Effective June 22, 2026

Privacy Policy

ShelfPilot provides commerce analytics and weekly operating reports for ecommerce and CPG businesses across Amazon, Shopify, Meta, and other authorized channels. This policy explains what data we collect, how we use it, and how customers can request deletion or support.

Information we collect

• Account information, including email address, business name, hashed password, session records, and support correspondence.
• Authorized Shopify data, such as store domain, access tokens, product titles, inventory levels, recent order totals, refunds, line-item titles, quantities, customer/order fields returned by the Shopify Admin API, and derived metrics.
• Authorized Amazon Seller data, such as seller account identifiers, marketplace information, OAuth access and refresh tokens, order totals where available, FBA inventory summaries, fulfillment data, listing or catalog fields, promotion report metrics, ASIN, SKU, account performance metrics, and derived marketplace recommendations.
• Authorized Meta Ads data, if connected, such as Meta access tokens, page or business identifiers, ad account identifiers, campaign names, spend, impressions, clicks, purchase actions, and purchase value.
• Generated report content, sync-run status, operational recommendations, and app preferences.
• Technical information needed to operate the app, such as request metadata, error logs, and security audit events.

How we use information

• To authenticate users and maintain secure sessions.
• To connect, sync, normalize, display, and analyze authorized commerce and advertising data.
• To generate weekly business reports, recommendations, and email-preview content.
• To maintain authenticated connections to Amazon, Shopify, Meta, and other connected platforms.
• To troubleshoot sync failures, protect the service, and respond to support requests.
• To meet legal, platform, security, and abuse-prevention obligations.

We do not sell, rent, or share customer data with third parties for marketing purposes.

Amazon Selling Partner API data

ShelfPilot accesses Amazon seller data through the Amazon Selling Partner API only after authorization. We access only the data necessary to provide weekly reporting, inventory, marketplace, and operational insights, and we handle Amazon data according to Amazon's applicable developer and data protection requirements.

Connector tokens and credentials

ShelfPilot stores connector access tokens and refresh tokens only for the signed-in account that authorized the connection. Tokens are stored server-side and are not exposed in the browser after submission. Production deployments should use durable server-side storage, encryption for connector token stores, and sensitive environment variables for platform secrets.

Sharing and subprocessors

We share data only with infrastructure and service providers needed to operate the app, such as hosting, storage, logging, and AI generation providers when configured. Data sent to AI generation is limited to synced facts and business context needed to produce the requested report.

Retention

We retain account, connector, sync, and report data while an account is active or as needed to provide the service, troubleshoot issues, comply with law, and protect the service. We delete or de-identify account data after a verified deletion request unless retention is legally required.

User choices

• Users can revoke Amazon access in Seller Central under Settings, User Permissions, Authorized Applications.
• Users can revoke Shopify access in Shopify Admin under Settings, Apps and sales channels.
• Users can disconnect Meta access in Meta Business tools or by contacting support.
• Users can request deletion of their ShelfPilot account and stored synced data.
• Users can request help exporting or identifying stored business data.

Third-party services

ShelfPilot integrates with third-party platforms subject to their own privacy notices:

• Amazon Privacy Notice
• Shopify Privacy Policy
• Meta Privacy Policy

Security

We use HTTPS, HTTP-only session cookies, password hashing, same-origin protections, scoped per-user storage, and server-side connector token handling. More detail is available in the Security Overview.

Children's privacy

ShelfPilot is a business tool intended for adults. We do not knowingly collect information from anyone under the age of 18.

Changes to this policy

We may update this Privacy Policy from time to time. Material updates will be reflected by changing the effective date on this page.

Contact

Privacy and deletion requests can be sent to meng@shelfpilot.io. See Data Deletion Instructions for the request process.