Privacy Policy

Effective 2026-06-06 · Paperfort, Inc.

Paperfort produces Shopify accessibility audit documentation. We designed the service so that we never collect or store customer personally identifiable information (PII) from your storefront. This policy explains what we do collect, what we don’t, and how to reach us.

1. What we scan

When a merchant installs our Shopify app or orders an audit bundle, we fetch publicly-available pages of the storefront (the same pages a customer or Google bot would see). We run an automated WCAG 2.2 AA scan against the rendered HTML, CSS, and JavaScript output. We do not log into the Shopify admin, we do not access order data, and we do not crawl authenticated or checkout-only pages.

2. What we store

For each audit we retain:

• the shop domain (e.g. example.myshopify.com);
• the URLs we scanned and the timestamp of the scan;
• the accessibility findings (element selectors, WCAG rule IDs, severity);
• the generated audit PDF, VPAT 2.5 report, and hosted /accessibility statement;
• Shopify Billing metadata, including subscription status and Shopify subscription identifiers. Payment details stay with Shopify.

3. What we do not store

• No customer names, emails, phone numbers, or addresses from your storefront.
• No order history, cart data, or product purchase data.
• No protected health information (PHI) of any kind.
• No passwords, API tokens, or session cookies beyond the OAuth access token Shopify issues to us for the app install.

4. Shopify OAuth access token

When a merchant installs the Paperfort app, Shopify issues Paperfort an OAuth access token scoped to read-only access of products, themes, and content. We use the token only to fetch public storefront content for scanning. If the merchant uninstalls the app, Shopify sends us an app/uninstalled webhook and we mark the token inactive within 30 days, as required by Shopify’s Partner Program agreement.

5. Third parties

Paperfort uses the following sub-processors:

• Shopify — app install, subscription billing, webhook delivery, and theme app extension hosting.
• Fly.io — API hosting (Ashburn, VA).
• Vercel — marketing site and merchant dashboard hosting.
• Resend — transactional email (audit-ready notifications).
• Cloudflare — DNS and DDoS protection.

6. GDPR and CCPA

Shopify requires that every app respond to three privacy webhooks, regardless of whether the app stores customer data. Paperfort responds to all three:

• customers/data_request — we return a 200 and log that no customer data is stored.
• customers/redact — same.
• shop/redact — we delete the merchant record and all audits within 30 days.

EU and UK merchants can email privacy@paperfort.app to exercise GDPR rights. California residents can email the same address to exercise CCPA rights.

7. Data retention

Audit reports are retained for the life of the merchant’s subscription plus 30 days, so that they can be re-downloaded after cancellation for pending litigation. After 30 days post-cancellation, audit records are permanently deleted.

8. Security

All traffic is encrypted in transit (TLS 1.2+). Audit reports and merchant records are encrypted at rest on Fly.io Postgres. Shopify webhooks are validated by HMAC-SHA256 against Shopify’s signing key before we process them.

9. Changes to this policy

We post changes to this page and update the effective date. Material changes are sent to the admin email on file for each merchant.

10. Contact

Email privacy@paperfort.app with any privacy question, data access request, or deletion request.