Privacy Policy
Last updated: June 2, 2026
This Privacy Policy describes how Shopify Theme Create (the “Service”, “we”, “us”) collects, uses, stores, and deletes the personal data of its users (“you”). The Service is an independent product and is not affiliated with Shopify Inc. See the Shopify Disclaimer for details.
1. Data controller
The Service is currently operated by an independent operator reachable at harundede84@gmail.com. Once the operator is registered as a legal entity, this section will be updated with the company name, registered address, and (where applicable) tax/registration numbers.
2. Personal data we collect
We only collect data that is strictly necessary to operate the Service:
- Account data: name, email address, hashed password (we never store the plaintext password), email-verification status.
- OAuth identifiers (optional): if you sign in with Google, we receive your Google account ID, email, name, and profile picture URL.
- Shopify connection data (optional): if you connect a Shopify store, we store the shop domain and an encrypted access token so we can publish themes on your behalf. Tokens are envelope-encrypted (AES-256-GCM) before storage.
- Theme brief and uploaded media: the description of your store, brand tone, colour choices, and any logo/photo/video you upload through the wizard. Media is stored in Supabase Storage.
- Generated themes: the .zip bundles produced by the Service, retained so you can re-download them.
- Operational logs: request timestamps, IP address, user-agent, error traces. Used only to debug and to detect abuse.
- Billing data (when applicable): handled entirely by our future payments processor. We never see or store your card numbers.
3. Why we process your data
- To create and maintain your account (contract).
- To generate, deliver, and let you re-download themes (contract).
- To send transactional emails — e.g. email verification, password reset (contract).
- To protect the Service from abuse, fraud, and security incidents (legitimate interest).
- To meet legal obligations such as tax law or lawful requests from authorities (legal obligation).
4. Sub-processors
We rely on the following processors. Each has its own privacy notice and is bound by data-protection terms:
- Vercel — application hosting and edge functions.
- Supabase — PostgreSQL database and file storage (EU region).
- Anthropic — AI inference (theme copy and self-healing).
- Resend — transactional email delivery.
- Google — OAuth sign-in only (optional).
- Shopify — only when you choose to connect a store; we exchange tokens with the Shopify Admin API on your explicit consent.
5. International transfers
Some sub-processors operate outside the European Economic Area. Where applicable we rely on Standard Contractual Clauses or equivalent safeguards published by those vendors. EU users can request a copy of the relevant clauses by email.
6. Retention
- Account data: kept while your account is active and for up to 30 days after deletion to satisfy backups and rollback.
- Generated theme bundles: kept while your account is active. You can delete them at any time from the panel.
- Uploaded media: kept while referenced by a theme; deleted within 30 days after the related theme is removed.
- Operational logs: rotated after 90 days.
7. Your rights (GDPR & KVKK)
Under the EU GDPR and the Turkish KVKK you have the right to access, rectify, delete, restrict, and port your personal data, as well as the right to object to certain processing activities. To exercise any of these rights write to harundede84@gmail.com. We will respond within 30 days.
Turkish residents may additionally lodge a complaint with KVKK (Kişisel Verileri Koruma Kurumu). EU residents may complain to their national supervisory authority.
8. Cookies
We use a minimal set of strictly-necessary cookies: an authentication session cookie and a CSRF/anti-fixation cookie. We do not run third-party analytics or advertising cookies by default.
9. Children
The Service is not directed at users under the age of 16. We do not knowingly collect data from children.
10. Changes
We may update this policy. Material changes will be communicated by email and announced on this page at least 14 days before they take effect.