Last Updated: November 21, 2025

Privacy Policy

We protect your brand. We also protect your data. Here's exactly how.

📅 Effective: November 21, 2025
🔒 GDPR & CCPA Compliant

👋 Introduction

TL;DR
We only collect the minimum data needed to protect your brand (domain info, DNS records, SSL certificates). We never touch customer data, orders, or payment info. You own your data and can delete it anytime.

Recon Bot Brand Protection ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopify application ("the App").

By installing and using Recon Bot Brand Protection, you agree to the collection and use of information in accordance with this policy.

📊 What We Collect (and Don't)

TL;DR
We collect: your shop name, domain, DNS records, SSL certificates, and audit history. That's it. No customer data, no orders, no products, no payments.

We Collect

  • Shop name and domain URL
  • Contact email (for support)
  • DNS records (SPF, DMARC, DKIM, CAA, MX)
  • SSL certificate data (validity, expiration)
  • Security audit history (last 10 scans)
  • Basic app usage metrics

We Never Collect

  • Customer personal information
  • Order data or transactions
  • Product information
  • Payment or financial data
  • Customer browsing behavior
  • Any sensitive business data

Information You Provide

When you install the App, we collect:

  • Shop Information: Your Shopify store's name and primary domain URL
  • Contact Information: Email address associated with your Shopify account (for support communications)

Information Automatically Collected

The App automatically collects publicly available security data:

  • DNS Records: SPF, DMARC, DKIM, CAA, MX, and nameserver configurations for your domain
  • SSL/TLS Data: SSL certificate validity, expiration date, and issuer information
  • Audit History: Records of security scans, timestamps, and results
  • Usage Data: App installation date, last access, and feature usage (for improvements)

🎯 How We Use Your Information

TL;DR
We use your data to run security audits, show you results, maintain audit history, fix bugs, and send critical security notifications. That's it.

Core Services

  • Perform automated brand security audits on your domain
  • Generate security scores and actionable recommendations
  • Monitor DNS, email authentication, and SSL/TLS configurations
  • Display audit results within the Shopify admin
  • Maintain audit history for your reference

App Improvement

  • Analyze aggregate usage patterns to enhance features
  • Identify and fix bugs or technical issues
  • Develop new security checks and recommendations

Communication

  • Send important service updates or critical security notifications
  • Respond to your support requests
  • Provide onboarding assistance (if requested)

🔐 Storage & Security

TL;DR
US-based secure servers, encrypted connections, auto-deletion of old data (10 scans max), no third-party access. Industry-standard security measures throughout.

Data Retention Timeline

  • Active Use: Shop info and contact data retained while app is installed
  • Audit History: Last 10 security scans kept; older scans automatically deleted
  • Usage Data: Aggregate metrics retained for 90 days maximum
  • After Uninstall: All data deleted within 48 hours (or immediately upon request)

Security Measures

  • Encryption in Transit: All data uses TLS/SSL encryption between your browser and our servers
  • Encryption at Rest: Database credentials and sensitive configuration are encrypted
  • Access Controls: Strict access controls limit who can view stored data
  • Regular Updates: We regularly update dependencies and apply security patches
  • No Third-Party Access: We never share or sell your data to third parties

Storage Location: All data is stored on secure servers in the United States using SQLite/PostgreSQL databases with encrypted connections.

🤝 Data Sharing & Disclosure

TL;DR
We never sell your data. Period. We only share minimal info with trusted hosting providers and only when legally required.

We Do NOT Sell Your Data

We will never sell, rent, or trade your information to third parties for marketing purposes.

Trusted Service Providers

We may share limited information with service providers who help us operate the App:

  • Hosting Providers: To store application data and host the service
  • Infrastructure Services: For application monitoring and performance

These providers are contractually required to protect your data and use it only to provide services to us.

