Legal
Privacy Policy
Last updated: 15 May 2026
Plain-English summary: Sauron is a Shopify app. To provide the service, we store your store's product and collection data, your Google Search Console and GA4 OAuth tokens, and your SEO settings. We send product data to AI providers (OpenRouter/Anthropic/Google) to generate SEO copy. We never sell your data. We never access your customers' personal data. You can request deletion at any time by uninstalling the app or emailing us.
1. Who we are
Sauron ("we", "us", "our") is a Shopify application operated by Sauron Labs. Our registered contact email is privacy@sauron.so.
This Privacy Policy explains how we collect, use, disclose, and safeguard information when you install and use the Sauron Shopify app (the "Service").
2. Information we collect
2.1 Information from Shopify
When you install Sauron from the Shopify App Store, Shopify provides us with access to your store data under the OAuth scopes you approve. This includes:
- Store URL, shop name, owner name, and owner email address
- Product titles, descriptions, images, tags, types, and variants
- Collection titles and descriptions
- Blog article titles, content, and metadata
- Published SEO meta titles and meta descriptions
- Theme file access (for schema markup and hreflang injection)
- Billing subscription status
We access only the data necessary to provide the Service. We do not access your customers' personal data (orders, customer profiles, addresses, payment details).
2.2 Information you provide directly
- Brand voice settings (tone, industry, audience description, USPs, words to avoid)
- LocalBusiness details (if you configure local schema)
- Alert thresholds and notification preferences
- Onboarding survey responses
2.3 Google integrations
If you connect Google Search Console or Google Analytics 4, we store:
- OAuth access tokens and refresh tokens for your Google account
- Search Console data: queries, impressions, clicks, average positions, URL coverage
- GA4 data: sessions, organic conversions, and revenue by landing page (for stores that connect GA4)
We use this data exclusively to display rank tracking, performance dashboards, and alerts within the Service. We do not share this data with third parties except as described in Section 4.
2.4 Usage data
- AI token usage per shop (counts of API calls and estimated cost) for billing enforcement and plan limits
- SEO job status and logs (AI generation runs, scan results, error logs)
- Backlink exchange activity if you opt in to the backlink network
2.5 Information we do NOT collect
- Your customers' names, email addresses, or personal data
- Order details or transaction data
- Payment card information (Shopify handles all billing)
- Cookies on your storefront (we do not inject tracking cookies)
3. How we use your information
We use the information we collect to:
- Provide the Service — generate AI SEO titles, meta descriptions, image alt text, schema markup, and blog content for your store
- Keyword research — send product and collection names to DataForSEO to retrieve search volume data
- Rank tracking — sync keyword positions from your connected Google Search Console account
- Performance analytics — display GA4 organic traffic and revenue data in the dashboard
- Backlink exchange — if you opt in, match your published blog articles with complementary articles from other opted-in stores
- Email alerts — send weekly digests and rank-drop alerts to your store owner email via Resend
- Billing enforcement — track AI generation counts to enforce plan limits
- Service improvement — aggregate, anonymised usage patterns to improve AI prompt quality and feature development
Legal basis (GDPR)
For merchants in the UK and European Economic Area, our legal bases for processing are:
- Contract performance — processing necessary to deliver the Service you have subscribed to
- Legitimate interests — improving the Service, preventing fraud, and maintaining security
- Consent — for optional features such as the backlink exchange network and weekly digest emails
4. Third parties we share data with
We share the minimum necessary data with the following sub-processors to provide the Service:
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| OpenRouter / Anthropic (Claude) | AI SEO copy generation, alt text, blog posts | Product titles, descriptions, brand voice settings | USA |
| Google (Gemini) | AI SEO copy generation for collections and keywords | Product and collection metadata | USA |
| DataForSEO | Keyword search volume and SERP data | Keyword strings (not personal data) | Ukraine / global CDN |
| Resend | Transactional email delivery | Store owner email, alert content | USA |
| Railway | Application hosting and database | All app data (encrypted at rest) | USA |
| Upstash / Redis | Background job queue processing | Transient job payloads (auto-deleted on completion) | USA |
| Google (GSC & GA4 APIs) | Search Console and Analytics data sync | OAuth tokens (stored encrypted) | USA |
We do not sell your data to any third party. We do not share your data with advertisers or data brokers.
5. Data retention
- Active subscription — data is retained for the duration of your subscription plus 30 days after uninstalling
- Uninstall — on uninstall, your Shopify access token is invalidated immediately. All store data is deleted within 30 days unless you reinstall
- Explicit deletion request — email privacy@sauron.so to request immediate deletion of all data associated with your store
- Google OAuth tokens — deleted immediately upon disconnecting GSC or GA4, or upon uninstalling the app
- Backlink network data — if you opt out of the backlink network, your articles are removed from the matching pool within 48 hours
- Anonymised analytics — aggregate, anonymised usage statistics may be retained indefinitely for service improvement
6. Data security
We implement the following security measures:
- All data is encrypted in transit using TLS 1.2 or higher
- Database data is encrypted at rest on Railway infrastructure
- OAuth tokens are stored encrypted using AES-256
- Access to production data is restricted to authorised personnel only
- Shopify HMAC verification on all webhook payloads
Despite these measures, no system is completely secure. We cannot guarantee absolute security of your data transmitted to or from the Service.
7. Your rights
All merchants
- Access — request a copy of the data we hold about your store
- Deletion — request deletion of all store data by emailing privacy@sauron.so or uninstalling the app
- Correction — request correction of inaccurate data we hold
- Opt-out of optional features — disconnect GSC/GA4 at any time, opt out of the backlink network, or disable weekly digest emails in settings
UK and EEA merchants (GDPR / UK GDPR)
- Portability — request your data in a machine-readable format
- Restriction — request that we restrict processing of your data in certain circumstances
- Objection — object to processing based on legitimate interests
- Lodge a complaint — you have the right to lodge a complaint with your national data protection authority (UK: ICO at ico.org.uk)
California merchants (CCPA)
California residents have the right to know what personal information we collect, request deletion, and opt out of sale. We do not sell personal information. To exercise your rights, email privacy@sauron.so.
8. Children's privacy
The Service is intended for use by business owners and is not directed at individuals under 18. We do not knowingly collect data from anyone under 18.
9. Changes to this policy
We may update this Privacy Policy from time to time. We will notify active merchants of material changes by email to the store owner address on file. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after a policy update constitutes acceptance of the revised policy.
10. Contact us
For privacy-related questions, data requests, or to exercise your rights:
- Email: privacy@sauron.so
- Response time: within 5 business days for general enquiries; within 30 days for formal GDPR requests