Acceptable use policy
Effective 23 April 2026. This policy sits alongside the Terms of Service and sets the concrete rules for how a ShopMCP workspace may be used. Breaching it is grounds for suspension.
1. Scope
/api/mcp, every connected integration module, and any tool call made with a ShopMCP API key.
2. Prohibited uses
You must not use ShopMCP to:
- Probe, scan, or test the security of ShopMCP or any connected upstream platform beyond what a security researcher is authorised to do under our vulnerability disclosure process.
- Circumvent, disable, or tamper with rate limits, usage caps, seat enforcement, audit logging, or billing metering.
- Send unsolicited commercial messages, spam, phishing, or any traffic that violates CAN-SPAM, CASL, the GDPR, the Australian Spam Act, or equivalent law in the recipient's jurisdiction.
- Scrape, mirror, or bulk-exfiltrate a connected platform beyond what the platform's own terms permit. Shopify, Maropost, Google, Klaviyo, and Stripe terms continue to apply — a ShopMCP API key is not a license to breach them.
- Use the service to build, train, or fine-tune a product that competes with ShopMCP, or to export tool definitions or internal schemas for the same purpose.
- Process special-category personal data (Article 9 GDPR, PIPEDA sensitive data, Australian Privacy Act sensitive information) unless you have a lawful basis for doing so and have disclosed that basis to us in writing.
- Upload, store, or transmit content that is unlawful, defamatory, infringing, or designed to harass a person.
- Use the service to make automated decisions that have legal or similarly significant effects on individuals without the human review required by Article 22 GDPR or equivalent local law.
- Reverse engineer, decompile, or attempt to extract source code for the dashboard, runtime, or any integration module, except to the narrow extent permitted by non-waivable local law.
- Resell, sublicense, or share access to the workspace with parties outside the organisation that holds the subscription, beyond what Agency plans are designed for. Agencies should use a dedicated client workspace per client rather than a single shared key.
3. Prompt injection hygiene
Because an LLM reads tool output and untrusted user text in the same context window, a prompt-injected instruction embedded in, say, a support email body can trigger tool calls you never intended. The security docs describe the defences we apply on our side. On your side you must:
- Start every new merchant with write tools disabled. Turn writes on only after you have reviewed the usage log in /settings/connections.
- Scope upstream credentials to the narrowest permission set that lets the workspace do its job. For Shopify that means custom-app scopes; for Neto it means an API user with only the resources you actually read; for Magento it means a scoped Integration.
- Never paste an un-reviewed customer message, product review, or page body into the same chat as a write-capable tool call without first summarising it through a read-only tool.
4. Credentials and API keys
- ShopMCP API keys are bearer tokens. Treat them like passwords — never commit them to source control, never paste them into a public chat client, and rotate them if you suspect exposure.
- Any tool call made with a valid bearer token from your workspace counts as your action for billing, audit, and liability purposes, even if the token was used by a third party.
- Upstream platform credentials (Shopify offline tokens, Neto API keys, Google refresh tokens) remain the merchant's property. Revoking them on the upstream platform immediately and permanently disables the connection on our side.
5. Enforcement
Violations of this policy can result in rate limiting, suspension of individual tools, suspension of the workspace, or termination — with or without prior notice depending on the severity of the breach and the risk to other users or to connected upstream platforms.
Where a violation is technical (e.g. an API key scope that is too broad) and not malicious, we will try to contact the workspace owner and give a reasonable chance to fix the issue before any customer-visible action is taken.
6. Reporting abuse
To report an abuse of the service — spam, impersonation, scraping, a stolen credential being used through ShopMCP, anything else covered here — email abuse@shop-mcp.app. Include the workspace URL or API key prefix if you know it, a description of the behaviour, and evidence (log lines, timestamps, screenshots). We acknowledge reports within one business day.