Privacy Policy
Ghost Code — Shopify Theme Audit App
Effective date: March 22, 2026
This Privacy Policy explains how Alpenglow Software LLC ("we," "us," "our"), operator of Ghost Code ("the App") collects, uses, stores, and protects information when you install and use the App through the Shopify platform.
1. Information We Collect
Data from Shopify APIs
When you install the App, we access the following through the Shopify Admin API using the read_themes scope:
- Theme files — Liquid templates, sections, snippets, and layout files from your published theme. We access these files in read-only mode to scan for orphaned code left by previously uninstalled apps.
- Theme metadata — Theme name and ID to identify which theme was scanned.
We do not request write access to your themes. We do not modify any theme files.
Permission Audit feature (optional)
If you activate the Permission Audit feature, the App requests an additional read_apps scope through Shopify's consent flow. This scope allows us to access:
- Installed app information — App name, handle, description, and installation date for apps currently installed on your store.
- Permission snapshots — The API access scopes granted to each installed app, captured at the time of each audit run.
This data is used to identify apps with excessive permissions, detect permission changes over time, and generate a risk score for each installed app. You must explicitly grant the read_apps scope before this feature collects any data. The scope can be revoked at any time through your Shopify admin.
Data collected through Shopify session
Shopify provides the following data as part of the standard app authentication process:
- Shop domain
- Staff member name, email address, and user ID
- Account role (store owner or collaborator) and email verification status
- Locale preference
- Session tokens, access tokens, and refresh tokens
This session data is managed by Shopify's official session storage library and is required for the App to function within the Shopify Admin.
Data we do NOT collect
- Customer or shopper personal information
- Order or transaction data
- Payment or financial information
- Analytics or visitor behavior data
- Marketing or advertising data
2. How We Use Your Information
We use the data we collect solely to provide and improve the App's services:
- Theme scanning — We analyze your theme files in memory to detect orphaned code patterns (ghost scripts, stylesheets, snippets, and sections) left by previously uninstalled apps.
- Scan results — We store findings (file name, line number, a short code snippet of up to 300 characters, severity, and the identified app name) so you can review results in the App.
- Subscription management — We store your current billing plan to gate features appropriately.
- App functionality — We use your shop domain and session data to authenticate requests and deliver the App within the Shopify Admin.
3. How We Process Theme Data
Your theme files are processed as follows:
- Theme files are fetched from the Shopify API and processed in memory.
- Pattern matching detects orphaned code artifacts.
- Only the scan findings (metadata and short code snippets) are stored in our database.
- Full theme file contents are not stored — they are discarded after processing.
4. Data Storage and Security
- All data is stored in a PostgreSQL database hosted on Railway (United States).
- Shopify access tokens are encrypted at rest using AES-256 encryption.
- All connections use HTTPS/TLS encryption in transit.
- We do not sell, rent, or share your data with third parties for marketing purposes.
5. Third-Party Services
The App uses the following third-party services to operate:
| Service | Purpose | Data shared |
|---|---|---|
| Shopify Admin API | Theme file access and authentication | Session tokens, theme queries |
| Inngest | Background job scheduling | Shop ID, theme ID, scan metadata (not theme content) |
| Railway | Application and database hosting | All stored data (encrypted) |
No theme file contents are transmitted to Inngest or any other external service. Theme files are fetched directly from the Shopify API and processed on our application server.
6. Data Retention
- While installed — Scan results, findings, and shop data are retained for as long as the App is installed on your store.
- On uninstall — All data associated with your shop is permanently deleted immediately and automatically. This includes: sessions, scans, findings, and your shop record. Deletion is atomic and irreversible.
- GDPR shop/redact — If Shopify sends a shop data erasure request, all shop data is deleted within 48 hours.
7. Your Rights
You have the right to:
- Access — View all scan data and findings through the App's dashboard.
- Deletion — Uninstalling the App immediately deletes all your data. You can also contact us to request deletion without uninstalling.
- Data portability — Contact us to request an export of your stored data.
- Correction — Contact us if you believe any stored data is inaccurate.
We respond to all data requests within 30 days.
8. International Data Transfers
Your data is processed and stored on servers located in the United States. By using the App, you consent to the transfer of your data to the United States for processing.
9. Cookies and Tracking
The App does not use cookies, tracking pixels, or any analytics or advertising technologies. We do not track your behavior within the Shopify Admin.
10. Children's Privacy
The App is designed for use by Shopify merchants (business users) and is not directed at children under 13. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date at the top of this page. Continued use of the App after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or want to exercise your data rights, contact us at: