Privacy Policy

Different roles apply to different activities under data protection law.

Where Kedra acts as a Processor for Merchant data, the terms of this Policy together with our Data Processing Addendum (available on request from info@kedra.io) form the basis of the processing.

4.1  Merchant & Shop information

Provided by Shopify on install, stored for the duration of installation:

• Shop ID and Shop domain (e.g. your-store.myshopify.com)
• Shop name, country, currency, primary language, time zone, plan
• Store owner name and email address (used only for support contact)
• Shopify access token issued to the App, scoped to the permissions granted at install
• Geographic information about the Shop (country, region) to localize the readiness audit

4.2  Storefront content (queried on demand, not synced)

To generate llms.txt and run the AI readiness audit, we query published storefront content from the Shopify Admin GraphQL API. We query, transform, cache the resulting file, and discard the source data — we do not maintain a synchronized mirror of your catalog.

• Product titles, descriptions, prices, image alt text, variants, GTINs/barcodes, vendors, types, tags
• Collection titles, descriptions, handles, product membership
• Blog post titles, content excerpts, handles
• Page titles, content excerpts, handles

4.3  Bot crawl logs (App Proxy)

When an AI bot fetches /apps/kedra/llms.txt on your storefront, we record:

• Bot User-Agent string
• Originating IP address (read from Shopify's x-original-forwarded-for header) — used solely to verify the bot's claimed identity against the operator's published IP ranges
• HTTP response code
• Timestamp

Note: these logs identify automated bots, not Visitors. The IP address recorded belongs to the AI provider's infrastructure (e.g. an OpenAI crawler IP), not a person.

4.4  AI traffic events (Shopify Web Pixel)

While the App is active and the Visitor has granted analytics consent (via the Shopify Customer Privacy API), the Web Pixel records:

• Page path visited
• Document referrer and UTM source — used to detect AI-assistant origin (e.g. chatgpt.com, perplexity.ai)
• Order total and currency on checkout_completed — used to attribute revenue to an AI assistant referral
• A first-party AI-source attribution cookie (kedra_ai_src), session-only, scoped to the Shopify pixel sandbox, containing only the AI source name (e.g. chatgpt)

4.5  IndexNow submission logs

When we submit changed URLs to Microsoft IndexNow on your behalf, we record the URLs submitted, the response code, and the timestamp.

4.6  Communication and support data

If you contact us by email, we retain the message and our response so we can help you. Information you provide in support correspondence (screenshots, account IDs) is treated as confidential.

4.7  App diagnostics

We collect minimal technical logs (request paths, error codes, timestamps) for the purpose of operating and debugging the App. These logs do not include personal data.

For Merchants and Visitors in the EU/EEA, UK, and Switzerland, the following legal bases under GDPR Article 6 apply:

8.1  Sub-processors

These vendors process data on our behalf under contractual confidentiality and data-protection terms.

8.2  Other recipients

We do not disclose information to advertising networks, data brokers, AI model providers (for training or inference), or marketing platforms.

The App's primary infrastructure is in the United States (Gadget.dev managed infrastructure). Data is also processed at the global edge by Cloudflare and at Shopify's regional infrastructure.

Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on:

• The European Commission's Standard Contractual Clauses (SCCs), modules 2 and 3 as appropriate
• The UK International Data Transfer Addendum to the SCCs
• The Swiss FDPIC-recognized SCCs for transfers from Switzerland
• Supplementary measures, including encryption in transit and at rest, access controls, and pseudonymization where feasible

Copies of the relevant transfer mechanisms are available on request from info@kedra.io. We do not transfer data to jurisdictions where applicable law would prevent a sub-processor from complying with their contractual privacy obligations.

We retain personal data only as long as needed for the purposes described above, then delete or fully anonymize it.

When you uninstall the App, Shopify's shop/redact webhook fires after 48 hours and we delete all Shop-scoped data within that handler. You may request earlier erasure by emailing info@kedra.io.

11.1  GDPR / UK GDPR (EU, EEA, UK, Switzerland)

EEA authorities: edpb.europa.eu. UK: ico.org.uk.

