Privacy policy
Effective 30 April 2026. This policy explains what personal data ShopMCP ("ShopMCP", "we") processes, on whose behalf, and the rights you have over that data.
The short version
1. Who we are
ShopMCP is operated by ShopMCP. For privacy questions you can reach us at privacy@shop-mcp.app. For European data subjects, this address also acts as the contact point under Article 27 GDPR until a representative is appointed.
2. Data we collect from account holders
When you sign up for a workspace we collect the minimum data needed to run the service:
- Identity: email address and (if you sign in with Google) the name and avatar URL Google returns.
- Account state: the workspaces you belong to, your role in each, and any team invites you have sent or accepted.
- Billing: Stripe customer id, plan tier, and invoice history. Card details are handled by Stripe — they never touch our servers.
- Operational logs: tool call counts, latency, and HTTP error codes, keyed only by an opaque workspace_id. We never tag log lines or error reports with the user's email.
3. Data we process on your behalf
When you connect Shopify, Neto, GA4, or Google Search Console, the ShopMCP runtime reads data from those platforms in response to a tool call from your MCP client (Claude Desktop, Cursor, ChatGPT, etc.). Depending on which tools you use, this can include order records, customer email and shipping addresses, product catalogues, analytics rows, and search performance reports.
For this data we are a processor — you instruct us via the tool call, and we return the result to you. We do not mine, aggregate, sell, or train any model on this data. Our Data Processing Addendum is the binding contract for that processing.
4. Google user data (Google API Services)
ShopMCP's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. This section describes, per Google's verification requirements, exactly what we access, why, and how we protect it.
Data accessed
When a workspace owner connects a Google product, ShopMCP requests only the OAuth scopes listed below and reads only the records each scope grants:
- Sign-in (openid, email, profile): Google account email, display name, and avatar URL — used to create the workspace member record and label the connection in the dashboard (“connected as olivia@acme.com”).
- Google Analytics 4 (analytics.readonly): aggregated GA4 reports the user requests via an MCP tool — sessions, sources, page paths, conversion counts, audience definitions, and custom dimensions on properties the user already owns.
- Search Console (webmasters.readonly, webmasters): search analytics rows (queries, pages, clicks, impressions, CTR, position), sitemap status, and URL inspection results. The non-readonly webmasters scope is requested only for the optional sitemap-submit tool.
- Indexing API (indexing): URL inspection metadata and reindex requests for URLs on properties the user owns. No bulk crawl data.
- Google Ads (adwords): campaign, ad group, ad, keyword, and search-term reports for accounts the user is authorised on. Writes (pause/budget changes) are off by default and gated per workspace.
- Merchant Center (content): product feed records, account and product issues, price competitiveness, and performance reports for Merchant accounts the user is authorised on. Writes are off by default and gated per workspace.
Data usage
Google user data is used solely to fulfil the user-facing feature that requested it: an MCP tool call from the user's AI client (Claude Desktop, ChatGPT, Cursor, etc.) is translated into a Google API request, and the response is returned to that same AI client as the answer to the user's question. Concretely:
- We do not use Google user data to train, fine-tune, or evaluate any generalised machine-learning model.
- We do not use Google user data for advertising, profiling, or audience-building of any kind.
- We do not aggregate one workspace's Google data with another's, and we do not sell, rent, or share Google user data with brokers or analytics resellers.
- We do not allow humans to read Google user data, except (a) with the user's explicit consent for support, (b) where required for security investigations, or (c) where compelled by law.
Data sharing
Google user data is processed only by the subprocessors listed on our subprocessors page — currently Vercel (runtime, US-east), Neon (Postgres, AWS us-east-1), and AWS KMS (key wrapping, us-east-1). Google user data is not shared with any third party for analytics, advertising, lead generation, or model training.
