Privacy Policy

Last updated: 2026-05-17

GEO-ify ("we", "us", "our") is a Shopify app operated by Legitimate LLC that audits and rewrites product copy to meet the technical requirements of AI shopping channels (ChatGPT Shopping, Google AI Mode, Microsoft Copilot, Perplexity). This policy explains what data we collect, how we use it, and how merchants and end shoppers can exercise their rights.

1. Data we collect

From merchants who install GEO-ify

• Shop profile: myshopify domain, shop ID, installed-at timestamp, subscription tier, and OAuth access tokens issued by Shopify for API access. Tokens are stored encrypted at rest and used only to call the Shopify Admin API on the shop’s behalf.
• Product catalog: product titles, descriptions, alt text, vendor, product type, tags, variant SKUs, GTINs/barcodes, prices, image URLs and metadata. We do not collect customer-facing storefront analytics or buyer behavior.
• Audit + rewrite history: findings produced by our deterministic rules engine, rewrites generated by our LLM pipeline, and an apply/revert audit log per rewrite. We retain original product values so merchants can revert any change.
• Usage metrics: per-month counts of rewrites generated and applied, and the LLM cost in cents, for billing reconciliation and quota enforcement.

From shoppers (your customers)

GEO-ify processes no customer personally identifiable information. Our app declares only the write_products Shopify access scope — we have no permission to read your customer database, orders, addresses, payment methods, or browsing behavior, and we do not request any such permission. Shopify’s mandatory GDPR webhooks (customers/data_request,customers/redact, shop/redact) are implemented and respond with HTTP 200 because no customer PII is stored to request, redact, or delete.

2. How we use the data

• Audit: deterministic checks against the ACP/UCP feed specs (no LLM involvement).
• Voice extraction + rewrites: we send a subset of product copy to our LLM provider (Moonshot AI’s Kimi K2.6 via OpenRouter) to infer a brand voice and generate compliant rewrites. The merchant’s brand voice is persisted so rewrites match the merchant’s existing copy patterns.
• Apply changes: approved rewrites are written back to the shop via the Shopify Admin GraphQL API productSet mutation. Original values are stored so any change can be reverted by the merchant at any time.
• Billing + quota: usage counters and Shopify billing subscription state are used to enforce free vs paid tier limits.

3. Third-party processors

• Shopify — OAuth + Admin API host. Operating under your existing contract with Shopify.
• OpenRouter (San Francisco, CA) — LLM API gateway. Product copy is transmitted for rewrite generation. OpenRouter forwards to the underlying model provider (Moonshot AI). See openrouter.ai/privacy.
• Moonshot AI — underlying LLM provider for the Kimi K2.6 model. OpenRouter’s default privacy policy applies; we do not enable training on data shared by your store. See platform.moonshot.ai/legal.
• Trigger.dev (London, UK) — background job runner for audits and rewrites. See trigger.dev/legal/privacy.
• Railway — hosting + managed Postgres for our application data. See railway.app/legal/privacy.

4. Data retention

• Active install data is retained for the lifetime of the install.
• When a merchant uninstalls GEO-ify, Shopify fires app/uninstalled; we mark the shop as uninstalled and revoke session tokens. Audit history is retained for 30 days in case of reinstall (per Shopify’s reinstall window).
• When Shopify fires shop/redact (48 hours after uninstall for stores older than 30 days, or on explicit merchant request), we delete all data associated with that shop within 24 hours.

5. Your rights

Merchants can request data access, correction, or deletion at any time by contacting us at support@geo-ify.com. We respond within 30 days per applicable law (GDPR, CCPA, etc.).

6. Security

All Shopify OAuth tokens are encrypted at rest. Application traffic is served over TLS 1.2+ via managed certificates. We follow Shopify’s App Store security requirements and run mandatory HMAC verification on every webhook delivery.

7. Children

GEO-ify is a B2B tool for Shopify merchants. We do not knowingly process data from anyone under 13.

8. Changes

We may update this policy from time to time. Changes will be posted at this URL with a new "Last updated" date. Material changes will be communicated via in-app notice or email to merchant contact addresses.

9. Contact

Legitimate LLC
support@geo-ify.com

Terms of Service · Home