Privacy Policy

GreenClaims ("we", "our", "us") builds a compliance tool for Shopify merchants that scans a store's product and content copy for environmental marketing claims restricted by the EU Empowering Consumers for the Green Transition Directive (EmpCo, 2024/825). This policy explains what data we access, how we use it, who we share it with, and the choices merchants have. We follow Shopify's Partner Program requirements and the principle of least privilege.

1. Data we access

With the merchant's consent during install, GreenClaims requests only these Shopify Admin API scopes:

  • read_products - to read product titles, descriptions, and related fields so we can scan them for environmental claims.
  • read_content - to read store content (pages, blog articles) for the same claim scanning.
  • read_locales - to read which languages your storefront publishes, so we know which translations to scan.
  • read_translations - to read the translated versions of your product and content text (e.g. from Translate & Adapt) for the same claim scanning, on plans that include multilingual scanning.

GreenClaims is read-only: it holds no write scopes and never modifies your products, content, or any other part of your store. We do not request or access customer data, orders, or financial records.

2. How we use the data

  • To scan your product and content text and flag environmental claims that may be restricted under EmpCo.
  • To draft compliant rewrite suggestions and let you build an evidence-backed registry of your claims.
  • To maintain an audit trail and, on paid plans, immutable audit snapshots and monitoring of changes over time.
  • To send the alert and digest emails you opt into (see Subprocessors).

3. Data we do not collect

  • Customer personal data
  • Order history or financial data
  • Payment information

We run no third-party web analytics, no session recording, and no advertising trackers against your store or its data.

4. Storage and security

Session credentials, scan results, claims, and audit records are stored in a database on infrastructure we control. All data is encrypted in transit over TLS, and access to production data is limited to the smallest number of personnel necessary.

5. Subprocessors

We rely on the following vetted subprocessors to operate the service:

  • Anthropic (Claude API) - when a claim needs to be judged in context or rewritten, the relevant product/content text is sent to Anthropic's API for analysis. Only that text is sent - never customer, order, or payment data. Anthropic processes it to return a result and does not use data submitted through its API to train its models (Anthropic Privacy Policy).
  • Amazon Web Services (SES) - sends the alert and weekly digest emails you enable, to the notification address you provide in settings.
  • Amazon Web Services (hosting) - application hosting, database, and background job processing.
  • Shopify - the platform your store and our embedded app run on.

6. Email notifications

If you enable alerts, we store the notification email address you enter in settings and use it solely to send compliance alerts and digests via Amazon SES. Every email includes an unsubscribe link, and you can change or remove the address at any time in the app's settings.

7. GDPR webhooks

GreenClaims processes Shopify's mandatory compliance webhooks: customers/data_request, customers/redact, and shop/redact. Because we do not store customer data, customers/data_request and customers/redact are acknowledged with no records to return or redact. On shop/redact (sent by Shopify after uninstall), we delete all data associated with that shop.

8. Uninstall and data deletion

You can uninstall GreenClaims at any time from your Shopify admin. On uninstall we stop all processing for your store and delete its data on Shopify's shop/redact signal. To request deletion sooner, email [email protected].

9. Contact

Questions about this policy or your data: [email protected].