Privacy Policy
Last updated: 1 May 2026
This Privacy Policy describes how Deepseatools ("we", "us", or "our") collects, uses, and protects information when you use the StorePulse Shopify application (the "Service"). By installing or using StorePulse, you agree to this Policy.
1. Scope
This policy applies to merchants who install StorePulse on their Shopify store, and to the storefront visitors of those merchants whose interactions are captured by the Service for monitoring purposes.
Merchants are the data controllers for their storefront visitor data. Deepseatools is the data processor acting on the merchant's behalf.
2. Information we collect
2.1 From the merchant
- Shop domain (example.myshopify.com) and Shopify store ID.
- OAuth access token, scope, and session, encrypted at rest.
- Notification email address(es) you configure for alerts (up to 3).
- Configuration preferences (alert thresholds, scheduled scan settings, etc.).
- Plan tier, billing status, and Shopify subscription metadata.
2.2 From the merchant's storefront
StorePulse captures technical signals from your storefront for monitoring purposes:
- JavaScript errors — error message, stack trace, page URL, browser user agent, viewport size.
- Core Web Vitals — LCP, CLS, INP, FCP, TTFB measurements with the page URL where they were recorded.
- Funnel events — checkout-funnel signals (page viewed, product viewed, add-to-cart, checkout started/completed) emitted by Shopify's Web Pixel API. We receive aggregate event names, page URL, monetary value, currency, and Shopify-issued checkoutId/orderId when present.
- Session ID — a random opaque string generated by our snippet to deduplicate events from the same browser session. Not linked to a specific person.
- Shopify webhooks — order, refund, and inventory webhooks for the merchant's store. We process these to fire alerts; we do not store customer PII from order webhooks.
2.3 What we do NOT collect
StorePulse does not capture, store, or transmit:
- Customer names, email addresses, phone numbers, or postal addresses.
- Order line items or product names from individual orders.
- Payment information, credit card numbers, or any payment instrument data.
- Form input values, keystrokes, or session replay video.
- IP addresses — our application code never reads, stores, or logs the storefront visitor's IP. Cloudflare may transiently see the IP at the network edge for routing and abuse protection, but it is not persisted in our database or attached to any event we ingest.
3. How we use information
We use the data described above only for the following purposes:
- Display monitoring data, errors, and alerts inside the StorePulse admin app.
- Generate AI-assisted fix proposals via Anthropic's Claude API (only when a merchant explicitly requests an AI fix or theme review).
- Send alert emails to the merchant's configured notification addresses.
- Operate, maintain, debug, and improve the Service.
- Comply with legal obligations.
We do not use merchant or storefront data to train AI models or for advertising, and we do not sell it to third parties.
4. When we share information
We share information only with:
- Subprocessors listed in section 5, strictly to operate the Service.
- Legal authorities when required by law (court order, valid subpoena, etc.).
- Successors in the event of a merger, acquisition, or asset sale, with notice to merchants.
We never sell your data or your customers' data.
5. Subprocessors
StorePulse uses the following third-party services to operate. Each is bound by a data processing agreement.
| Subprocessor | Purpose | Data accessed |
|---|---|---|
| Cloudflare, Inc. | Hosting, edge compute, database (D1), object storage, DNS, queues, browser rendering | All Service data |
| Anthropic PBC | AI error fixes and theme review (Claude API) | Error message, stack trace, theme code (only when merchant requests AI fix) |
| Resend, Inc. | Transactional email delivery for alerts | Recipient email, alert content |
| Shopify Inc. | App distribution, OAuth, billing, webhooks, theme rendering | Shop domain, OAuth token, webhook payloads |
Anthropic's API has zero data retention enabled by default — they do not store or train on data we send.
6. Data retention
Storefront monitoring data is retained according to the merchant's plan tier:
- Free — 7 days
- Starter — 30 days
- Pro — 90 days
- Max — 180 days
Older data is automatically and irreversibly purged daily.
On uninstall, all merchant and storefront data is permanently deleted within 48 hours, in accordance with Shopify's GDPR mandatory webhooks (customers/redact, shop/redact, customers/data_request).
7. Cookies & similar technologies
The StorePulse admin app (inside Shopify) relies on Shopify's session cookies for authentication. We do not set marketing or analytics cookies.
Our storefront snippet generates a random session ID per browser session, stored in sessionStorage (not a cookie). It is purely a deduplication identifier and contains no personal data.
8. Your rights
Merchants and their customers have the following rights regarding personal data:
- Access — request a copy of data we hold about you.
- Correction — ask us to correct inaccurate data.
- Deletion — request permanent deletion (auto-honoured on uninstall, or on demand).
- Objection & restriction — object to specific processing activities.
- Portability — receive a machine-readable export.
To exercise any right, email support@deepseatools.in with your shop domain. We respond within 30 days. Customers of merchants should contact the merchant directly; we will respond on the merchant's behalf when authorised.
9. Security
We implement industry-standard safeguards:
- TLS 1.2+ encryption in transit for all network connections.
- Encryption at rest for OAuth tokens and merchant secrets (AES-256).
- Cloudflare Workers' isolate-based execution model for tenant isolation.
- Internal Workers have public URLs disabled where they are not user-facing endpoints.
- Per-merchant rate limits on AI features to cap any abuse impact.
- Regular security reviews of dependencies and infrastructure.
No system is 100% secure; we make commercially reasonable efforts to protect data.
10. Children
StorePulse is a B2B service for Shopify merchants. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via in-app notice or email to the merchant's registered address at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Questions, requests, or complaints about this policy:
- Email: support@deepseatools.in
- Operator: Deepseatools (India)