Privacy Policy
Last updated: 2026-05-24
WBS SEO Audit ("the app", "we", "our") is a SaaS tool for Shopify merchants that audits a connected Shopify store for SEO and AEO (answer engine optimization) issues and proposes AI-generated fixes the merchant can approve and apply with one click. This document explains what data we collect, why, where it goes, and your rights.
1. Who we are
WBS Agency SpA (Chile) is the data controller. Contact for any privacy question: soporte@agenciawbs.cl.
2. Data we collect
2.1 From you (the merchant)
- Email address — required to sign in via magic link (no password). Stored hashed in our session table.
- Name and avatar — only if you sign in via Google / your Shopify account; otherwise nothing besides email.
- Language preference — stored on your user record so the dashboard renders in your chosen language.
2.2 From your connected Shopify store
When you install the app from the Shopify App Store and approve the OAuth scopes, we read (and in some cases write, only with your explicit per-fix approval) the following resources via Shopify's Admin GraphQL API:
- Shop profile (name, primary domain, country, currency, locale).
- Products and product variants (title, description, images, metafields).
- Collections (title, description, smart/manual rules).
- Pages, blog posts and articles.
- Navigation menus.
We do NOT read or store: customer data, orders, payment information, draft orders, marketing consent records, or any PII belonging to the merchant's customers. Our scopes never include read_customers or read_orders.
2.3 From your public storefront (crawling)
We crawl the rendered HTML of the storefront (home + a sample of product/collection/page URLs) to verify what Google and AI search engines actually see. The crawl is performed by ScraperAPI proxies and never carries cookies, login state, or any personal identifier. Only the HTML markup is fetched.
2.4 Automated logs
We log audit runs, fix-generation events, applied changes and API usage per merchant for billing and troubleshooting. These logs are retained for 12 months.
3. Where data goes (sub-processors)
| Provider | Purpose | Data sent |
|---|---|---|
| Railway | Application hosting + Postgres + Redis | All of section 2 (encrypted at rest) |
| Shopify | OAuth + Admin GraphQL access | OAuth scopes you approved |
| Anthropic (Claude) | AI generation of titles, FAQs, alt text, descriptions | Product titles, descriptions, structured metadata (no PII) |
| OpenAI (GPT) | Fallback AI provider when Anthropic is unavailable | Same as Anthropic; only on failover |
| ScraperAPI | Rendering public storefront pages from a clean IP pool | Public URLs only; no merchant credentials |
| Resend | Transactional email (magic links, audit-complete notifications) | Your email address; email subject + body |
4. How we protect access tokens
Your Shopify access token is encrypted with AES-GCM-256 using a key stored only in Railway environment variables — never in source code or in any log. Reading the token from the database without the key is cryptographically infeasible.
5. Writing to your store
We write to your Shopify store ONLY when you explicitly click "Apply" on a specific fix in the Approval Center. We never auto-apply suggestions. Every applied change is logged in the Change History and can be reverted to its previous value with one click.
6. Data retention
- While you have an active subscription: we keep all audit data and applied-change history so you can review and revert at any time.
- When you uninstall the app: we receive a Shopify webhook (app/uninstalled) and immediately revoke the access token. Audit data is kept for 60 days in case you re-install, then anonymised.
- If you request deletion: see Section 9.
7. Cookies
We use one strictly-necessary cookie for session management (__Secure-authjs.session-token, httpOnly, secure) and one preference cookie (NEXT_LOCALE) to remember your language. We use no analytics cookies, no third-party tracking, and no marketing pixels.
8. Your rights
Depending on your jurisdiction (GDPR, CCPA, Chilean Law 21,096), you may have the right to access, rectify, port or delete your personal data. Email soporte@agenciawbs.cl and we'll respond within 30 days.
9. Customer data deletion (Shopify GDPR webhooks)
Per Shopify's mandatory privacy webhooks, when a merchant requests their shop be deleted or a customer requests data deletion, we receive the shop/redact and customers/redact webhooks. Because we do NOT store customer data (no orders, no customers scope), customer redaction is a no-op. Shop redaction triggers full deletion of all stored data for that shop within 30 days of receiving the webhook.
10. International transfers
Our hosting region is US-East (Railway). Sub-processors operate globally. If you're in the EU, your data may be transferred outside the EU under Standard Contractual Clauses with each sub-processor.
11. Changes to this policy
We will update the "Last updated" date when we change this policy. Material changes are emailed to active subscribers.
12. Contact
WBS Agency SpA · Chile · soporte@agenciawbs.cl