Privacy Policy
This Privacy Policy explains how UCP Audit (“we”, “us”, “our”) collects, uses, and protects information when you use our website at ucp-audit.example.com and the related Shopify app. By using the service you agree to the practices described below.
1. What we collect
We run a tight ship. The information we collect is limited to what is needed to provide the audit tool and, optionally, notify you when the full product launches.
Information you give us
- Email address — only if you submit the waitlist form.
- Shop URL — only if you paste a URL into the audit form. The URL is processed in your browser to derive the public /products.json endpoint.
Information collected automatically
- IP address — used only for rate-limiting abusive requests. We hash the IP (SHA-256) and store the hash, not the raw IP. Raw IPs are not retained.
- Aggregated, non-identifying request metadata — e.g. HTTP status code, response size, and request path. Retained for 7 days for security and capacity planning.
We do not collect: full product data, customer data, order data, payment information, device fingerprints, advertising identifiers, or any data outside the above list.
2. Why we collect it
- Email — to send you a single launch announcement when the full UCP-feed product is available, and to delete your entry from the waitlist when you unsubscribe.
- Shop URL — to fetch the public /products.json from your browser, score your catalog against the 8 UCP-readiness rules, and render the report on the page. The URL itself is not stored.
- Hashed IP — to enforce per-IP request budgets that protect the service from abuse.
Legal bases under the GDPR: consent (waitlist email) and legitimate interest (rate-limiting to keep the service available).
3. Shopify’s role
Shopify is the platform on which our app runs. We do not store, log, or back up the product data we transform on behalf of merchants. The flow is:
- An AI agent (or a merchant auditing their own store) calls our Worker.
- The Worker fetches the merchant’s product data from Shopify’s public APIs in real time.
- The Worker rewrites the data into the UCP-compliant feed format.
- The rewritten feed is returned to the caller. The Worker discards the in-memory representation immediately after the response is sent.
We do not write product data to durable storage, do not replicate it to a database, and do not train models on it.
4. Data retention
- Waitlist email — held until you unsubscribe or until 24 months of inactivity, whichever comes first. One-click unsubscribe is included in every email.
- Hashed IP — retained for 24 hours, then dropped from the rate-limit cache.
- Request metadata — retained for 7 days in logs, then aggregated and the originals deleted.
- Product feed cache — cached at the edge for 5 minutes (TTL) to keep the service fast. The cache is keyed on the shop URL and contains no merchant-identifying information beyond the URL itself; the cache is wiped on TTL expiry.
5. Your GDPR rights
If you are in the EEA, the UK, or Switzerland, you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate data.
- Erasure (“right to be forgotten”).
- Restriction or objection to our processing.
- Data portability in a machine-readable format.
- Withdraw consent at any time, without affecting prior processing.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@ucp-feed.example.com. We respond within 30 days.
6. Sub-processors
We use one sub-processor: Cloudflare, Inc.
- Cloudflare Workers — runs the request-handling code that transforms product feeds.
- Cloudflare D1 — stores the waitlist email list (encrypted at rest, TLS in transit).
- Cloudflare KV — stores the rate-limit counters (hashed IPs only).
Cloudflare’s data-processing addendum and standard contractual clauses apply. No other third parties receive your data.
7. Cookies & tracking
The website sets no cookies. We do not use Google Analytics, Meta Pixel, or any third-party tracking script. The audit runs entirely in your browser; the only network calls leaving your device are (a) your browser fetching the merchant’s public /products.json, and (b) your browser submitting the waitlist form (if you choose to).
8. International transfers
Our infrastructure is operated by Cloudflare, which stores data in the regions you select at sign-up. Waitlist email is stored in the EU (Cloudflare’s Frankfurt region). We rely on Cloudflare’s SCCs for any cross-border transfer.
9. Changes to this policy
If we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify active waitlist subscribers by email. The previous version will be archived and available on request.
10. Contact
Email: privacy@ucp-feed.example.com
Postal address: To be supplied before going live — counsel to confirm registered address.