SourceCraft: AI Product Sourcing for Shopify

Privacy Policy

What we collect, what we don't, and why.

Last updated 2026-05-24.

1. Who we are

SourceCraft ("the app") is operated under the brand name Shinoki Lab by an independent developer based in Taiwan (R.O.C.). For the purposes of GDPR and analogous data-protection laws, the operator of Shinoki Lab is the data controller of any personal data processed through the app. For questions about this policy or to exercise your rights described in section 9, contact us at support@shinokilab.com.

2. The short version

SourceCraft is an embedded Shopify app that helps merchants pick products to source. We read shop-level information from Shopify (shop domain, country, currency, session tokens) and the search queries the merchant types into the app. We do not read, copy, or store any of the shop's customers, orders, inventory, or existing product catalog. The only call that writes anything to the merchant's Shopify store is a draft-product creation, and only when the merchant explicitly clicks "Create draft for this product". Other Shopify Admin API calls we make are limited to authentication, session exchange, a read-only query for shop currency and country (so prices and regional filters render correctly), the AppSubscription billing flow, and acknowledging Shopify's webhooks.

3. What we collect from Shopify

  • Shop identity: shop domain, country code, currency — captured at install and refreshed when Shopify notifies us of a change (e.g., on the app/scopes_update webhook).
  • Session tokens: the Shopify-issued OAuth session, persisted by Shopify's official session-storage library so the app can authenticate with the Admin API on the merchant's behalf.
  • Granted scope: currently write_products only. We do not request read_products or any customer / order / inventory scope. The granted write_products scope is exercised solely to create a draft product when the merchant explicitly clicks "Create draft for this product" — we never call the read side of that scope.

We do not request, receive, or store customer profiles, customer email addresses, order data, payment data, or storefront inventory. The database schema (prisma/schema.prisma) contains no customer-level table.

4. What the merchant gives us

  • Search prompts: the natural-language queries the merchant types in (for example, "trending pet feeders for autumn"). Stored on RecommendationRun.query.
  • Recommendation history: the products served back for each query, plus any items the merchant starred or drafted. Stored on RecommendationRun, RecommendationItem, and SavedProduct. When the merchant creates a draft, the resulting Shopify product GID is also stored against the recommendation so the UI can mark it "Drafted" on later visits.

5. Third parties

To produce recommendations, the merchant's search prompt, the structured search intent we derive from that prompt (target regions, price range, platform preferences), and the shop's country and currency (so results are filtered to the right region and priced in the right currency) are forwarded to OpenAI for intent parsing and web-search candidate generation (Chat Completions and Responses APIs). No store-side data is forwarded — no customer information, no order data, no existing catalog. Per OpenAI's current API data-usage policies (linked below), data submitted via its API is not used to train OpenAI's models by default; we link rather than restate so this section stays accurate if OpenAI's policy changes. OpenAI's API data usage policies.

We do not sell, rent, or share merchant data with anyone else, and we do not run any advertising or analytics network inside the app. For the purposes of the California Consumer Privacy Act and California Privacy Rights Act, we do not "sell" or "share" personal information as those terms are defined under those statutes.

Automated decisions. Recommendations are generated by automated systems, including large language models. They are informational only: every action that materially affects the merchant's store (creating a draft product, choosing a supplier, setting a price) requires an explicit click by the merchant. We do not make decisions with legal or similarly significant effect about the merchant solely by automated means, and so GDPR Article 22 does not apply to these recommendations.

6. Legal basis for processing

We process the data described above on the following legal bases (Article 6 GDPR and equivalent provisions in other jurisdictions):

  • Performance of a contract — running the recommendation pipeline, persisting the merchant's history, and creating drafts on request are necessary to provide the service the merchant installed the app for.
  • Compliance with a legal obligation — handling Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact).
  • Legitimate interest — keeping minimal server logs for debugging and security, and pruning stale candidate data on a fixed schedule.

7. International data transfers

The application server runs in Taiwan (R.O.C.). OpenAI processes data in the United States. Where data is transferred outside the European Economic Area, United Kingdom, or other jurisdictions with cross-border restrictions, the transfer relies on contractual safeguards equivalent to the European Commission's Standard Contractual Clauses provided by the receiving processor (OpenAI's terms include such clauses for EEA / UK data).

