What we collect
- Your shop’s myshopify.com domain (used to identify your store in our database).
- Your Shopify access token (encrypted at rest; used only to call Shopify’s API on your behalf).
- Lighthouse scan results from your public storefront pages (LCP, TBT, scripts loaded, etc.).
- Aggregate analytics you grant via Shopify (monthly sessions, average order value, conversion rate — used for revenue projection only).
What we do NOT collect
- Customer names, addresses, emails, phone numbers, or any personally identifiable information.
- Order contents, line items, or financial details.
- Anything stored in your storefront’s customer accounts.
How we use the data
- Generate per-app performance audits and revenue projections.
- Store scan history for trend comparison.
- Nothing else. We do not sell, share, or use the data for any other purpose.
Data retention
- Scan results are kept for 30 days (Free plan) or 365 days (Pro / Plus plans).
- On app uninstall, all data is automatically deleted within 48 hours via Shopify’s shop/redact webhook.
- Merchants can request immediate deletion at dan@defyn.com.au.
Sub-processors
- Vercel (US East) — hosts the app; stores nothing persistently.
- Neon (AP-SOUTHEAST-2 Sydney) — Postgres database for scan results.
- Browserless.io (US West) — runs Lighthouse against your public storefront.
GDPR compliance
Store Auditor honors Shopify’s GDPR compliance webhooks: customers/data_request, customers/redact, and shop/redact. Because we do not store any personally identifiable customer data, customer-scoped requests return an empty payload; shop-scoped requests trigger a cascading deletion of all scan history within 48 hours.