Privacy Policy

1. Who we are

AccessBinder is a Shopify application operated by Romain Lacube EI (SIREN 848 852 356), trading as RLC. Contact: [email protected].

2. What data we collect

From Shopify merchants (app users):

• Shop domain and OAuth access token (required to read store configuration via Shopify API)
• Email address provided during installation (used for billing and support)
• Store plan tier (Free/Pro/Defense) and billing status

From store pages we audit:

• Publicly accessible HTML content, DOM structure, and rendered screenshots of storefront pages
• No customer data, order data, or personal information is read or stored
• Audit targets are only pages accessible without authentication

From landing page visitors:

• Email address if voluntarily submitted via the waitlist form
• Anonymized visit analytics via Google Analytics 4 (GA4) — no cross-site tracking, IP anonymization enabled

3. Why we process it

• App function — running WCAG audits, generating PDF reports, storing evidence on your behalf
• Billing — Shopify Billing API subscription management
• Communication — sending audit completion emails via Resend
• Analytics — understanding aggregate usage to improve the product (no individual profiling)

4. Data retention

• Free plan — scan results and PDF reports retained for 3 months
• Pro plan — 12 months
• Defense plan — 24 months (immutable evidence vault, object lock enabled)
• On app uninstall, merchant data is deleted within 30 days per Shopify GDPR requirements. Immutable vault objects (Defense) are retained for the contractual evidence period.

5. Who we share data with

• Cloudflare R2 (EU infrastructure) — encrypted PDF and screenshot storage
• Neon Postgres (US-East, encrypted at rest) — structured audit data
• Resend (US) — transactional email delivery
• Shopify — OAuth, billing, and storefront access

We do not sell data to third parties. We do not use your data for advertising targeting.

6. Your rights (GDPR / CCPA)

If you are in the EU, UK, or California, you have the right to access, correct, export, or delete your data. To exercise these rights, email [email protected]. We respond within 30 days.

Shopify GDPR webhooks are implemented: customers/data_request, customers/redact, shop/redact.

7. Cookies

The landing page (accessbinder.com) uses Google Analytics 4 with anonymized IPs. No marketing cookies. No cross-site tracking. GA4 data is retained for 14 months.

The Shopify app (embedded) uses session cookies required by Shopify OAuth.

8. Security

All data in transit is encrypted via TLS 1.2+. Stored PDFs and screenshots use AES-256 encryption at rest on Cloudflare R2. Defense plan objects use R2 Object Lock (WORM) to prevent alteration.

9. Changes to this policy

We will update this page and email active subscribers for material changes. The "Last updated" date above reflects the current version.

10. Contact

Romain Lacube EI · 315 chemin de la Croix Verte, 13090 Aix-en-Provence, France
[email protected]