Privacy Policy
Effective: May 3, 2026 · Version 2026-05-03
This is a short, plain-English summary of what SchemaFix stores about you and why. Defined terms match the Terms & Conditions.
The short version
The only personal data SchemaFix stores is your account email, a bcrypt hash of your password, and a billing record for any paid Audit Passes or Extensions you buy (Stripe session ID, SKU, quantity, and the resulting pass / credit ledger entries). Everything else SchemaFix touches — the URLs you submit, the HTML at those URLs, the structured data we extract, the model's findings, your dismissals and history — is information that's already public on the open internet. We cache it so we can render your reports back to you. We don't sell it, we don't track you across other sites, and we don't use it to build a profile of you.
1. Personal data we store
- Account: the email you sign up with and a bcrypt hash of your password. Passwords are never stored in plaintext.
- Billing: for paid purchases, the Stripe Checkout session ID, the SKU and quantity, and the resulting per-site pass / credit ledger entries. Full card numbers stay with Stripe — we never see them.
- Agreement record: the timestamp and version of these documents you accepted at signup.
- Operational: a single first-party session cookie (sc_session) that keeps you signed in for 30 days, plus short-lived server logs (timestamps, request paths, IP addresses, user-agent strings) for debugging and abuse prevention.
2. Public-web data we cache to render your reports
When you submit a URL, we fetch the page (or you paste the HTML yourself), extract the JSON-LD and other structured data, and run it through our model and ruleset. The fetched HTML, the extracted structured data, the generated findings and snippets, and your dismissals and history of those findings are stored against your account so we can show you the report later and so re-running an audit is cheap.
We treat this as a cache of public information, not as personal data we've collected about you. If you'd prefer we didn't keep it, ask us to delete it (see section 5) and we will.
3. Sub-processors
We use these third parties to run the Service. Each only sees what it needs:
- PostgreSQL hosting provider — stores account, audit, and billing data at rest.
- Stripe — processes payments and stores card details.
- OpenAI — receives the structured-data blocks and basic page metadata to generate findings and snippets. We don't send personally identifying information beyond the URL you submitted.
- Transactional email provider — receives your email address and the contents of receipts and account messages.
The owner of this SchemaFix installation keeps this list current. We don't sell, rent, or trade your data to third parties for their own marketing.
4. Cookies
One first-party cookie, sc_session, keeps you signed in across page loads. It's HTTP-only, SameSite=Lax, and Secure in production. No third-party advertising cookies, no cross-site tracking.
5. Your rights
Depending on where you live, you may have the right to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing. Email us (section 8) and we'll handle it within a reasonable period at no charge for routine requests. You can also ask us to delete your cached audit data without closing your account.
6. Retention
We keep account, billing, and cached audit data while your account is active and for a reasonable period afterwards to handle disputes, accounting, and legal obligations. Server logs roll over on a short window (typically 30 days).
7. Security & breach notification
We use TLS in transit, bcrypt for passwords, isolated database credentials, and least-privilege access. No system is perfectly secure; if you find a vulnerability, please report it responsibly to the email in section 8 and we'll work with you in good faith. If a security incident materially affects your personal data, we'll notify affected users by email without undue delay and within any timeframe required by law.
8. Contact
Questions about your data, or want to exercise a right above? Email the SchemaFix team — see the contact address at the bottom of the application or in your purchase receipt.
9. Children
SchemaFix is a B2B tool for Shopify merchants and isn't aimed at children under 16. We don't knowingly collect personal data from children. If you think a child has given us data, contact us and we'll delete it.
10. International transfers
Your data may be processed in countries other than the one you live in (notably the United States, where some of our sub-processors are based). Where required by law we use appropriate safeguards (e.g. standard contractual clauses) for those transfers.
11. Changes to this Policy
We may update this Policy. Material changes are reflected in a new Version and Effective Date at the top of this page. Continued use of the Service after a change means you accept the updated Policy.
Last updated: May 3, 2026.