Privacy Policy
Last updated: March 10, 2026
SP Control ("we", "our", "the App") provides a Model Context Protocol (MCP) bridge that connects your AI clients to your Shopify store. This policy explains what data we access, how we use it, and your rights.
1. Data We Access
When you install SP Control, we request access to the following Shopify store data through the Shopify Admin API:
- Products — titles, descriptions, prices, inventory, images, variants
- Orders — order details, line items, fulfillment status, shipping info
- Customers — names, email addresses, order history (read-only)
- Discounts — discount codes and rules
- Inventory — stock levels and locations
- Store settings — store name, currency, timezone
2. How We Use Your Data
We do NOT store your Shopify store data. All product, order, customer, and inventory data flows directly between your AI client and the Shopify API through our MCP bridge. We act as a pass-through — your data is not cached, logged, or retained on our servers.
We store only the minimum required for the service to function:
- OAuth access token — used to authenticate API calls on your behalf
- Shop domain — to identify your store
- Usage logs — which tools were called, success/failure, and response time (no request/response payloads)
- Plan and billing status — Free or Pro subscription
3. Data Sharing
We do not sell, rent, or share your data with third parties. Your data is only transmitted to:
- Shopify — via the official Admin API, to fulfill your requests
- Your AI client — the responses are sent to whatever MCP-compatible client you connect (Claude Desktop, Cursor, Windsurf, etc.)
4. AI/ML Policy
In accordance with Shopify's Partner Program Agreement, we do not use merchant or customer data for AI/ML model training. Your data is never used to train, fine-tune, or improve any AI system.
5. Data Storage and Security
- OAuth tokens are stored in Supabase (PostgreSQL) with Row-Level Security (RLS) enabled
- All data is transmitted over HTTPS/TLS
- MCP URLs are unique per store and should be treated as secrets
- We do not have access to your Shopify admin password
6. Data Retention and Deletion
- When you uninstall the app, we receive a webhook from Shopify and mark your store as disconnected
- OAuth tokens are invalidated immediately upon uninstall
- Usage logs are retained for 90 days, then automatically deleted
- You can request full data deletion by contacting us
7. GDPR and Data Rights
We implement Shopify's mandatory compliance webhooks and comply with GDPR. You have the right to:
- Access — request a copy of data we hold about your store
- Deletion — request complete deletion of your data
- Portability — receive your data in a machine-readable format
8. Cookies
We use only essential cookies for OAuth session management. We do not use tracking cookies or analytics.
9. Changes
We may update this policy from time to time. Changes will be posted on this page with an updated date.
10. Contact
For privacy questions or concerns, contact us at: support@spcontrol.dev