Privacy Policy

Last updated: April 12, 2026

RunMyStore AI ("we," "us," or "our") operates the RunMyStore AI platform, a Shopify app that connects your store to Claude AI via the Model Context Protocol (MCP). This Privacy Policy explains how we collect, use, disclose, and protect your information.

1. Who We Are

RunMyStore AI is operated by TikiTaka3D. For privacy inquiries, contact us at contact@runmystoreai.com.

EU Representative (GDPR Article 27): Until a formal EU representative is designated, please direct all EU data protection inquiries to contact@runmystoreai.com. We will respond within 30 days and are actively working to appoint a formal representative in the EU.

UK Representative (UK GDPR): Until a formal UK representative is designated, please direct all UK data protection inquiries to contact@runmystoreai.com. We will respond within 30 days and are actively working to appoint a formal representative in the UK.

2. Data We Collect

2.1 Data collected directly from you

• Shop domain: Your Shopify store URL (e.g., my-store.myshopify.com), provided during the OAuth authorization flow
• OAuth tokens: Shopify access tokens and refresh tokens, used to connect Claude to your store. These are encrypted at rest using AES-256 (Fernet) encryption
• Billing information: If you subscribe to a premium tier, payment is processed by Stripe. We do not store credit card numbers — Stripe handles all payment data under PCI DSS Level 1 compliance

2.2 Data accessed from Shopify on your behalf

When you use RunMyStore AI through Claude, we access your Shopify store data in real time via the Shopify Admin API. This may include:

• Products (titles, descriptions, prices, inventory, images)
• Orders (order details, customer names, emails, addresses, payment status)
• Customers (names, emails, order history)
• Store settings (shop name, currency, timezone)
• Inventory levels and locations
• Discount codes and themes

We do not permanently store your customers' personal data. This data is read from Shopify on demand when you make a request through Claude and is not retained after the response is delivered.

2.3 Data generated by the service

• Bearer tokens: Authentication tokens for the MCP connection, stored as one-way SHA-256 hashes
• OAuth session data: Temporary session records created during authorization, automatically expired after 15 minutes
• Server logs: Request logs with PII automatically redacted (emails, tokens, and API keys are masked before logging)

3. How We Use Your Data

• To provide the service: Connecting Claude AI to your Shopify store so you can manage your store through natural language
• To authenticate you: Verifying your identity via OAuth 2.1 and maintaining your MCP connection
• To process payments: Managing premium subscriptions through Stripe (when applicable)
• To maintain security: Rate limiting, HMAC verification, and abuse prevention
• To respond to legal obligations: Complying with GDPR data subject requests, Shopify compliance webhooks, and applicable laws

We do NOT use your data to train, fine-tune, or improve any AI models. Your store data is processed by Anthropic's Claude AI solely to respond to your requests and is subject to Anthropic's data handling policies, which also prohibit using API inputs for model training.

4. AI Processing Disclosure

RunMyStore AI uses Anthropic's Claude AI to process your requests. When you interact with the service:

• Your Shopify store data is sent to Anthropic's API to generate responses
• Anthropic processes this data under their Privacy Policy and API terms
• Anthropic does not use API inputs to train their models
• Data is processed in the United States (Anthropic's infrastructure)

You are interacting with an AI system, not a human. All responses are generated by Claude AI based on your store data.

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

Data	Legal Basis	GDPR Article
Shop domain, OAuth tokens	Performance of contract — necessary to provide the service you requested	Art. 6(1)(b)
Billing data (via Stripe)	Performance of contract — necessary to process your subscription	Art. 6(1)(b)
Server logs	Legitimate interest — security monitoring and abuse prevention	Art. 6(1)(f)
Shopify customer data (accessed on demand)	Performance of contract — necessary to fulfill your instructions	Art. 6(1)(b)
GDPR compliance webhooks	Legal obligation — mandatory under GDPR and Shopify requirements	Art. 6(1)(c)

6. Data Retention

Data Category	Retention Period
Shopify access tokens (encrypted)	While your app is installed. Deleted within 30 days of uninstall via shop/redact webhook
Bearer tokens (hashed)	30 days from issuance, or until you disconnect
OAuth sessions	15 minutes (automatically expired)
User records (user ID, shop domain, tier)	While your app is installed. Deleted within 30 days of uninstall
Server logs	90 days (PII redacted before storage)
Billing records (via Stripe)	7 years per tax/accounting requirements
Customer PII from Shopify	Not retained — accessed in real time and not stored

7. Data Sharing and Subprocessors

We share your data only with the following third-party service providers ("subprocessors"), each necessary to operate the service:

Subprocessor	Purpose	Data Shared	Location
Anthropic	AI processing (Claude API)	Store data included in your requests	United States
Shopify	E-commerce platform / data source	OAuth tokens, API queries	Canada / United States
Stripe	Payment processing	Billing information for premium tiers	United States
Hetzner	Server infrastructure	All data stored on our servers	Germany (EU)

A full subprocessor list with change notification is available at /legal/subprocessors.

