Skip to main content

Open for Agents

Privacy policy

This policy explains the limited information processed by the Open for Agents Shopify catalogue-assurance application.

Effective 2026-07-17. Document version 2026-07-17.1.

Operator

The application is operated by Enoki Limited, located at 14 Kenyon Avenue, Mount Eden, Auckland 1024, New Zealand.

Information processed

  • Shopify installation information, shop domain, granted scopes, offline access token and installation state.
  • Supported product, variant, publication, market, price, availability, disclosure, policy-presence and catalogue-title intent facts.
  • Normalized Storefront Catalog and public-web observations, source health, findings, changes and evidence receipts. Raw Catalog and public-web response bodies are discarded.
  • Scan history, retention settings, finding review actions and one optional encrypted operational-alert email address.
  • Minimized security and reliability logs containing bounded event codes and aggregate measurements.

The app does not request protected customer, company, order, checkout, payment, transaction, account or staff data.

Why information is used

Information is used to authenticate the installed shop, perform requested and scheduled read-only comparisons, preserve reproducible evidence, show material changes, deliver configured operational alerts, secure the service and meet Shopify privacy obligations.

Retention and deletion

  • Normalized scan evidence follows the merchant-selected 30, 90, 180 or 365-day retention window.
  • Alert-delivery webhook receipts expire after 90 days.
  • Removing an alert address deletes the encrypted address and cancels pending delivery.
  • Uninstall disables sessions, jobs and alerts. Shopify’s required redaction workflow deletes tenant evidence and retains only a keyed, non-reversible operational reference where required.
  • Active records are deleted when required. Supabase Pro retains up to seven daily database backups, so deleted data may remain in provider backups for up to seven days before expiry and is not restored to service without redaction reconciliation.

Providers and transfers

Application data is processed by Hetzner Cloud on the application server in the United States, Supabase for managed PostgreSQL and daily backups in us-east-1, Mailgun US for operational email, and a separate Hetzner server in Finland for availability monitoring. These providers may process data outside New Zealand under their contractual data-protection terms.

Security

Controls include TLS, Shopify authentication, least-privilege scopes, tenant-keyed authorization, bounded outbound requests, encrypted alert addresses, separated secrets, authenticated webhooks, minimized logs, retention controls, dependency review, backups and recovery testing. No system is absolutely secure.

Requests and contact

To request access, correction or deletion, or to ask a privacy question, email [email protected]. Report a security concern to [email protected].