Data storage and protection
Google OAuth refresh tokens are encrypted with envelope encryption before they reach our database: a fresh data encryption key is generated per credential via AWS KMS GenerateDataKey (workspace id bound as the encryption context), and only the wrapped key plus the ciphertext are persisted. Plaintext tokens are held in memory for the lifetime of a single request, briefly cached (≤ 60 seconds) to keep tool calls responsive, and never written to logs, error reports, support tickets, or backups. Google API responses are streamed straight back to the requesting MCP client and are not persisted server-side beyond per-request memory.
All processing happens in US-east (Vercel iad1, Neon AWS us-east-1). TLS is enforced for every Google API call and for every connection to the dashboard.
Data retention and deletion
- Encrypted Google refresh tokens are kept only while the integration is connected. Disconnecting from Settings → Integrations deletes the ciphertext immediately and renders the wrapped DEK unrecoverable.
- Users can also revoke ShopMCP's access at any time from myaccount.google.com/permissions; we honour the revocation on the next API call.
- Operational logs reference connections only by an opaque workspace id and never contain Google API payloads, tokens, or email addresses.
- To request deletion of any remaining account data, email privacy@shop-mcp.app from the address on your account; we respond within 30 days.
5. Connected platform credentials
Credentials you give us (Shopify offline tokens, Google OAuth refresh tokens, Neto API keys) are encrypted with envelope encryption: a fresh data encryption key is generated per stored credential via AWS KMS GenerateDataKey with the workspace id bound as the encryption context, and the wrapped key is stored alongside the ciphertext in our Postgres database. The unwrapped key is held only in memory for the duration of a request and is briefly cached (at most a minute) to keep tool calls responsive.
Plaintext credentials never appear in logs, error reports, support tickets, or backups. If you revoke a connection from Settings → Integrations we delete the ciphertext immediately and the wrapped DEK becomes unrecoverable.
6. Subprocessors
We rely on a small set of infrastructure providers to run the service. The current list, and the data each one sees, is published on our subprocessors page. We will give 30 days' notice before adding or replacing any subprocessor that processes customer data.
7. Where we store data
The Postgres database (Neon) lives in AWS us-east-1 and backups are retained in the same region. The Next.js dashboard and the MCP runtime both run on Vercel's iad1 region (US East), so data stays within US-east for the entire request path. We do not replicate ecommerce data outside the US-east primary database.
For European customers, transfers to the US rely on the EU-US Data Privacy Framework and, where the framework does not apply, the Standard Contractual Clauses signed as part of the DPA.
8. How long we keep data
The targets below describe how long each data category is retained. We will delete or anonymise earlier on written request (see §9, Your rights).
- Account records: kept for the lifetime of the workspace plus up to 30 days after deletion, to allow recovery from accidental cancellation.
- Raw tool-call usage events (opaque counters keyed by workspace id, no payload): retained for 90 days, then collapsed into per-day workspace summaries for billing reconciliation and capacity planning.
- Audit log entries: retained indefinitely for security forensics, but the actor and workspace pointers are nulled out automatically when the underlying user or workspace is deleted, so the preserved record is no longer attributable to an identifiable person.
- Sign-in session metadata: the IP address and user-agent we record for the anti-sharing pipeline are nulled out on session rows whose expiry is more than 30 days in the past.
- Encrypted credentials: kept only while the connection is active and deleted on disconnect.
9. Your rights
Wherever you are in the world, you can:
- Ask for a copy of the personal data we hold about you.
- Ask us to correct anything that is wrong.
- Ask us to delete your account and any data attached to it.
- Object to or restrict processing in the cases described by GDPR Articles 18 and 21.
- Lodge a complaint with your local supervisory authority. Australian users can contact the OAIC; EU users can contact their national DPA.
To exercise any of the above, email privacy@shop-mcp.app from the address on your account. We respond within 30 days.
11. Changes to this policy
We will post any changes to this page and update the effective date at the top. For material changes (new categories of data, new purposes, new subprocessors that handle customer data) we will email workspace owners at least 30 days before the change takes effect.