8. How long we keep things

  • Shop record, recommendation runs, saved products: kept for as long as the app is installed. On uninstall, all shop-scoped rows are cascade-deleted without undue delay, typically as part of processing Shopify's app/uninstalled webhook; the shop/redact webhook that Shopify fires roughly 48 hours later runs as defense-in-depth against an already-empty record (see section 10).
  • Server logs (request lines, pipeline traces): held on the application server only as long as needed for debugging and incident response — typically no more than 30 days — and rotated automatically by the host.

9. Your rights

Depending on where you are based, you may have the following rights under GDPR, UK GDPR, CCPA, or other applicable data-protection laws:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data (subject to legal-retention exceptions). Uninstalling the app also triggers deletion via Shopify's shop/redact webhook.
  • Restriction — ask us to limit processing while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on our legitimate interests.
  • Withdraw consent — where processing relies on consent, withdraw that consent at any time (uninstalling the app is the most direct way).
  • Lodge a complaint with the data-protection supervisory authority in your jurisdiction.

To exercise any of these rights, email us at support@shinokilab.com. We aim to respond within 30 days.

10. GDPR and Shopify mandatory webhooks

SourceCraft implements the three Shopify compliance webhooks:

  • customers/data_request — acknowledges with HTTP 200. We have no customer-level data to deliver.
  • customers/redact — acknowledges with HTTP 200. We have no customer-level data to delete.
  • shop/redact — runs the same transactional cascade delete described below, as defense-in-depth. By the time this webhook arrives (Shopify fires it roughly 48 hours after uninstall), the shop's data has typically already been removed by our app/uninstalled handler.

The primary deletion trigger is the app/uninstalled webhook, which Shopify fires immediately when the merchant uninstalls. Our handler transactionally cascade-deletes the shop record and every row scoped to that shop (sessions, recommendation runs, recommendation items, saved products, source snapshots linked to that shop's runs) before returning HTTP 200. Merchants can also request immediate deletion at any time by emailing us at support@shinokilab.com.

11. Security

We follow standard practices to protect the data we hold:

  • All traffic to and from the app is served over TLS / HTTPS.
  • The database holding merchant data — including the Shopify session and the OAuth access token used to call the Admin API on the merchant's behalf — is not exposed to the public internet.
  • Administrative endpoints (/api/admin/*) are gated by a server-side token; the diagnostics page requires the same token to load.
  • Only the developer behind Shinoki Lab accesses shop-scoped data, and only for operating, maintaining, debugging, or supporting the service — limited to what's necessary for the task at hand.

No system is impenetrable. If a security incident materially affects merchant data, we will notify affected merchants without undue delay and, where applicable law requires us as the controller to do so, the relevant supervisory authorities within the timeframes that law sets (for example, GDPR Article 33's 72-hour window).

12. Cookies and local storage

The app uses only the session cookies that Shopify itself sets for embedded apps. We do not set any analytics, advertising, or tracking cookies of our own.

We write a single key to the browser's localStorage (under the name sourcecraft.trialBanner.dismissed.v1) to remember when the merchant has dismissed the in-app trial banner. This value is never transmitted back to our server and contains no personal information. Shopify's App Bridge framework, which powers the embedded admin experience, may also write to browser storage to support its own session handling and navigation; those values are controlled by Shopify, not by us.

13. Children's privacy

SourceCraft is a business-to-business tool for Shopify merchants. It is not directed to, and we do not knowingly collect personal information from, individuals under the age of 16. If you believe a child has provided us with personal data, email us at support@shinokilab.com and we will delete it.

14. Changes to this policy

We may update this policy from time to time. Material changes will be reflected in the "Last updated" date above and, where practical, communicated in-app or by email at least 30 days before they take effect. Continued use of the app after the effective date constitutes acceptance of the updated policy.

15. Contact

Questions about this policy, requests to exercise the rights in section 9, or anything else: support@shinokilab.com.