Last updated: 2026-06-06
Privacy Policy
This policy describes the personal data Legible processes, the legal basis for that processing, the sub-processors we engage, how long we retain information, and the rights available to merchants and end users under the GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.
1. About this policy
This Privacy Policy (the "Policy") explains how Legible ("Legible," "we," "us," or "our") collects, uses, discloses, transfers, retains, and protects personal data when you install or use the Legible Shopify application (the "App"), visit the marketing site at trylegible.com (the "Site"), or otherwise interact with us.
Legible is a Shopify app that audits a merchant's product catalog and produces a readiness score across six core pillars — AI description quality, image coverage, alt-text coverage, metafield coverage, taxonomy consistency, and duplicate detection — plus a multilingual coverage pillar for stores that sell in multiple languages. Legible also publishes AI-generated product content — description rewrites, structured product metafields (such as a subtitle or care guide), and category/taxonomy attributes — back to a merchant's Shopify catalog when, and only when, the merchant clicks Apply on a specific suggestion. The App requests four read scopes at install — read_products, read_locales, read_translations, and read_orders — plus one optional write scope, write_products, which Shopify prompts the merchant to grant separately the first time they choose to Apply a change. The App uses read_orders in a strictly data-minimized way: it reads only an order's identifier, creation date, line-item quantities with the associated product, and order total — never a customer name, email, phone number, or address — and persists only non-personal per-product daily sales aggregates (units sold and revenue), discarding the raw order immediately. This supports the before/after sales-impact view that shows merchants the effect of their catalog optimizations. The App does not request the read_customers scope and does not access, store, or transmit Shopify customer, payment, fulfilment, or staff data.
Plain-language summary. We process the product catalog of merchants who install the App in order to generate quality scores, recommendations, and AI-generated content (description rewrites, product metafields, and category/taxonomy attributes) that the merchant manually approves before they are published to Shopify. We also read a data-minimized slice of order data (quantities, product, and order total — never any customer detail) to show before/after sales impact, and we keep only non-personal per-product daily sales aggregates from it. We do not process shopper, payment, fulfilment, or staff data, and we do not store any customer-identifying information. The write capability is optional: a merchant can install and run the full audit with read-only access, and is asked to grant write access only when they decide to Apply a change. We do not sell personal data. We do not use merchant data to train artificial-intelligence models, and our AI sub-processors (Anthropic and Voyage AI) are contractually prohibited from training on our submissions. Where we engage sub-processors, they act on our written instructions under appropriate transfer safeguards.
2. Who we are (data controller)
For the purposes of Article 4(7) of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Article 4(7) of the UK GDPR, the data controller for personal data processed in connection with the App and the Site is:
Hamza Ziouine, sole proprietor trading as Legible
Rabat, Kingdom of Morocco
Email (privacy and data protection requests): hamza@trylegible.com
Legible operates as a sole-proprietor business and does not have a designated Data Protection Officer because the legal threshold for mandatory appointment under Article 37 GDPR is not met. Privacy enquiries are handled by the founder directly at the email above.
Where Legible is acting as a processor on behalf of a merchant in respect of personal data contained within the merchant's product catalog (for example, where a merchant has elected to include personal data in product copy), the merchant is the controller and Legible processes such data only on the merchant's documented instructions.
3. Information we collect
We collect only the categories of information described below. We do not collect categories of information we do not need.
3.1 Shop information
- Shop primary domain (for example, your-store.myshopify.com) and shop ID.
- Shopify plan tier and locale, where exposed by the Shopify Admin API.
- Install, uninstall, and re-install events with timestamps.
- OAuth access token issued by Shopify at install time, used solely to authenticate API calls back to your shop.
3.2 Catalog data
- Product titles, descriptions, body HTML, vendor, product type, tags, and handle.
- Product variants and SKUs (text only; we do not record inventory levels).
- Product image URLs (we read the URLs published on Shopify's CDN; we do not download or store the image files themselves).
- Product metafields (namespace, key, type, and value).
- Product translations and locale data exposed by read_translations and read_locales.
- Vector embeddings derived from product text, used for duplicate and near-duplicate detection.
- AI-generated description rewrites cached against each product (these are the suggestions presented to the merchant before they click Apply).
3.3 Write-back audit log
When a merchant clicks Apply on a specific AI-generated suggestion, Legible publishes the change to Shopify and records the event in a tenant-isolated WriteLog audit table. Two kinds of change are supported: a product description rewrite (published via the productUpdate mutation) and a structured product metafield value (published via the metafieldsSet mutation). Both write paths require the optional write_products scope and run through the same approval, audit, undo, and conflict-guard machinery. Each row contains: shop ID, product ID, the field written (description or the metafield namespace/key), the previous value (captured from Shopify immediately before the write), the new value (what we wrote), the AI model identifier, the apply timestamp, the expiry timestamp (30 days after apply), and the row status (applied / reverted / conflict). The previous and new values are required to support the 30-day undo and the conflict-resolution guard described in Section 13.
3.4 Billing and subscription data
Subscription, plan, trial-state, charge ID, and billing status are received from Shopify's Billing API. We never receive, store, or process payment-card numbers, card-verification values, or bank account information. All payment instruments are handled by Shopify.
3.5 Diagnostic and usage data
- Sync timestamps and durations.
- Error codes and stack traces (with product content redacted before logging).
- Aggregated counts of products processed, scores produced, and webhook events received.
- Compliance audit-log entries recording receipt and processing of mandatory Shopify privacy webhooks.
3.6 Marketing site information
When you visit trylegible.com we receive standard server-log information (IP address, user-agent, referrer, request path) and aggregated analytics described in Section 12. We do not place advertising or behavioural-tracking cookies.
3.6a Order-derived sales aggregates
Under the read_orders scope, the App reads a strictly limited slice of each order for the sole purpose of measuring the before/after sales impact of catalog optimizations. The orders query reads only: the order identifier, the order creation date, line-item quantities and the associated product identifier, and the order total amount. It does not read — and the App never stores — customer names, email addresses, phone numbers, shipping or billing addresses, order notes, payment methods, or any other customer-identifying field. The raw order is held only transiently in memory while it is aggregated; nothing customer-keyed is persisted. The only data retained is a per-product, per-day aggregate (units sold and revenue in the shop's currency) stored in the OrderDailyRollup table. Because these aggregates carry no customer linkage, they are not personal data of any shopper. The reading window is the trailing 60 days available under read_orders; the App measures forward from the date of an optimization and does not backfill historical data.
3.7 Information we do NOT collect
The App does not request and does not have access to: customer personal data (names, email addresses, phone numbers, shipping addresses), order-level customer detail, draft orders, abandoned checkouts, customer accounts, payment data, gift-card data, or staff-account data. While the App holds the read_orders scope, it reads orders in the data-minimized way described in Section 3.6a and never stores any customer-identifying field. The App does not request the read_customers, read_payment_mandate, read_files, or related scopes. The optional write_products scope — granted by the merchant only when they choose to Apply a change — is used solely to publish two kinds of merchant-approved product content: AI-generated description rewrites and structured product metafield values. No other product field, and no non-product resource, is ever written.
4. Lawful basis for processing (GDPR Article 6)
For each category of processing, the legal basis on which we rely is set out in the table below.
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Provision of the App, including authentication, syncing the catalog, generating pillar scores, generating AI description rewrites and metafield suggestions for merchant review, publishing approved description and metafield changes to Shopify on merchant click (under the optional write_products scope), and presenting all of the above in the embedded admin UI. | Shop information; catalog data; diagnostic data; write-back audit log. | Performance of a contract — Article 6(1)(b) GDPR. |
| Billing, plan management, trial management, invoice generation, and subscription enforcement. | Billing and subscription data. | Performance of a contract — Article 6(1)(b) GDPR. |
| Service improvement, error monitoring, fraud and abuse prevention, and security analytics. | Diagnostic and usage data; aggregated counts. | Legitimate interests — Article 6(1)(f) GDPR. We have conducted a balancing test and concluded that our interest in operating a reliable, secure service does not override the rights and freedoms of data subjects, given the limited scope of data and the absence of profiling or automated decision-making with legal effect. |
| Measuring the before/after sales impact of catalog optimizations, by reading a data-minimized slice of order data (Section 3.6a) and retaining only non-personal per-product daily sales aggregates. | Order-derived sales aggregates (units and revenue per product per day). No customer-identifying data is read or stored. | Performance of a contract — Article 6(1)(b) GDPR, in respect of the merchant. The retained aggregates contain no shopper personal data; the limited order fields read to produce them are processed transiently and never persisted in customer-identifiable form. |
| Compliance with mandatory Shopify privacy webhooks (customers/data_request, customers/redact, shop/redact) and responding to data-subject requests. | Compliance audit log; shop information. | Compliance with a legal obligation — Article 6(1)(c) GDPR. |
| Marketing-site analytics in aggregated, cookieless form. | Aggregated visit counts, country, device class. | Legitimate interests — Article 6(1)(f) GDPR. No personal identifiers are collected; no behavioural profile is constructed. |
We do not rely on consent (Article 6(1)(a)) as a legal basis for processing in connection with the App. We do not engage in special-category processing under Article 9 GDPR. We do not carry out automated decision-making producing legal or similarly significant effects under Article 22 GDPR.
5. How we use information
We use the information described in Section 3 only for the purposes listed below:
- To authenticate the App against your shop and execute Shopify Admin GraphQL queries on your behalf.
- To synchronise your product catalog into our database for analysis.
- To generate readiness scores across the six core pillars — plus the multilingual pillar for stores that sell in multiple languages — and to surface remediation suggestions in the embedded admin UI.
- To send product titles and descriptions to Anthropic for (a) AI-readability scoring and (b) generation of suggested description rewrites, which are presented in the embedded admin UI for merchant review (see Section 6).
- To publish an AI-generated change — a description rewrite (via the productUpdate mutation), a structured product metafield value, or a category/taxonomy attribute (both via the metafieldsSet mutation, the taxonomy attribute written as a product_taxonomy_value_reference) — back to your Shopify product, but only when you have granted the optional write_products scope and clicked Apply on a specific suggestion. The previous and new values, along with the apply and expiry timestamps, are recorded in the WriteLog audit table described in Section 3.3 to support the 30-day undo and conflict-resolution guard described in Section 13.
- To generate vector embeddings of product text via Voyage AI for duplicate and near-duplicate detection.
- To monitor sync performance, detect errors, and operate the service reliably.
- To bill the merchant in accordance with the selected plan, via Shopify's Billing API.
- To respond to merchant support requests.
- To comply with mandatory Shopify privacy webhooks and applicable law, and to maintain an audit log of compliance actions.
- To detect, prevent, and respond to fraud, abuse, and security incidents.
We do not use merchant data to train artificial-intelligence or machine-learning models, whether our own or those of any third party. Anthropic does not train on our API inputs per its commercial Data Processing Addendum. We have opted out of Voyage AI's data retention and model-training program under its Section 3(iii) opt-out (see Section 6); going forward, Voyage AI retains zero data from our submissions and does not use it to train any model. We do not sell personal data. We do not share personal data with advertising networks or data brokers. We do not engage in cross-context behavioural advertising.
6. Sub-processors
We engage the following third parties to process personal data on our behalf. Each sub-processor is bound by a written agreement that incorporates obligations no less protective than those set out in Article 28 GDPR. We update this list when we add or replace a sub-processor.
| Sub-processor | Role | Data shared | Location | Transfer mechanism |
|---|---|---|---|---|
| Anthropic, PBC | AI inference for (a) description-quality scoring and (b) generation of suggested description rewrites, product metafield values, and category/taxonomy attributes that the merchant reviews and may explicitly Apply, all via Claude Haiku 4.5. Every suggestion is gated by our hallucination scan and prompt-injection guard before persistence (see Section 13). | Product titles, descriptions, existing metafield context, and product-type/taxonomy context only. No customer or order data. | United States. | Standard Contractual Clauses (Module 2 / Module 3, as applicable) under Anthropic's Data Processing Addendum. Anthropic does not train models on API inputs. |
| Voyage AI Innovations Inc. | Text embedding for duplicate and near-duplicate detection (voyage-3-lite model). | Product titles, descriptions, and tags. No customer or order data. | United States. | Standard Contractual Clauses under Voyage AI's Data Processing Addendum. We have opted out under Section 3 paragraph 2 of Voyage AI's Terms of Service (the "Section 3(iii) opt-out"); going forward, Voyage AI retains zero data from our submissions and does not use it to train any model. |
| Fly.io, Inc. | Application compute and persistent storage volume. | All App data while the App is in use, stored on an encrypted volume. | Paris, France (region cdg) — European Union. | Processing within the EEA. Fly.io is contracted under its standard Data Processing Addendum which incorporates Standard Contractual Clauses for any onward transfer. Fly.io does not use stored data to train artificial-intelligence or machine-learning models. |
| Cloudflare, Inc. — R2 Object Storage | Encrypted, point-in-time database backups via Litestream replication. | Encrypted backup snapshots of the application database. | European Union (R2 jurisdiction eu). | Processing within the EEA. Cloudflare's R2 Data Processing Addendum incorporates Standard Contractual Clauses for any onward transfer outside the EEA. |
| Vercel Inc. | Hosting of the marketing site at trylegible.com. The App itself does not run on Vercel and no merchant catalog data is stored there. | Marketing-site request logs only. | United States and global edge network. | EU-U.S. Data Privacy Framework (Vercel certification) and Standard Contractual Clauses where applicable, under Vercel's Data Processing Addendum. |
| Cloudflare, Inc. — Web Analytics | Aggregated, cookieless visit analytics on the marketing site. | Aggregated request metadata. No cookies, no cross-site identifiers, no personal data linkage. | Cloudflare global edge network. | Cloudflare's Data Processing Addendum incorporating Standard Contractual Clauses for any cross-border transfers. |
| Shopify Inc. | Source of merchant catalog data (Admin API), session authentication, and billing. Shopify is the platform on which the App operates and is treated as an independent controller for its own platform data. | The App authenticates as the merchant against the Shopify Admin API. | Canada / United States / global. | Shopify operates under its own published Data Processing Addendum and Standard Contractual Clauses. See Shopify's sub-processor list. |
We will give merchants reasonable advance notice of material additions to or replacements of sub-processors via the App admin and the Site, so that merchants may exercise any right to object.
7. International data transfers
Legible is established in the Kingdom of Morocco. The primary processing location for App data is the European Union (Fly.io Paris region) and EU-region object storage (Cloudflare R2 eu jurisdiction). Certain sub-processors — notably Anthropic and Voyage AI — process limited categories of data in the United States.
Where personal data is transferred outside the European Economic Area or the United Kingdom to a country that has not been the subject of an adequacy decision under Article 45 GDPR or the UK equivalent, we rely on appropriate safeguards under Article 46 GDPR. In practice, these are:
- The European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), with the UK International Data Transfer Addendum where the UK GDPR applies, incorporated into each sub-processor's Data Processing Addendum.
- Where available and applicable, certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.
- Supplementary technical and organisational measures, including encryption in transit (TLS 1.2 or higher), encryption at rest, scope minimisation (we send only product text, never customer or order data), and contractual prohibitions on onward transfer.
You may request a copy of the relevant transfer safeguards by contacting us at the address in Section 16.
8. Data retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, including any retention required to comply with our legal obligations, resolve disputes, and enforce our agreements. The default retention periods are set out in the table below.
| Data category | Retention period | Trigger for deletion |
|---|---|---|
| Catalog data, scores, embeddings, access tokens, and cached AI-generated description rewrites. | Duration of the active subscription, plus up to 30 days following uninstall. | Receipt of app/uninstalled or shop/redact webhook from Shopify, or merchant deletion request. |
| WriteLog audit table (records of description rewrites and metafield values applied to Shopify, including the field written, previous value, new value, model identifier, and apply/expiry/revert timestamps). | 30 days from the apply date for rows in applied status. Rows in reverted or conflict status are retained for 2 years as metadata audit (with the value payload purged after 30 days). | Automated retention sweep removes applied rows and purges reverted/conflict value payloads once past the 30-day window; full delete on receipt of shop/redact. |
| OrderDailyRollup (non-personal per-product daily sales aggregates — units and revenue — derived from order data per Section 3.6a; no customer linkage). | Duration of the active subscription, plus up to 30 days following uninstall. | Cascade-deleted with the shop record on receipt of shop/redact, or on merchant deletion request. No customer-level redaction applies because no customer data is stored. |
| Compliance audit log (records of GDPR webhooks received and actions taken). | 2 years from the date the entry is created. | Automated purge after the retention window. |
| Webhook deduplication records (used to prevent double-processing). | 7 days from receipt of the webhook. | Automated purge after the retention window. |
| Billing records and invoices required for tax and accounting compliance. | Up to 10 years where required by applicable tax or accounting law, in line with the controller's local obligations. | End of the statutory retention period. |
| Encrypted database backups (Litestream → Cloudflare R2). | Rolling window aligned with the active backup policy; superseded snapshots are pruned automatically. | Backup retention policy expiry. |
| Marketing-site analytics. | As stated in the Cloudflare Web Analytics retention policy at the time of collection (aggregated, non-identifying). | Cloudflare-side retention expiry. |
| Diagnostic logs and error traces. | Up to 30 days, with product-content fields redacted before logging. | Automated rotation. |
Where deletion is not technically feasible immediately (for example, residual copies in encrypted backups), we isolate the data, prevent further processing, and overwrite or expire it through the backup rotation, with the maximum residency described above.
9. Your rights
9.1 Rights under the GDPR and the UK GDPR
If you are located in the European Economic Area, the United Kingdom, or Switzerland, or if your personal data is otherwise subject to the GDPR or the UK GDPR, you have the following rights:
- Right of access (Article 15) — to obtain confirmation as to whether or not we are processing your personal data and, if so, a copy of that data.
- Right to rectification (Article 16) — to obtain the rectification of inaccurate personal data and the completion of incomplete personal data.
- Right to erasure (Article 17), also known as the right to be forgotten — to obtain the erasure of personal data without undue delay where one of the grounds in Article 17(1) applies.
- Right to restriction of processing (Article 18) — to obtain the restriction of processing in the circumstances set out in Article 18(1).
- Right to data portability (Article 20) — to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
- Right to object (Article 21) — to object on grounds relating to your particular situation to processing carried out under Article 6(1)(f) (legitimate interests). Where you exercise this right, we will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Rights in relation to automated decision-making (Article 22) — not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Legible does not engage in such processing.
- Right to withdraw consent (Article 7(3)) — where processing is based on consent. Legible does not rely on consent for any App processing, so this right is generally not engaged in respect of the App.
- Right to lodge a complaint with a supervisory authority (Article 77) — see Section 17 below.
9.2 Rights under the California Consumer Privacy Act (CCPA/CPRA)
If you are a California resident, you have the following rights under the CCPA, as amended by the CPRA:
- Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes of collection, and the categories of third parties with which we share personal information.
- Right to delete personal information we have collected from you, subject to the statutory exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. Legible does not sell personal information and does not share personal information for cross-context behavioural advertising, so this right is not engaged.
- Right to limit the use of sensitive personal information. Legible does not collect sensitive personal information within the meaning of CPRA § 1798.140(ae).
- Right to non-discrimination for exercising any CCPA right. We will not deny service, charge a different price, or provide a different level of quality because you exercised a privacy right.
You may exercise these rights yourself or through an authorised agent acting on your behalf, in accordance with CCPA Regulations § 7063.
9.3 Other jurisdictions
Residents of other U.S. states with comprehensive privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana) have analogous rights. We honour verifiable requests on the same basis described above.
10. How to exercise your rights
To exercise any right described in Section 9, send an email to hamza@trylegible.com with the subject line "Privacy request". Please include:
- Your name and the email address associated with the request;
- If you are a Shopify merchant, the .myshopify.com domain of the relevant shop;
- The right you wish to exercise and a brief description of the request;
- Sufficient information for us to verify your identity. For merchant requests, verification will normally consist of confirming the request from the email address registered as the Shopify store owner.
We will acknowledge receipt of your request without undue delay and will respond substantively within 30 days, in accordance with Article 12(3) GDPR. Where the request is complex or where we receive a high volume of requests, we may extend this period by up to a further two months and will inform you of any extension within the initial 30 days.
Where we are unable to verify your identity to a reasonable degree of certainty, we may decline the request and will explain why. There is no fee for exercising your rights, save for the limited circumstances permitted under Article 12(5) GDPR.
11. Mandatory Shopify privacy webhooks
The App implements the three mandatory Shopify privacy webhooks. Each is HMAC-verified on receipt. Records of receipt and the action taken are written to the compliance audit log described in Sections 3.4 and 8.
11.1 customers/data_request
Triggered when a shopper exercises a right of access against a merchant who uses the App. Although the App holds the read_orders scope, it reads orders only in the data-minimized way described in Section 3.6a and stores no customer-identifying data — the only order-derived data retained is non-personal per-product daily sales aggregates with no customer linkage. The App does not request the read_customers scope. We therefore respond to the merchant confirming that no shopper personal data is held. The acknowledgement is logged.
11.2 customers/redact
Triggered when a shopper exercises a right to erasure against a merchant who uses the App, 48 hours after the merchant receives the request. The webhook is acknowledged; because the App stores no shopper or customer data, no further action is required. The acknowledgement is logged.
11.3 shop/redact
Triggered 48 hours after a merchant uninstalls the App. On receipt, we initiate full deletion of shop information, catalog data, scores, embeddings, the WriteLog audit table, the non-personal OrderDailyRollup sales aggregates, diagnostic logs, and the access token associated with the shop. Deletion is completed within 30 days of receipt. The compliance audit-log entry retained under Section 8 contains only the shop ID and the timestamps of the deletion lifecycle, not catalog content.
13. Security
We have implemented technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 GDPR. These measures include:
- Encryption in transit. All traffic between the merchant browser, Shopify, the App, and our sub-processors is encrypted using TLS 1.2 or higher.
- Encryption at rest. The Fly.io persistent volume hosting the application database is encrypted at rest by the underlying infrastructure. Cloudflare R2 backup objects are encrypted at rest by R2.
- Continuous backup. The application database is replicated to Cloudflare R2 (EU jurisdiction) using Litestream, providing point-in-time recovery and disaster-recovery capability.
- Access controls. Production credentials are scoped per environment and held in Fly.io secrets. Administrative access to production is limited to the founder.
- Webhook integrity. All inbound Shopify webhooks are HMAC-verified before processing, with replay protection by deduplication record.
- Log hygiene. Application logs redact product-content fields. We do not log access tokens or webhook payloads in plain text.
- Scope minimisation. The App installs with four read scopes — read_products, read_locales, read_translations, and read_orders — and requests one optional write scope, write_products, which Shopify prompts the merchant to grant separately the first time they choose to Apply a change. A merchant can run the full audit without ever granting write access. read_orders is used only to produce non-personal per-product daily sales aggregates for the before/after sales-impact view, in the data-minimized manner described in Section 3.6a: the orders query reads only order id, creation date, line-item quantity and product, and order total, and never a customer-identifying field. The write_products scope is used solely to publish merchant-approved product content — a description rewrite (via productUpdate), a structured product metafield value, or a category/taxonomy attribute (both via metafieldsSet, the taxonomy attribute written as a product_taxonomy_value_reference); no other product field, and no non-product resource, is ever written. The App does not request the read_customers, read_payment_mandate, read_files, or other scopes. A server-side scope guard verifies the live granted scope set before every write and refuses the operation with an insufficientScope error if write access has not been granted.
- Hallucination scan. Each AI-generated description rewrite must pass a regex-based hallucination scan before it is persisted as a suggestion. The scan rejects rewrites that introduce unsupported regulatory claims (for example, references to organic, certified, FDA, ISO, gluten-free, cruelty-free, vegan, fair-trade, hypoallergenic, or "cures/treats/prevents"), unsupported numeric claims with units (currency, dimensions, weight, capacity, percentages), or brand names not present in the source description. A failed rewrite is not shown to the merchant.
- Prompt-injection guard. A versioned prompt-injection test battery and system-prompt hardening are enforced to resist instruction-override attempts embedded in product text. Any rewrite that contains hallucinated regulatory, numeric, or brand claims resulting from a successful injection is caught by the hallucination scan and rejected before persistence.
- Per-plan daily catalog-write cap. Successful catalog writes (descriptions, metafields, and taxonomy attributes) are capped per shop in a rolling 24-hour window (Starter 500, Pro 2,000, Business 10,000). Undoing a previous write does not consume the cap. The cap is enforced server-side before the Shopify mutation fires.
- 30-day undo with conflict guard. Every applied write logs a row to the WriteLog audit table allowing the merchant to undo for 30 days. Before performing an undo, Legible reads the current value of the affected field from Shopify and compares it to what we wrote. If the two differ — meaning another tool or the merchant edited that field in Shopify between our apply and the undo — Legible refuses to silently overwrite the foreign edit and presents a three-way diff for manual review.
- Tenant isolation. Every WriteLog query is filtered by Shopify shop ID. A forged identifier from a client cannot retrieve another shop's records.
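A minimal sketch of the check described in the Hallucination scan and Prompt-injection guard items above, added here as an illustration and not Legible's own code. The regex forms, the unit list, the `known_brands` parameter, and the sample descriptions are assumptions.

```python
import re

# Terms are the ones the policy lists; the regex forms are assumptions.
REGULATORY = re.compile(
    r"\b(?:organic|certified|fda|iso|gluten[- ]free|cruelty[- ]free|vegan|"
    r"fair[- ]trade|hypoallergenic|cures?|treats?|prevents?)\b", re.I)

# A currency amount, or a number followed by a unit (assumed unit list).
NUMERIC = re.compile(
    r"[$€£]\s?\d+(?:[.,]\d+)?"
    r"|\b\d+(?:[.,]\d+)?\s?(?:%|(?:mm|cm|m|inch(?:es)?|ft|g|kg|oz|lbs?|ml|l)\b)",
    re.I)

# Constructed sample data, not real catalog content.
BRANDS = ["Acme", "Globex"]
SOURCE = "Cotton tote bag, 40 cm wide, holds 10 kg. Made by Acme."
SAFE = "A roomy cotton tote, 40cm wide, that carries up to 10 kg. By Acme."
INJECTED = ("Certified organic cotton tote by Globex, now 50% off at $9.99. "
            "Prevents back pain.")


def _claims(pattern, text):
    """Matches of `pattern` in `text`, lowercased, spaces and hyphens removed."""
    return {re.sub(r"[\s-]+", "", m.group(0)).lower()
            for m in pattern.finditer(text)}


def scan_rewrite(source, rewrite, known_brands=()):
    """Return (category, claim) findings; an empty list means the rewrite passes."""
    findings = []
    for category, pattern in (("regulatory", REGULATORY), ("numeric", NUMERIC)):
        # Only claims the rewrite introduces count; claims in the source are supported.
        for claim in sorted(_claims(pattern, rewrite) - _claims(pattern, source)):
            findings.append((category, claim))
    for brand in known_brands:
        pat = re.compile(r"\b" + re.escape(brand) + r"\b", re.I)
        if pat.search(rewrite) and not pat.search(source):
            findings.append(("brand", brand.lower()))
    return findings


def should_persist(source, rewrite, known_brands=()):
    """Fail closed: any finding keeps the rewrite from being stored as a suggestion."""
    return not scan_rewrite(source, rewrite, known_brands)


if __name__ == "__main__":
    for name, text in (("safe", SAFE), ("injected", INJECTED)):
        print(name, scan_rewrite(SOURCE, text, BRANDS))
```

Because the scan compares the rewrite against the source rather than trusting the model, it applies the same way whether an unsupported claim came from ordinary model error or from instructions embedded in product text.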
Incident notification. If we become aware of a personal-data breach affecting merchant data, we will notify the affected merchants without undue delay, and in any event within 72 hours of becoming aware of the breach where the breach is likely to result in a risk to the rights and freedoms of natural persons, in accordance with Article 33 GDPR. The notification will include the nature of the breach, the categories and approximate volume of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
To report a vulnerability, please email hamza@trylegible.com before public disclosure.
14. Children
The App and the Site are intended for use by Shopify merchants in the operation of their businesses and are not directed to children. We do not knowingly collect personal data from children under the age of 16 (or the equivalent minimum age in the relevant jurisdiction). If you believe a child has provided personal data to us, please contact hamza@trylegible.com and we will take appropriate steps to delete such information.
15. Changes to this policy
We may update this Policy from time to time to reflect changes in our practices, in our sub-processor list, or in applicable law. The "Last updated" date at the top of this page identifies the current version. Where we make material changes, we will provide notice through one or more of the following channels, as appropriate:
- An in-app banner shown on the next admin login by the merchant after the change takes effect;
- An email to the merchant's billing or technical contact, where we hold one;
- A post on the Site changelog at /changelog.
Where the change materially affects the categories of data processed, the sub-processors engaged, or the rights of data subjects, we will provide reasonable advance notice before the change takes effect, so that merchants may exercise any right to object or to terminate their subscription.
16. Contact
For any question, request, or complaint relating to this Policy or to our processing of personal data, please contact:
Hamza Ziouine
Sole proprietor, trading as Legible
Founder and privacy contact
Rabat, Kingdom of Morocco
Email: hamza@trylegible.com
We aim to respond to all enquiries within five business days and to substantive privacy requests within the timeframes set out in Section 10.
17. Supervisory authorities
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a competent supervisory authority if you consider that the processing of your personal data infringes applicable data protection law.
- European Economic Area. A complete list of national data protection authorities is maintained by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members_en. You may lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
- United Kingdom. The UK Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk/make-a-complaint.
- Switzerland. Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch.
- California. California Privacy Protection Agency — cppa.ca.gov; or the California Office of the Attorney General — oag.ca.gov/privacy.
- Morocco. Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP) — cndp.ma.
We would, however, appreciate the opportunity to address your concerns directly before you contact a supervisory authority. Please feel free to reach out to us first at the address in Section 16.