Privacy Policy — Plugstore
Last updated: April 3, 2026
Plugstore ("we", "us") provides a remote MCP server that connects your Shopify store to AI assistants like Claude and ChatGPT. This policy explains what data we collect, how we protect it, and your rights.
Data controller: Plugstore — contact: support@plugstore.io
1. Data We Collect
1.1 Data stored on our servers
When you install the Shopify app, we store:
- Your Shopify store domain (e.g.
your-store.myshopify.com) - Encrypted OAuth tokens (Shopify access token and refresh token)
- Subscription and plan metadata (plan tier, billing interval, usage counters)
All tokens are encrypted at rest using AES-256-GCM. Encryption keys are stored separately from the database.
1.2 Data we do NOT store
We do not store any of your Shopify store data — products, orders, customers, or any other business data. All queries are proxied in real time to the Shopify Admin API and never persisted.
1.3 Cookies, analytics, and tracking
We do not use cookies for tracking, analytics platforms, or any third-party tracking technologies. A temporary session cookie may be used during the OAuth installation flow only.
2. How We Use Your Data
We process your data exclusively to:
- Authenticate your store and proxy API requests to Shopify on your behalf
- Manage your subscription and enforce plan limits
- Comply with Shopify and GDPR legal obligations
We do not sell your data. We do not use your data for marketing, profiling, or automated decision-making.
3. Third-Party Services
Your data may be processed by the following infrastructure providers, solely to operate the service:
| Provider | Purpose | Data received |
|---|---|---|
| Supabase (AWS) | Database hosting | Encrypted tokens, store domain, subscription data |
| Railway | Application hosting | Application logs (no PII) |
| Shopify | Store API access | API queries initiated by you through your AI assistant |
All providers are bound by their respective data protection agreements. No data is shared with any other third party.
4. Data Retention and Deletion
We retain your data only while the app is installed on your store.
When you uninstall the app, all your data is deleted immediately:
- OAuth tokens are destroyed
- Subscription metadata is removed
- Active server processes for your store are terminated
As a safety net, Shopify sends a shop/redact request within 48 hours of uninstall, which triggers a second deletion pass.
Customer data requests: Since we do not store any customer personal data, there is nothing to export or delete in response to GDPR customer data requests. These events are logged for audit purposes only.
5. Security
- All tokens encrypted at rest with AES-256-GCM (application-level encryption)
- All communications over HTTPS/TLS
- Encryption keys stored separately from the database
- Key material zeroed from memory after use
- Documented incident response and key rotation procedures
6. Your Rights
You may at any time:
- Access your data by contacting us
- Delete your data by uninstalling the app (immediate effect)
- Request information about how your data is processed
For any privacy-related request: support@plugstore.io
7. Changes to This Policy
We may update this policy as needed. Changes will be published at this URL with an updated "Last updated" date.