Last updated: 17 June 2026 · SEO Elite Agency LLC
RankShield ("we", "us") is a fraud- and abuse-protection app for Shopify merchants. This policy explains exactly what data the app processes, why, and how it is protected. We designed RankShield to do its job with the minimum data possible — we store salted hashes and network prefixes, not raw personal information.
The merchant who installs RankShield is the data controller for their store's data.
SEO Elite Agency LLC acts as a data processor, processing data on the merchant's behalf
solely to provide fraud-prevention services. Processing runs on our backend
(sea-shield-production.up.railway.app).
| Data | Form stored | Purpose |
|---|---|---|
| Customer/order email | Salted SHA-256 hash only | Detect card-testing & fake-account velocity (link attempts without storing the address) |
| Visitor / order IP address | Truncated network prefix (/24 IPv4, /48 IPv6) + salted hash | Detect attack bursts from one network; build ad-exclusion lists |
| Card BIN (first 6 digits) | Salted hash only | Detect carding (many distinct cards from one source). We never see or store full card numbers. |
| Storefront behavioral signals | Aggregated booleans/counts (e.g. headless browser, time-on-page) | Bot detection via the Shopify Web Pixel |
| Ad click identifiers (gclid, fbclid, etc.) | As provided in the URL | Attribute invalid paid clicks so merchants can recover wasted ad spend |
| Order / checkout / cart metadata | Amounts, status, gateway, country, discount codes | Card-testing, denial-of-inventory, promo-abuse and chargeback-risk scoring |
We do not collect or store: raw payment card numbers, full names linked to identifiers, passwords, or any special-category personal data.
Data reaches us only through (a) Shopify webhooks you authorize at install (orders, checkouts,
customers, carts, and the mandatory GDPR topics), each verified with an HMAC signature, and (b) the
RankShield Web Pixel running on your storefront. We request only the access scopes needed:
read_orders, write_orders, read_checkouts, read_customers, read_products, read_discounts.
To stop attackers faster, confirmed malicious network prefixes (never personal data) may be shared across the RankShield protection network so one store's attacker is blocked on others. Only high-confidence, non-personal indicators (IP prefixes, attack type) are shared.
Operational records are retained only as long as needed for fraud prevention and then expire automatically. We fully honor Shopify's mandatory GDPR webhooks:
customers/data_request — we surface the hashed data we hold for that customer.customers/redact — we delete all records tied to that customer's hashed identifiers.shop/redact — 48 hours after uninstall, we purge all data for the shop.Data is transmitted over TLS and processed on access-controlled infrastructure. Identifiers are salted and hashed at rest. Webhook authenticity is verified by HMAC.
Depending on your jurisdiction (GDPR, CCPA, etc.) you may request access, correction, or deletion of personal data. Merchants can trigger deletion by uninstalling the app or via the GDPR webhooks above.
Questions or data requests: hello@seoeliteagency.com.