Privacy Policy
GuardianStack - Shopify App
Last Updated: 2 March 2026
TL;DR (Plain English Summary)
- We scan your Shopify store to find compliance gaps and suggest fixes.
- We store limited customer personal data only when you run retention exports.
- We store your shop domain, scan results, and account details needed to run the service.
- We store generated compliance artefacts (for example retention exports and review certificates) so you can re-download audit evidence.
- We share data only with trusted providers (e.g., Supabase, OpenAI, Shopify) to operate the service.
- You can request access, correction, or deletion of your data at any time.
1. Who We Are
GuardianStack is operated by MikaHari Labs Ltd, a company registered in England and Wales (Company No. 14894353).
Contact Details:
- Registered Address: 71-75 Shelton Street, London, England, WC2H 9JQ
- Company No.: 14894353
- Email: support@guardianstack.com
- Website: https://guardianstack.com
GuardianStack acts as the Data Controller for data processed through our app.
2. Information We Collect
2.1 Information from Shopify (via Shopify API)
When you install GuardianStack, we access the following data to run scans and generate recommendations:
| Data Type | Purpose | Stored? | Retention |
|---|---|---|---|
| Shop domain | Identify your store | Yes | While subscribed + 30 days |
| Privacy policies | Check policy completeness | No (processed in real-time) | Not stored |
| Installed apps | Identify processors | No (processed in real-time) | Not stored |
| Script tags | Detect tracking/analytics | No (processed in real-time) | Not stored |
| Customer/order metadata (limited fields) | Retention analysis and export generation | Yes (when you run Retention Export) | 30 days, unless deleted sooner |
Important: GuardianStack stores limited customer personal data only when you explicitly run retention exports. These artefacts are stored privately for audit and re-download, then removed under our retention schedule or on request.
2.2 Information You Provide
- Business context (industry, company size, jurisdiction)
- Onboarding responses and questionnaire answers
- Company profile details used for penalty estimation (e.g., turnover, headcount)
- Support communications
2.3 OAuth Access Token
We securely store your Shopify OAuth token to access your store. This token:
- Is encrypted at rest
- Is never exposed to frontend applications
- Is only accessed by server-side functions
- Is deleted when you uninstall the app
3. Data Subjects and Data Categories
3.1 Data Subjects
We may process data relating to:
- Shopify merchants and store owners
- Store staff authorised to use the app
- Store customers where required for retention export artefacts
3.2 Data Categories
- Account data (store domain, account identifiers)
- Store configuration data (installed apps, scripts, policies)
- Compliance scan outputs (gaps, scores, action items)
- Company profile information (sector, headcount, turnover)
- Support communication data
4. How We Use Your Information
We use your information to:
- Provide compliance scanning and diagnostics
- Generate compliance recommendations and action plans
- Calculate risk and penalty exposure estimates
- Improve our detection accuracy and product experience (using aggregated, anonymised data)
- Provide support and troubleshoot issues
- Generate and store compliance artefacts you trigger (for example retention exports, DPA drafts, and review certificates)
We do not:
- Sell your data
- Use your data for advertising
- Share individual store data publicly
5. Legal Basis for Processing (UK GDPR)
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service | Contract performance (Article 6(1)(b)) |
| Storing OAuth tokens | Contract performance (Article 6(1)(b)) |
| Service improvement analytics | Legitimate interests (Article 6(1)(f)) |
| Security logging | Legitimate interests (Article 6(1)(f)) |
6. Data Sharing and Sub‑Processors
We use trusted service providers to operate GuardianStack:
| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database and storage | EU/UK | Encryption, EU data residency |
| OpenAI | AI analysis (non‑training) | US | DPA + SCCs |
| Shopify | App integration | Global | Shopify Partner Agreement |
We maintain a list of sub‑processors and will notify customers of material changes. View the current list here: https://guardianstack.com/legal/subprocessors.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Shop connection (domain, token) | Until app uninstalled + 30 days |
| Onboarding responses | Until app uninstalled |
| Compliance scan results | 12 months or until deleted |
| Retention export artefacts | 30 days or until deleted |
| Review certificates and audit artefacts | 12 months or until deleted |
| Generated DPA artefacts | 12 months or until deleted |
| Audit logs | 24 months |
| Support communications | 24 months |
When you uninstall GuardianStack, we:
- Mark your connection inactive immediately
- Delete your OAuth token within 48 hours
- Respond to Shopify GDPR webhooks to delete all data
8. Data Security
We implement technical and organisational measures including:
- TLS 1.3 encryption in transit
- AES‑256 encryption at rest
- Row‑level security on databases
- Access control and audit logging
- Routine security testing and monitoring
9. Your Rights (UK GDPR)
You have the right to:
| Right | How to Exercise |
|---|---|
| Access | Request a copy of your data via support@guardianstack.com |
| Rectification | Update data through the app or contact support |
| Erasure | Uninstall the app or email support |
| Restriction | Request processing limits via support |
| Portability | Request data export in machine‑readable format |
| Object | Object to processing based on legitimate interests |
| Withdraw consent | Where processing is based on consent |
We may request verification to protect your data. We respond within 30 days.
10. International Transfers
Your data may be processed in the UK, EU, and the US. For transfers outside the UK/EU, we rely on Standard Contractual Clauses (SCCs) and equivalent safeguards.
You can request copies of relevant safeguards by emailing support@guardianstack.com.
11. Cookies
GuardianStack uses minimal cookies required for authentication and security:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Maintain login state | Session |
| OAuth state | CSRF protection during install | 10 minutes |
We do not use advertising or tracking cookies.
12. Children’s Privacy
GuardianStack is a B2B service and is not intended for use by individuals under 18. We do not knowingly collect data from children.
13. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by:
- Email (if we have your contact details)
- In‑app notification
- Updating the “Last Updated” date above
14. Complaints
If you have concerns:
- Contact us: support@guardianstack.com
- You can also lodge a complaint with the ICO:
- Website: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
15. Contact Us
Data Controller:
MikaHari Labs Ltd
Registered Address: 71-75 Shelton Street, London, England, WC2H 9JQ
Company No.: 14894353
Email: support@guardianstack.com
Website: https://guardianstack.com
This Privacy Policy is effective as of 2 March 2026.