We do not sell, rent, or trade your personal data. We do not share your data with any parties beyond those listed above.

8. Affiliate Commissions Disclosure

RunMyStore AI recommends third-party services across categories like email marketing, SMS, reviews, social media, design, SEO, and analytics. When you sign up for a recommended service through our tracked referral link, we may earn a commission from that provider. This does not affect the price you pay — commissions are paid out of the provider's marketing budget, not yours.

How the tracking works in practice:

• Cookie tracking. Clicking a recommendation link sets a referral cookie operated by the provider's affiliate network (for example, Impact for Klaviyo). If you sign up within the cookie window (typically 30–90 days), the conversion is attributed to RunMyStore AI.
• What we share. The provider receives only the information you give them directly when you sign up (your email, business details, etc.). RunMyStore AI does not transmit your customer or end-user data to any recommended provider.
• Opting out. If you prefer not to be tracked through our link, navigate directly to the provider's website instead. The recommendation itself is unaffected.

We rank recommendations based on fit for your store — store profile, current pricing, onboarding ease, and recent provider signal — not commission rate. We will not let differences in commission terms drive a ranking. A complete list of providers we have tracked relationships with is available on request at privacy@runmystoreai.com.

9. Your Rights

9.1 Rights under GDPR (EU/UK residents)

You have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erase your data ("right to be forgotten") (Art. 17)
• Restrict processing (Art. 18)
• Data portability — receive your data in a structured format (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Lodge a complaint with your local supervisory authority

We will respond to all data subject requests within 30 days.

9.2 Rights under CCPA/CPRA (California residents)

California residents have the right to know what personal information we collect, request deletion, request correction, and opt out of the sale or sharing of personal information. We do not sell or share personal information as defined by the CCPA.

9.3 Rights under PIPEDA (Canadian residents)

Canadian residents have the right to access their personal information, challenge its accuracy, and withdraw consent for its collection, use, or disclosure.

9.4 Rights under LGPD (Brazilian residents)

Brazilian residents have rights including access, correction, anonymization, deletion, data portability, and information about data sharing.

9.5 US State Privacy Rights

Residents of states with comprehensive privacy laws (including Texas, Virginia, Colorado, Connecticut, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Maryland, Minnesota, Tennessee, Indiana, Kentucky, Rhode Island, and others) have rights to access, delete, correct, and opt out of targeted advertising and data sales. To exercise these rights, contact us at the address below.

We do not sell your personal data. We do not share your personal data for targeted advertising. We do not engage in profiling for automated decision-making. Because we do not sell data or engage in targeted advertising, there is no opt-out mechanism required — but if you have concerns, contact us and we will address them within 30 days.

10. International Data Transfers

Your data may be transferred to and processed in the United States (Anthropic, Stripe) and Germany (Hetzner). For transfers from the EU/EEA/UK, we rely on:

• EU-US Data Privacy Framework (where applicable)
• Standard Contractual Clauses (SCCs) approved by the European Commission
• The UK International Data Transfer Agreement (IDTA) for UK transfers

11. Security

We implement appropriate technical and organizational measures to protect your data:

• Shopify tokens encrypted at rest (AES-256 / Fernet)
• Bearer tokens stored as irreversible SHA-256 hashes
• All connections encrypted in transit (TLS 1.2+)
• HMAC-SHA256 verification on all Shopify webhooks
• OAuth 2.1 with PKCE for authorization
• CSRF protection on all state-changing operations
• PII automatically redacted from server logs
• Rate limiting to prevent abuse
• Security headers on all responses (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)

12. Cookies

The RunMyStore AI app uses only strictly necessary cookies for authentication and CSRF protection. These cookies are:

• Session cookies for OAuth authorization flow (expire after 15 minutes)
• CSRF tokens to prevent cross-site request forgery

We do not use analytics, tracking, or marketing cookies in the app. No cookie consent is required for strictly necessary cookies under the ePrivacy Directive.

Do Not Track (CalOPPA): Our service does not track users across third-party websites and does not respond to "Do Not Track" (DNT) browser signals because we do not engage in cross-site tracking. We only use strictly necessary cookies as described above.

13. Children's Privacy

RunMyStore AI is a business-to-business service for Shopify store owners. We do not knowingly collect personal information from children under 16. If we learn we have collected data from a child, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date and, for significant changes, by email or in-app notification at least 30 days before the changes take effect.

15. Contact Us

For privacy inquiries, data subject requests, or complaints:

• Email: contact@runmystoreai.com
• Support: support@runmystoreai.com

We aim to respond to all inquiries within 30 days.