Privacy Policy

Last updated: May 2026

1. What We Collect

Store Speed Doctor collects the following data to provide its service:

• Shop domain — to identify your Shopify store.
• Access token — a Shopify OAuth token used to read your store's theme and installed script tags. It is stored securely and never shared.
• OAuth session data — temporary session records required by Shopify's authentication flow.
• Scan results — performance scores, Core Web Vitals, Lighthouse audit findings, and detected third-party scripts for your storefront.
• Fix checklist state — which recommended fixes you have marked as completed, stored per shop to persist your progress across sessions.
• Email address — optionally provided by you for weekly performance alert emails (Pro plan only).
• Billing status — your current plan tier (free, starter, or pro), managed via Shopify's Billing API.

2. How We Use Your Data

• Run automated performance scans against your storefront using Google PageSpeed Insights.
• Display scan results, trends, and recommended fixes in the app dashboard.
• Persist your fix checklist progress so it is available across sessions.
• Send weekly performance alert emails when your score changes significantly (Pro plan, if opted in).

3. Data Retention

Scan results and fix checklist data are retained for 90 days from the date of each scan. Upon app uninstallation, your shop record is marked inactive and your access token is deactivated immediately. All remaining shop data — including scan history, checklist state, and session records — is permanently deleted within 48 days of uninstallation in accordance with Shopify's GDPR requirements. You may request earlier deletion by contacting us.

4. Third-Party Services

• Google PageSpeed Insights API — your store URL is sent to Google to run performance analysis.
• Supabase — our database provider, hosted on AWS. Data is stored in the US.
• Vercel — our hosting and compute platform. All web requests are processed through Vercel's infrastructure. Vercel may collect standard request metadata (IP address, user agent) in accordance with their privacy policy.
• Resend — used to send transactional emails. Your email address is sent to Resend only when you enable alerts.

5. GDPR & Data Subject Rights

We honor all Shopify GDPR mandatory webhooks:

• Customer data requests (customers/data_request) — we hold no per-customer PII. Only shop-level performance data is stored.
• Customer data erasure (customers/redact) — no customer-level records to erase.
• Shop data erasure (shop/redact) — all shop data is permanently deleted upon receipt, which Shopify sends 48 days after uninstallation.

Regardless of your location, you may request access to, correction of, or deletion of your data at any time by contacting us directly.

6. Contact

Questions? Email us at contactus@webpioneers.ca