1. Introduction & Data Controller
ListHeal ("we," "us," or "our") is committed to protecting the privacy and security of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the ListHeal platform ("Service").
For the purposes of the UK GDPR, EU GDPR, and applicable data protection regulations, the data controller is LAYER DECISION LTD, a company registered in England and Wales under Company Number 17255053, with its registered office in England and Wales (registered address: Office 19305 182-184 High Street North, East Ham, London, United Kingdom, E6 2JA). ListHeal is a product of LAYER DECISION LTD. Contact email: privacy@listheal.com.
ListHeal operates as an independent third-party service. We are not affiliated with, endorsed by, or sponsored by TikTok, Amazon, Google, or any of their subsidiaries. This policy covers only data processed by ListHeal within your Shopify environment.
2. Information We Collect
2.1 Account Information
- Name and email address (provided during registration or fetched from Shopify)
- Shop identifier and metadata associated with your connected Shopify store
2.2 Shopify Product Catalog Data
When you install ListHeal in your Shopify store, we access the following via Shopify's standard API:
- Product listing data: Product titles, descriptions, categories, tags, attributes, and custom metafields
- Product images: Processed by our AI vision models to extract compliance information (CE/UKCA markings, BPR registration numbers, Responsible Person data) from your product packaging images
- Shop identifier: Your `.myshopify.com` domain for webhook routing and API authorization
We do NOT access: Order data, customer databases, store sales transactions, financial accounts, or any personal data belonging to your customers.
2.3 Payment Information
All subscription payments, charges, and overage fees are processed securely through the Shopify App Store Billing infrastructure. ListHeal never collects, processes, or stores your credit card details or payment information on our servers.
2.4 Usage & Technical Data
- IP addresses and browser user-agent strings (for security and rate limiting)
- Timestamps of API requests and webhook events
- AI diagnosis logs (which compliance fields were extracted, confidence scores)
- Error logs for debugging purposes
3. How We Use Your Information
- Service Delivery: To monitor your product listings, run AI compliance analysis, and write corrected metadata back to your Shopify store database
- Billing: To track which listings were successfully fixed and generate accurate usage invoices via Shopify Billing
- Account Management: To authenticate you, manage your shop connections, and provide customer support
- Service Improvement: To improve our AI models' accuracy and confidence thresholds (using aggregated, anonymised data only)
- Security: To detect and prevent fraud, abuse, or unauthorised access
- Legal Compliance: To comply with applicable laws, regulations, and legal requests
4. Data Storage and Processing
- We access your Shopify catalog data only for the purpose you authorised: compliance remediation of product listings
- We do not sell, rent, or share your store or product data with third parties
- Product images are processed in-memory by our AI models and are not permanently stored after diagnosis is complete
- We retain listing metadata and fix history for audit and billing purposes for up to 24 months, after which it is automatically purged
- If you uninstall ListHeal from your Shopify Admin panel, we cease all data access immediately
5. Data Sharing & Third Parties
We share data only with the following categories of service providers, and only as necessary:
- Google Cloud / Gemini AI: Product images sent for AI vision analysis (processed under Google's enterprise data processing terms; not used for model training)
- Shopify: For billing integration and store data synchronization
- Supabase: Database hosting (encrypted at rest and in transit)
We do not sell your personal information. We do not share your data with advertisers or data brokers.
6. Data Security
- All data in transit is encrypted using TLS 1.3
- All data at rest is encrypted using AES-256
- Webhook payloads are verified using HMAC-SHA256 signature validation
- Admin access requires a separate authentication layer with audit logging
- API keys and secrets are stored in environment variables, never in source code
7. Data Retention
- Account data: Retained while your account is active, plus 90 days after deletion request
- Listing data & heal history: Retained for 24 months for billing audit trail, then automatically deleted
- Product images: Processed in-memory only; not retained after AI analysis
- Logs: Retained for 90 days, then automatically purged
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and associated data
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to processing of your data for specific purposes
- Revoke Access: Uninstall ListHeal from your Shopify Admin panel to cease all access immediately
To exercise any of these rights, contact privacy@listheal.com. We will respond within 30 days.
9. Cookies
ListHeal uses only essential cookies for session management and shop verification inside the Shopify Admin frame. We do not use tracking cookies, advertising cookies, or third-party marketing trackers.
10. Children's Privacy
ListHeal is a business-to-business service intended for Shopify merchants who are 18 years of age or older. We do not knowingly collect data from anyone under 18.
11. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where applicable.
12. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification at least 14 days before taking effect.
13. Contact Us
For privacy-related inquiries:
Email: privacy@listheal.com
Subject Line: Privacy Inquiry - [Your Name]