Wassel MCP (Shopify) Privacy Policy

EFFECTIVE 19 MAY 2026

This policy explains what data the Wassel MCP application ("Wassel", "we") accesses from a connected Shopify store, why we access it, how long we keep it, and how it is deleted. It applies to merchants who install Wassel MCP and to the people whose data passes through it.

Who we are

Wassel is an integration layer that lets a merchant's own AI agent (for example Claude, ChatGPT, or a custom agent) call Shopify and other regional services through one secure interface. Wassel acts as a data processor on the merchant's behalf. For privacy questions, contact hello@wassel.cloud.

What Shopify data we access

When a merchant connects a store, they grant an OAuth token with only the scopes the app's tools need. Depending on the actions the merchant's agent performs, this can include reading and writing orders, products, inventory, customers, discounts, and reading store locations.

How we use it

Wassel is a real-time pass-through. When the merchant's agent requests an action, Wassel calls the Shopify API, returns the result to that merchant's agent, and the data is not retained. We do not use store or customer data for advertising, profiling, training models, or any purpose other than executing the merchant-requested action.

What we store

We do not maintain a copy of your orders, products, or customer records. The only Shopify-related data we persist is the OAuth access token for the connected store, together with the store domain. The token is encrypted at rest and is used solely to call Shopify when the merchant's agent requests an action.

Sharing and sub-processors

We do not sell data and do not share store or customer data with third parties. Data is transmitted only to the merchant's own connected agent. Wassel runs on the following infrastructure sub-processors, used only for hosting and secure storage:

  • Railway — application hosting
  • Supabase — database and encrypted secret storage
  • Cloudflare — edge delivery and network security

Retention and deletion

The stored OAuth token is deleted when any of the following occurs: the merchant disconnects the integration, the merchant uninstalls the app, or Shopify sends a shop redaction request. Because we hold no customer records, customer data requests and customer redaction requests are honored with no stored data to return or erase. We implement Shopify's mandatory compliance webhooks (customers/data_request, customers/redact, shop/redact) and the app/uninstalled lifecycle webhook, each verified by HMAC signature.

Security

Access tokens are encrypted at rest. All Shopify webhooks are verified using an HMAC signature before any action is taken. OAuth connections request only the fewest scopes required for the merchant's chosen tools.

Your rights

Merchants and data subjects may request access to, correction of, or deletion of personal data, and may withdraw consent by disconnecting or uninstalling the app. To exercise any right, contact hello@wassel.cloud. We respond within the period required by applicable law, including the GDPR where it applies.

Changes

We may update this policy. Material changes will be reflected by a new effective date at the top of this page.

Contact

Questions about this policy or your data: hello@wassel.cloud.