Privacy policy

SEOBOSS Blog Engine – App Privacy Policy
Effective date: 31 January 2026

This Privacy Policy explains how Dotcom Publishing (trading as SEOBOSS) (“SEOBOSS”, “we”, “us”, “our”) collects, uses, discloses, and retains information when a merchant installs or uses the SEOBOSS Blog Engine Shopify application (the “App”), including:
- the embedded Shopify Admin app experience,
- the Theme App Extension (storefront section), and
- any related services that support the App (together, the “Services”).

This policy applies to information processed in connection with the App and Services. It does not replace a merchant’s own store privacy policy.

1) Contact details
Dotcom Publishing (trading as SEOBOSS)
Email: robbie@seoboss.com
Address: 4 Ranfurly Tce, Mt Cook, Wellington, New Zealand

2) Roles (merchant data vs. customer data)
Merchants (store owners) control the data in their Shopify stores and are typically the “controller” for that data. SEOBOSS processes merchant store data as needed to provide the Services and may act as a controller for limited data such as support communications and security/operations records.

If you are an end customer of a merchant using the App, please contact the merchant first.

3) Information we collect or access

A. Information accessed from Shopify
When a merchant installs and uses the App, we access store data through Shopify APIs only as needed to provide the Services. This can include:
- Shop identifiers (such as shop domain)
- Blog and content data needed to create, update, and publish blog posts (titles, body content, tags, and related metadata)
- Files/media library data needed to upload or attach assets used in blog posts (such as featured/hero images), where the merchant chooses to use this functionality
- App installation and billing/subscription status (to gate paid features and enforce plan limits)

The App does not request access to Orders or Payments. The App does not require customer-list access through Shopify API scopes.

B. Information provided directly by merchants
Merchants (or their staff) may provide:
- Contact information for onboarding and support (for example, name and email address)
- Configuration and preferences (language, tone, niche, seed keywords, target audience)
- Content inputs submitted for generation/editing and drafts saved within the App

C. Information processed on storefront (Theme App Extension / App Proxy)
If the merchant adds the Theme App Extension to their theme, the storefront may load App-provided assets and/or call App Proxy endpoints. We do not intentionally use this to track customers. Like most online services, we may receive standard server log data (for example IP address, user-agent, request timestamp) when requests reach our servers.

D. Operational and security data
We may collect and store:
- Shopify access credentials required to operate the App for the merchant (offline token), stored encrypted at rest
- Job/request metadata (timestamps, status, usage counts/units, and related diagnostics)
- Error and security logs (for example request IDs and error traces) to operate, debug, and protect the Services

E. Shopify compliance webhooks
Shopify may send mandatory compliance webhooks to apps (including customers/data_request, customers/redact, shop/redact). These payloads may contain limited customer identifiers (for example, an email address) depending on the request. We use webhook payloads only to comply with the request and do not use them for marketing.

4) How we use information
We use the information described above to:
- Provide the Services (generate, edit, and publish blog content)
- Upload and manage blog-related media assets when merchants use that feature
- Authenticate requests, verify signatures/webhooks, and secure the Services
- Enforce Shopify-managed billing gates and plan limits
- Provide support and troubleshoot issues
- Comply with legal obligations and Shopify requirements

We do not sell personal information.

AI and Machine Learning Usage
We use artificial intelligence services to generate content for merchants within the scope of delivering the App’s features. We do not use any merchant or customer data accessed through Shopify APIs to train, improve, or develop AI or machine learning models outside of this real-time service delivery. This means no data accessed via Shopify APIs is stored or repurposed for improving internal models or datasets.

Your Data Rights
Depending on applicable laws, merchants and individuals may have rights to access, correct, delete, or restrict the processing of personal information we hold. Merchants can contact us at robbie@seoboss.com to submit such requests. For end-customers of a merchant’s store, the merchant should first be contacted. Where Shopify compliance webhooks (e.g., customers/data_request, shop/redact) are provided, we process these automatically as required.

5) How we disclose/share information
We disclose information only as needed to run the Services, including:
- With Shopify (to read/write store content and receive webhooks)
- With infrastructure providers used to operate the Services (for example hosting, database/storage, and workflow/processing systems)
- With support tools if a merchant contacts us for help

We require service providers to protect information and use it only to provide services to us.

6) International data transfers
We are based in New Zealand and may process data in New Zealand and other locations where our infrastructure and service providers operate. Where required, we use appropriate safeguards for cross-border transfers.

7) Data retention
We retain data only for as long as necessary to provide the Services and for legitimate operational purposes (security, fraud prevention, debugging), unless a longer retention period is required by law.

Our current retention approach:
- While installed: We retain shop-scoped operational data (such as encrypted access tokens, plan/billing state, saved drafts, and job metadata) to provide the Services.
- Uninstall / shop redaction: When the App is uninstalled and/or we receive a valid shop/redact request from Shopify, we delete shop-scoped data associated with the shop. In most cases this occurs immediately or within a short operational window.
- Operational logs: We retain limited operational/security logs for up to 30 days to troubleshoot and protect the Services.
- Manual exports: If we create temporary internal operational exports (for example spreadsheets used for support or reconciliation), we delete them on a monthly schedule and no later than 30 days after they are no longer needed.
- Backups: Residual copies may persist in encrypted backups for a limited period (typically up to 30 days) before being overwritten.

If a merchant wants earlier deletion (where legally permitted), they can contact us at robbie@seoboss.com.

8) Security
We use reasonable safeguards designed to protect information, including encryption for sensitive credentials/tokens at rest, HTTPS/TLS in transit, and access controls. No system is 100% secure, but we work to protect the Services and data we process.

9) Requests and individual rights
Depending on applicable law, individuals may have rights to access, correct, delete, or restrict processing of personal information. Merchants can contact us at robbie@seoboss.com.

For end-customer requests, the merchant should be contacted first. Shopify’s mandatory compliance webhooks can also trigger requests we must process in accordance with Shopify requirements.

10) Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will update the effective date at the top when changes are made.

11) Contact
Questions or requests related to this Privacy Policy or the App’s data practices:
Email: robbie@seoboss.com
Address: 4 Ranfurly Tce, Mt Cook, Wellington, New Zealand