Privacy Policy

Effective June 12, 2026

Octopus is a Shopify app that helps merchants generate SEO collection and editorial pages from keyword lists, while preventing cannibalization with their existing content. This document explains what data we collect, what we deliberately do not collect, and how a merchant can have all their data removed.

1. What we collect

When you install Octopus on your Shopify store, we store the following:

• Shop identity: your *.myshopify.com domain and Shopify-issued OAuth access token, required to make Admin API calls on your behalf.
• App settings: minimum products per collection, slug prefix/suffix, publish status, RAG thresholds, cannibalization threshold, sitemap toggles.
• Your Anthropic API key (optional): if you choose to provide one, it is stored encrypted at rest with AES-256-GCM and decrypted only at job processing time.
• Keywords you import via CSV: the text of each keyword, its processing status, the resulting Shopify resource ID, and timestamps.
• Content index: titles, handles and vector embeddings of your existing Shopify Pages, Collections and blog Articles — used only for anti-cannibalization detection. We do not store the full body of your content.
• Operational logs: structured JSON logs of API calls and job runs, retained 30 days, used for debugging.

2. What we deliberately do NOT collect

Octopus operates entirely on your catalog and content, not on your customers. We never request, read, or store:

• Customer personal information (names, emails, addresses, phone numbers).
• Order data, payment information, or fulfillment details.
• Cart contents or checkout activity.
• Marketing consent records.

Our OAuth scope is limited to read_themes, write_content, write_products, write_publications, write_online_store_navigation — none of which grants access to customer or order data.

3. How we use the data

• To create and update Shopify Collections and Pages on your behalf.
• To detect cannibalization with your existing content (anti-cannibalization engine).
• To regenerate your HTML sitemap when your generated pages change.
• To debug issues if you contact support.

We never sell, rent, or share your data with third parties for marketing.

4. Third-party processors

Octopus relies on three infrastructure providers:

• Shopify (Admin GraphQL API) — to read your catalog and write new resources. Their privacy policy applies.
• Anthropic (Claude API) — if you provide an API key, your keywords and shop context (niche, tone, generic article excerpts) are sent to Anthropic to generate the page intros. Anthropic does not train on API inputs by default. Their privacy policy applies.
• Railway (hosting) — the database (PostgreSQL) and worker processes run on Railway's EU infrastructure. Their privacy policy applies.

5. Data retention & deletion

When you uninstall Octopus, Shopify automatically notifies us via the app/uninstalled webhook. We then delete:

• Your OAuth session and access token (immediately).
• Your shop settings, keywords, jobs, content index, blog embeddings, blacklist (within 48 hours).

We comply with Shopify's privacy compliance webhooks (customers/redact, customers/data_request, shop/redact). Since we hold no customer data, the customer webhooks return success but have nothing to delete.

You can also request manual deletion at any time by emailing support@seoctopus.app.

6. Security

• All traffic over HTTPS (TLS 1.3).
• OAuth tokens and Anthropic API keys encrypted at rest (AES-256-GCM).
• Strict scope limitation — no access to customer or order data.
• Logs scrubbed of sensitive values; no plaintext credentials persisted.

7. Your rights (GDPR)

If you are based in the EU, you have the right to access, rectify, erase, or port your data, and to object to processing. Contact support@seoctopus.app and we will respond within 30 days.

8. Changes to this policy

We will notify installed merchants via in-app banner at least 14 days before any material change to this policy.

9. Contact

Email: support@seoctopus.app