- Article 6(1)(a) - Consent: For optional features such as AI scraping that require additional data processing
International Data Transfers
Some of our infrastructure (including Vercel hosting) may process data in the United States. Where personal data is transferred outside the EEA, we ensure adequate protections are in place through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Data Processing Agreements with all relevant sub-processors
Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your national supervisory authority. A full list of EU data protection authorities is available at edpb.europa.eu.
11 CCPA - California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you specific rights regarding your personal information.
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Shopify store domain, email address (if provided), IP address
- Commercial information: Subscription plan, import history metadata
- Internet / network activity: App usage events, error logs, pages visited
We Do Not Sell or Share Your Personal Information
Your CCPA Rights
California residents may exercise the following rights by contacting us at support@scrapit.app:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected
- Right to Delete: Request deletion of personal information, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA right
We will respond to verifiable consumer requests within 45 days as required by the CCPA.
12 Children's Privacy
Scrapit is a business tool intended exclusively for adults operating Shopify stores. Our service is not directed at, and is not intended for use by, children under the age of 16 (or the applicable minimum age in your jurisdiction).
We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us at support@scrapit.app and we will promptly delete such information.
13 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Display a notice within the Scrapit app for active users
- For significant changes, send an email notification to the address associated with your account where we hold one
Your continued use of Scrapit after the effective date of the revised policy constitutes acceptance of the changes. If you do not agree with the updated policy, you must stop using the service and may request deletion of your data.
Previous versions of this Privacy Policy are available on request by emailing support@scrapit.app.
14 Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:
Email: support@scrapit.app
Website: scrapit.app
Subject line for data requests: "Data Rights Request"
We aim to respond to all privacy-related enquiries within 5 business days and to fulfil data rights requests within 30 days.