Privacy Policy

1. Data We Access from Your Shopify Store

When you install Burnish, we request the following Shopify API scopes:

• Products (read and write): to score and improve product data such as titles, descriptions, metafields, and alt text.
• Content (read and write): to update merchant-controlled content fields used in catalog improvement workflows.
• Product listings (read only): to assess readiness for external surfaces and channel-facing product data.
• Orders (read only, protected customer data Level 1): to compute revenue attribution for merchant-approved catalog changes (per-Action lift and cohort ROI on the Visibility tier). The pinned query reads only order totals, currency, processed/created/cancelled timestamps, refund totals, and the test-mode flag. It deliberately excludes customer name, email, phone, address, and line items.

We do not request Shopify theme scopes or Shopify analytics scopes for the current Burnish product, and we do not request access to all-orders history (only the default order window).

2. Data We Store

Burnish stores the following data in a PostgreSQL database hosted on Supabase (US West region). The application services that process this data are hosted on Railway.

• Store identity: your store's Shopify domain and installation status.
• Catalog scoring and gap data: score outputs, issue summaries, and supporting readiness measurements.
• Audit logs: before-and-after snapshots of approved product changes made through Burnish.
• Billing and plan state: the information needed to manage subscription status through Shopify billing.
• Consent and settings records: merchant-controlled preferences and workflow approvals.
• Early-access and pre-install scan records: business email address, submitted Shopify store URL or myshopify handle, source and campaign metadata, qualification responses you submit, scan/report status, hashed IP data used for abuse prevention and rate limiting, and purchase status if you complete the $29 full-audit unlock.
• Purchase records: Stripe checkout references, purchase status, refund status, and the coupon issuance and redemption status tied to your $29 audit unlock. Burnish does not receive or store full card numbers.
• Google integration records: encrypted Google OAuth access and refresh tokens, granted scopes, token expiry, Search Console site URLs, GA4 property IDs, and GA4 property timezones when you connect Google Search Console or Google Analytics 4.
• Search and analytics metrics: Search Console query, landing page, click, impression, CTR, and position data; GA4 source, medium, campaign, landing page, session, user, conversion, and revenue data used for attribution reporting.
• Attribution evidence: known AI crawler user agents, AI referrer URLs, landing pages, timestamps, inferred AI-session confidence labels, and rollups used to separate SEO, GEO, paid, direct, and other organic revenue.

Burnish is designed around product and catalog operations, not end-customer data storage. We do not store your customers' names, email addresses, payment information, or shipping addresses as part of the normal landing-page, scan, or scoring workflow.

3. Third-Party Data Processing

Burnish may send relevant product and catalog data to approved LLM providers for scoring, analysis, and fix generation. This can include product titles, descriptions, metafield values, image URLs, and other merchant-controlled catalog fields required for the workflow.

If you submit a pre-install scan, we use the submitted business email and store URL to run the scan, deliver the report, prevent abuse, and follow up about early access. If you complete the $29 full-audit unlock, Stripe processes the payment and Burnish stores the checkout and refund references needed to operate the purchase and a 7-day refund window.

These providers may include OpenAI, Anthropic, Google, Perplexity, and xAI (Grok) under commercial API terms and a zero-retention or no-training posture where available.

Burnish also uses OpenRouter (Crystal Logic Inc.) as a routing layer for catalog-execution and scoring-auxiliary LLM calls — e.g. product description rewriting, vision analysis, prompt synthesis, and mention classification — to route requests to cost-appropriate models. OpenRouter acts as a GDPR Article 28 Processor under its Data Processing Agreement, holds SOC 2 Type II certification, and routes requests under EU Standard Contractual Clauses Module 2 (with UK and Swiss equivalents). Burnish asserts provider.data_collection: deny and provider.allow_fallbacks: false on every OpenRouter call so requests are routed only to provider endpoints that do not retain or train on the data, and documented processing instructions further bind OpenRouter to “routing only” — explicitly prohibiting training, fine-tuning, aggregation, or retention beyond what is operationally required.

If you connect Google Search Console or Google Analytics 4, Burnish calls Google APIs using the OAuth scopes you approve. Google-provided data is used only for Burnish attribution, reporting, and connection-health workflows.

Current infrastructure and subprocessors include Supabase for PostgreSQL hosting, Railway for application and worker hosting, Shopify for embedded app and billing services, Google for connected Search Console and GA4 APIs, OpenRouter for catalog-execution LLM routing, and the approved LLM providers listed above.

No customer personal information is intentionally sent to model providers as part of the normal Burnish workflow.

4. Data Retention

• Audit logs (the before-and-after record of approved product changes made through Burnish) are retained indefinitely as a permanent compliance trail. Enterprise-tier merchants can configure a custom retention floor.
• Snapshots (the short-term rollback window referenced by the “90-day rollback” promise) are retained for 90 days plus a 24-hour grace period, then pruned automatically.
• Store-level records, waitlist and pre-install scan records, Google connection records, attribution metrics, audit-unlock purchase records, and billing-related records are retained for the duration needed to operate Burnish and for reasonable operational or legal retention periods where required.
• Google OAuth tokens are removed or made unusable when the related connection is revoked or the shop deletion workflow runs.

5. Data Deletion

You can request deletion of all your data at any time by uninstalling the app or contacting us. When you uninstall Burnish:

• Your installation is marked inactive.
• Operational data is queued for deletion or retention handling according to our deletion workflow.

We also support Shopify's mandatory GDPR webhooks:

• Customer data erasure (customers/redact): handled according to Shopify platform requirements.
• Shop data erasure (shop/redact): removes data associated with the requesting shop according to our deletion workflow.

To request access to your store-level data, correct inaccurate records, or request deletion outside the uninstall flow, contact support@useburnish.com.

6. Data Security

All data is transmitted over HTTPS. Infrastructure providers are selected with commercial-grade security controls. Shopify and Google access tokens are encrypted at rest and are not exposed in merchant-facing content.

7. Cookies

Burnish does not set cookies. Authentication is handled through Shopify's session token mechanism.

8. Changes to This Policy

We may update this policy as Burnish evolves. Changes will be posted at this URL with an updated date.

9. Contact

For questions about your data or to request deletion, contact us at support@useburnish.com.