Legal Requirements

We may disclose information only when legally required to:

  • Comply with court orders or government requests
  • Enforce our Terms of Service
  • Protect rights, property, or safety
  • Investigate fraud or security issues

⚖️ Your Rights & Choices

TL;DR
You can access, export, correct, or delete your data anytime. Uninstalling the app auto-deletes everything within 48 hours. You're in control.

  • Access Your Data: Request a copy of all information we hold about you
  • Correct Inaccuracies: Request correction of any inaccurate or incomplete data
  • Export Data: Download your audit history in JSON format
  • Delete Everything: Uninstall the app or request immediate deletion
  • Opt-Out Communications: Unsubscribe from non-essential emails anytime
  • Do Not Track: We don't track users across websites

Data Deletion

When you uninstall Recon Bot from your Shopify store, we automatically delete:

  • All audit history and scan results
  • Session tokens and authentication data
  • Shop information and contact details

Timeline: Automatic deletion within 48 hours, or immediately upon request by contacting privacy@reconbot.io

🍪 Cookies & Tracking

TL;DR
We only use session cookies for authentication. No advertising cookies, no third-party trackers, no cross-site tracking.

Cookies We Use:

  • Session Cookies: Required for authentication within the Shopify admin
  • Shopify App Bridge: Browser storage for app-to-admin communication

We Do NOT Use:

  • Advertising or retargeting cookies
  • Third-party analytics beyond basic usage stats
  • Cross-site tracking cookies

🌍 GDPR & CCPA Compliance

TL;DR
EU/EEA users have full GDPR rights (access, rectification, erasure, portability, etc.). California residents have CCPA rights. We don't sell personal information.

European Economic Area (EEA) - GDPR Rights

If you're located in the EEA, you have these rights:

  • Right to Access: Request copies of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive data in a structured, machine-readable format
  • Right to Object: Object to our processing of your data
  • Right to Withdraw Consent: Withdraw consent at any time

Legal Basis for Processing:

  • Contractual Necessity: To provide the App's services
  • Legitimate Interests: To improve the App and prevent fraud
  • Legal Compliance: To comply with applicable laws

California Residents - CCPA Rights

California residents have these rights:

  • Right to Know: What personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We don't sell personal information, so no opt-out needed
  • Right to Non-Discrimination: No discrimination for exercising your rights

To exercise your rights, contact us at privacy@reconbot.io

✈️ International Data Transfers

TL;DR
Data is stored in the United States. For EEA users, we use Standard Contractual Clauses approved by the European Commission.

Recon Bot Brand Protection is operated in the United States. If you access the App from outside the United States, your information will be transferred to, stored, and processed in the United States.

For EEA Users: We use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection when transferring data outside the EEA.

👶 Children's Privacy

Recon Bot Brand Protection is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16.

If we discover that we have collected information from a child under 16, we will delete that information immediately. If you believe we have collected information from a child, please contact us at privacy@reconbot.io.

🔄 Changes to This Policy

TL;DR
We'll notify you via email and in-app if we make material changes. Continued use after changes means you accept the updated policy.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs.

When We Update:

  • We'll update the "Last Updated" date at the top
  • We'll notify you of material changes via email and in-app notice
  • Your continued use after changes constitutes acceptance

📧 Contact Us

Have questions about your privacy?
General Inquiries
Data Protection Officer (GDPR)
Response Time: Within 30 days

📋 Data Collection Summary

| Data Type | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Shop Info | Shop name, domain URL | Provide service | Contract | Until app uninstall |
| Contact Info | Email address | Support, notifications | Contract | Until app uninstall |
| DNS Records | SPF, DMARC, CAA, MX | Security auditing | Contract | Last 10 audits |
| SSL Data | Certificate validity, issuer | Security auditing | Contract | Last 10 audits |
| Audit History | Scan timestamps, scores | Service provision, history | Contract | Last 10 audits |
| Usage Data | Feature usage, timestamps | Service improvement | Legitimate interest | 90 days |