11.2  CCPA / CPRA (California)

California residents have the right to:

• Know what personal information we collect, the sources, the purposes, and the categories of recipients
• Delete personal information we have collected, subject to legal exceptions
• Correct inaccurate personal information
• Opt out of sale or sharing — we do not sell or share, and have not done so in the preceding 12 months
• Limit the use of sensitive personal information — we do not collect sensitive PI as defined under CPRA
• Non-discrimination for exercising any CCPA right
• Authorize an agent to make a request on your behalf

To exercise these rights, email info@kedra.io. We do not have actual knowledge that we sell or share personal information of consumers under 16.

11.3  Other US state privacy laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Tennessee (TIPA), and — effective 2026 — Indiana, Kentucky, and Rhode Island, have rights similar to those above, including access, correction, deletion, opt-out of targeted advertising and profiling, and (in several states) appeal of a decision. Email info@kedra.io. To appeal, reply to our response with the word "Appeal" in the subject line.

11.4  PIPEDA (Canada), LGPD (Brazil), PDPA (Singapore), Australian Privacy Act, others

You have substantially similar rights under these regimes. Use the same contact route.

11.5  How to exercise rights

We subscribe to and honor all three of Shopify's mandatory privacy compliance webhooks:

Webhook signatures are verified via HMAC; invalid signatures receive HTTP 401.

The App uses one cookie, set inside Shopify's strict Web Pixel sandbox on the Merchant's storefront (not in the Shopify admin):

The cookie is set only after the Visitor has granted analytics consent through the Merchant's Shopify Customer Privacy banner. If consent is not granted, no event is recorded and no cookie is set.

The Merchant remains responsible for displaying a compliant cookie / consent banner on their storefront and for honoring "Do Not Sell or Share" and "Global Privacy Control" signals as required by their jurisdiction. We honor whatever consent state Shopify exposes to the pixel.

We apply administrative, technical, and physical safeguards designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access:

No method of transmission or storage is 100% secure. If you suspect a security issue, email info@kedra.io with the subject "Security Report".

14.1  Personal data breach notification

If we become aware of a personal data breach affecting Merchant or Visitor data, we will:

• Notify the Merchant without undue delay and, where required by GDPR Art. 33, within 72 hours of becoming aware
• Provide the information required by Art. 33(3) — nature of breach, categories and approximate number of data subjects, likely consequences, measures taken
• Notify supervisory authorities and affected individuals where required by applicable law

The App is not directed to children. We do not knowingly collect personal information from anyone under 16 (or under the higher age of digital consent in the Visitor's jurisdiction). If you believe we have inadvertently collected such information, contact info@kedra.io and we will delete it promptly.

By installing the App, the Merchant warrants that:

• It has the legal right to share Shop, content, and Visitor data with the App
• It has provided Visitors with notices and obtained any consents required by applicable law (including for the Web Pixel, where required)
• It will display a compliant cookie / consent banner on its storefront
• It will reflect the App in its own privacy policy where required by law
• It will not use the App in violation of applicable law, Shopify's Acceptable Use Policy, or this Policy

If the Merchant requires a separate Data Processing Addendum (DPA) under GDPR Art. 28 or analogous laws, request a counter-signed copy from info@kedra.io.

We may update this Policy from time to time. When we do:

• The "Last updated" date at the top will change
• For material changes, we will provide reasonable advance notice through the App's dashboard and (where we have your email) by email — at least 30 days in advance for changes that expand our use of data, add a new category of data, or add a new sub-processor
• Continued use of the App after the effective date of a change constitutes acceptance, except where applicable law requires fresh consent

A versioned history of this policy is available on request.

This Policy is governed by the laws of the Republic of Lithuania, without regard to its conflict-of-laws principles. Nothing in this Policy limits any non-waivable rights you have under applicable law, including the right to lodge a complaint with your local supervisory authority.

For any privacy question, request, or complaint:

You also have the right to lodge a complaint with your local data protection authority. EEA: edpb.europa.eu. UK: ico.org.uk. California: cppa.ca.gov.

Current as of 2026-04-25. See Section 8.1 for the full table.

For Shopify reviewers verifying compliance:

• Webhook handler source: api/models/shopifyGdprRequest/actions/create.js
• Webhook subscriptions configured in shopify.app.toml under [webhooks]
• HMAC verification handled by the Gadget Shopify connection layer
• Response: HTTP 200 on success; HTTP 401 on invalid signature