Data Protection & Processing
Last updated: 12 July 2026
This page summarises how Ignite AI Reviews processes data on behalf of merchants (the "controller"). It complements our Privacy Policy and is written to support GDPR/UK-GDPR and CCPA obligations and Shopify's Protected Customer Data requirements.
Roles
The merchant is the data controller. Ignite is a data processor acting only on the merchant's documented instructions (installing the app and pressing Generate).
Scope of processing
- Categories of data processed: product content (title, description, specs, page text) and the store's Admin API access token. Optionally, a merchant-supplied AI provider key held only in memory.
- Categories we do NOT process: customer personal data — no names, emails, phone numbers, addresses, or order history. Ignite neither reads nor stores customer PII.
- Purpose: to generate product-review content and author images and write them to the merchant's own store.
Protected Customer Data
Because Ignite does not access Shopify's protected customer data, no customer PII is collected, stored,
shared, or used for profiling, advertising or model training. Shopify's mandatory compliance webhooks
are implemented; as no customer PII is retained, customers/data_request and
customers/redact return "nothing on file", and shop/redact deletes the
store's stored connection.
Security measures
- Encryption in transit (TLS) for all requests.
- Admin tokens stored as encrypted server-side secrets; bring-your-own AI keys never persisted.
- Authenticated, anti-enumeration API surface; least-privilege Shopify scopes (write product content and files only).
Sub-processors
- Cloudflare — compute, storage, DNS, and image generation.
- Your chosen AI provider — Anthropic, OpenAI or Google — receives product content to generate text and images when you press Generate.
International transfers
Processing occurs on globally distributed edge infrastructure. Where personal data of the merchant (e.g. contact email) is involved, transfers rely on the providers' standard contractual clauses.
Retention & deletion
Generated content lives on the merchant's own store and is deleted by the merchant at will. Connection
records are deleted on uninstall, on shop/redact, or on request to
support@ignitehk.org.
Contact
Data protection enquiries: support@ignitehk.org.