Legal
Privacy Policy
This policy describes what data the WCAG Accessibility Checker Shopify app collects from merchants who install it, how that data is used and stored, and the rights merchants have over it. The app is designed to be privacy-minimal: it does not collect any shopper or customer personal data, and it does not send merchant data to any third-party service.
By installing the WCAG Accessibility Checker app on your Shopify store, you consent to the processing of your data as described in this Privacy Policy. If you do not agree with this policy, please do not install the app, or uninstall it from your Shopify admin to trigger automatic deletion of your data (see section 7).
1. Who we are
WCAG Accessibility Checker (“the app”) is published by Logic AI (“we”, “us”). Logic AI is the data controller for the merchant data the app processes.
The app is a Shopify-embedded tool that scans a merchant’s storefront for WCAG 2.1 / 2.2 AA accessibility violations using Playwright (headless Chromium) and the axe-core accessibility engine.
For any privacy question or request, contact us at info@logicai.nl.
2. What we collect from merchants
When you install and use the app, the following data is stored in our MySQL database:
- Shop information — your myshopify.com domain, the plan you are on, your Shopify subscription identifier, and any auto-scan preferences you configure (frequency, on/off).
- Shopify session — the OAuth access and refresh tokens issued by Shopify, plus the admin user’s name and email address as provided by Shopify during authentication. These are managed by Shopify’s official session storage library.
- Storefront password (optional) — if your storefront is password-protected (for example a development or pre-launch store) and you choose to enter the password in Settings, we store it so the scanner can reach your pages. It is used only to authenticate the scanner against your storefront and is deleted when you uninstall the app.
- Scan results — the URLs we scanned, scan status and timing, the accessibility violations detected (rule identifier, severity, the CSS selector and HTML snippet of the affected element, and the WCAG criterion referenced), and a small PNG screenshot of each affected element used as visual evidence in the report.
- Free-tier scan timestamp — the date of your most recent successful free scan, used solely to enforce the free plan’s 7-day cooldown.
3. What we do not collect
The app does not collect, store, or process any customer or shopper personal data. We do not request Shopify scopes that grant access to customer records, orders, or checkout. The mandatory Shopify GDPR webhooks (“customers/data_request” and “customers/redact”) are implemented as no-ops because there is no customer data to return or delete.
We do not capture or store any information about visitors to your storefront. Scans inspect the rendered HTML and styling of public pages; they do not record user behaviour, IP addresses, or session data of your shoppers.
4. Third parties
We do not share merchant data, scan results, screenshots, or any other information with third-party services. The app does not send data to any LLM, AI provider, analytics service, advertising network, or external reporting tool.
During a scan, common third-party trackers embedded in your storefront (such as Google Analytics, Segment, Mixpanel, Klaviyo, Meta Pixel, and similar services) are explicitly blocked at the network layer so the scanner does not generate spurious traffic or events on your analytics dashboards.
5. Cookies and tracking
The app does not set any cookies in your browser. Authentication is handled entirely server-side through Shopify’s session storage and through App Bridge bearer tokens for in-admin requests.
Links to per-element screenshots inside the app are signed with a short-lived (1 hour) HMAC token so that screenshots cannot be accessed by anyone without an active, valid link generated for that specific shop.
6. Hosting and sub-processors
We rely on the following infrastructure providers to operate the app:
- Shopify — provides the OAuth identity, embedded admin surface, and webhook delivery for the app.
- Fly.io — hosts the application servers and the headless Chromium scanner.
- Managed MySQL — stores the data described in section 2. The database is operated on infrastructure controlled by Logic AI.
We do not use any other sub-processors. We do not transfer your data to advertising networks, data brokers, or marketing tools.
7. Data retention and deletion
- When you uninstall the app, Shopify sends us an app/uninstalled webhook. We delete your Shopify session and your shop record; deleting the shop record cascades and removes all of your scans, scan pages, violation records, and screenshot blobs from our database.
- When Shopify sends a shop/redact GDPR request (48+ hours after uninstall), we perform the same cascade deletion. For abuse prevention, we keep a single record of your most recent free-tier scan timestamp so the 7-day free cooldown cannot be bypassed by uninstalling and reinstalling; no other shop data is retained.
- Signed screenshot URLs expire after one hour, even if the underlying screenshot is still present in the database.
You can request deletion of your data at any time by emailing info@logicai.nl; uninstalling the app from your Shopify admin also triggers deletion automatically.
8. Your rights (GDPR / CCPA)
If you are a merchant in a jurisdiction with data-protection laws such as the EU/EEA GDPR, the UK GDPR, or the California Consumer Privacy Act, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data, subject to the abuse-prevention exception described in section 7.
- Object to or restrict processing where you believe processing is not justified.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, contact info@logicai.nl. We will respond within the timeframe required by applicable law.
9. Security
All traffic between the app, Shopify, and your browser is transmitted over TLS. Shopify OAuth tokens, storefront passwords, and scan data are stored in our managed MySQL database with access restricted to the app servers. Screenshot links are short-lived and signed. We do not store payment information; Shopify Managed Pricing handles all billing on Shopify’s infrastructure.
10. Changes to this policy
We may update this policy from time to time. When we do, we will change the effective date at the top of the page. Material changes will be communicated through the app or by email to the address on file with Shopify.
11. Contact
Questions, deletion requests, or other privacy concerns: info@logicai.nl.