RankShield for Shopify — Privacy Policy

Last updated: 14 July 2026 · SEO Elite Agency LLC

RankShield ("we", "us") is a fraud- and abuse-protection app for Shopify merchants. This policy explains exactly what data the app processes, why, and how it is protected. We designed RankShield to do its job with the minimum data possible — we store salted hashes and network prefixes, not raw personal information.

1. Who is the data controller / processor

The merchant who installs RankShield is the data controller for their store's data. SEO Elite Agency LLC acts as a data processor, processing data on the merchant's behalf solely to provide fraud-prevention services. Processing runs on our backend (sea-shield-production.up.railway.app).

2. What we collect and why

DataForm storedPurpose
Customer/order emailSalted SHA-256 hash onlyDetect card-testing & fake-account velocity (link attempts without storing the address)
Visitor / order IP addressTruncated network prefix (/24 IPv4, /48 IPv6) + salted hashDetect attack bursts from one network; build ad-exclusion lists
Card BIN (first 6 digits)Salted hash onlyDetect carding (many distinct cards from one source). We never see or store full card numbers.
Storefront behavioral signalsAggregated booleans/counts (e.g. headless browser, time-on-page)Bot detection via the Shopify Web Pixel
Ad click identifiers (gclid, fbclid, etc.)As provided in the URLAttribute invalid paid clicks so merchants can recover wasted ad spend
Order / checkout / cart metadataAmounts, status, gateway, country, discount codesCard-testing, denial-of-inventory, promo-abuse and chargeback-risk scoring
Connected ad accounts (Google Ads, Meta, TikTok, Microsoft)Read-only performance metrics (impressions, clicks, spend, conversions) — only if you connect the accountShow ad performance and tie invalid clicks to wasted spend (Ads tab)
Google Search Console & Analytics (GA4)Read-only rankings, impressions, clicks, sessions, conversions — only if you connect themOrganic-search and revenue reporting (SEO & ROI tab)
Storefront session paths & acquisition sourcePseudonymous session records (pages viewed, referring source; bots filtered) — no names or emailsCustomer-journey and attribution analytics (Customer journey tab)
AI-agent activityAI-agent identity signals and the categories of catalog data an agent read (fingerprints only)Verify authorized AI shopping agents and flag spoofed ones (AI agents tab)

We do not collect or store: raw payment card numbers, full names linked to identifiers, passwords, or any special-category personal data.

Connected accounts are optional and read-only. The Ads and SEO & ROI tabs work only if you connect your own Google (Search Console, Analytics, Ads), Meta, TikTok, or Microsoft accounts via their official OAuth. We request read-only scopes, never change your campaigns or store, and you can disconnect at any time in Settings or in the platform. Data from those platforms is used only to display your own reporting inside RankShield.

Subprocessors & international transfers. We host on Cloudflare (edge / WAF) and Railway (application / database) in the United States. When you connect them, Google, Meta, TikTok, and Microsoft process the relevant advertising / analytics data under their own terms. We share only de-identified digests with the cross-store threat network (section 4). Where personal data is transferred internationally we rely on appropriate safeguards such as Standard Contractual Clauses. A current subprocessor list and a Data Processing Addendum are available on request at hello@seoeliteagency.com.

3. How we receive data

Data reaches us only through (a) Shopify webhooks you authorize at install (orders, checkouts, customers, carts, and the mandatory GDPR topics), each verified with an HMAC signature, and (b) the RankShield Web Pixel running on your storefront. We request only the access scopes needed: read_orders, write_orders, read_checkouts, read_customers, read_products, read_discounts.

4. Cross-store threat intelligence

To stop attackers faster, confirmed malicious network prefixes (never personal data) may be shared across the RankShield protection network so one store's attacker is blocked on others. Only high-confidence, non-personal indicators (IP prefixes, attack type) are shared.

5. What we never do

6. Retention & deletion

Operational records are retained only as long as needed for fraud prevention and then expire automatically. We fully honor Shopify's mandatory GDPR webhooks:

7. Security

Data is transmitted over TLS and processed on access-controlled infrastructure. Identifiers are salted and hashed at rest. Webhook authenticity is verified by HMAC.

8. Your rights

Depending on your jurisdiction (GDPR, CCPA, etc.) you may request access, correction, or deletion of personal data. Merchants can trigger deletion by uninstalling the app or via the GDPR webhooks above.

9. Contact

Questions or data requests: hello@seoeliteagency.com.