Effective Date: June 17, 2026
Last Updated: June 17, 2026
ContentGuard is a Shopify application developed and operated by CGN Media Group LLC ("we," "us," or "our"). Our registered address is 5036 3rd Ave S, St Petersburg FL 33707. You can reach our privacy team at chad@tide-flow.com.
ContentGuard is a compliance-aware product-copy scanner and rewriter for Shopify merchants. It reads a merchant's product descriptions, classifies each claim sentence as safe, risky, or prohibited against a selected compliance profile (US Dietary Supplement, US Cosmetics / OTC Drug, or Generic FTC), cites the governing FDA/FTC rule, scores the page 0–100, and — on merchant approval — writes a compliant rewrite back to the product. This policy explains how ContentGuard collects, uses, stores, and protects data in the course of providing that service.
The most important fact in this policy: ContentGuard requests only the read_products and write_products API scopes. It does not access, store, or process any end-customer personal data — no customer names, emails, phone numbers, addresses, orders, or customer identifiers. It works exclusively with the merchant's own product marketing copy.
This policy applies to:
Because ContentGuard never touches end-customer data, there is no end-customer category of data subject for this app.
ContentGuard accesses data through the Shopify Admin API when a merchant installs the app and when products are scanned. We request only the data strictly necessary to scan and rewrite product copy. We do not perform customer exports, engage in marketing or advertising, build customer profiles, or sell any data to third parties.
What we access: Product title, product type, tags, the product description (descriptionHtml), and ContentGuard's own contentguard metafield, for the products in the merchant's catalog.
Why: The product description is the marketing copy ContentGuard scans for regulatory claim issues. Title, type, and tags provide context for accurate classification (for example, distinguishing a cosmetic from an OTC drug).
Scope used: read_products
Data minimization: ContentGuard reads product objects only. It never queries customers, orders, returns, fulfillments, or draft orders.
What we store: For every product scanned, ContentGuard writes a Scan record to our database. This record includes: the product GID and title, the compliance profile used, the 0–100 risk score, the verdict (safe/risky/prohibited), the per-claim findings (offending sentence, classification, cited rule, explanation, rewrite), the intent-preserving compliant rewrite, the stricter ad-feed variant, a snapshot of the original descriptionHtml the model saw, and the write-back status (pending, applied, dismissed, failed, simulated, skipped_shadow, auto_applied) with the approval source and timestamp.
Why: The scan log is the authoritative audit trail of what was flagged, what was rewritten, and who approved each change. It supports reproducibility, re-scanning when copy changes, and evidence that the merchant actively reviews their claims.
PII note: None of this is customer data. It is the merchant's own product marketing copy and ContentGuard's analysis of it.
What we store: The merchant's ContentGuard configuration in a ShopSettings record: selected compliance profile, custom banned phrases, brand voice, autonomy mode (shadow/assisted/autonomous), and the auto-apply risk threshold.
Why: Persists the merchant's preferences between sessions and drives the scan and autonomy behavior.
What we store: The Shopify offline access token issued to ContentGuard after OAuth (stored in the Session table) and the merchant's shop domain. The Session table may also store the merchant account owner's first name, last name, email, locale, and account-owner flag if Shopify includes them on the session during the OAuth handshake. This is merchant/staff account data, not end-customer data.
Why: The access token is required to call the Shopify Admin API on the merchant's behalf.
To be explicit, ContentGuard does not collect, access, store, or transmit any of the following:
ContentGuard does not request the API scopes that would expose this data (read_customers, read_orders, read_returns, read_fulfillments, read_draft_orders, etc.). As a result it is exempt from Shopify's Protected Customer Data (PCD) review (see DATA-ACCESS-AND-PCD.md).
We use the data described above exclusively to:
1. Scan product copy — classify each claim sentence against the merchant's selected compliance profile and cite the governing rule.
2. Generate compliant rewrites — produce an intent-preserving rewrite of the description and a stricter ad-feed variant in the merchant's brand voice.
3. Write approved copy back — on merchant approval (or autonomous auto-apply below the risk threshold), update the product's descriptionHtml and stamp the contentguard scan metafield.
4. Maintain an audit trail — log every scan and write-back for the merchant to review and export.
We do not use your data to advertise, build profiles, sell to third parties, or train AI models (see Section 5).
ContentGuard relies on the following subprocessors:
Role: AI inference engine (the compliance scanner), used when a live Anthropic API key is configured.
Data received: Product marketing copy (title and description), the selected compliance ruleset, the brand voice string, and the merchant's custom banned phrases. No customer personal data is transmitted — ContentGuard holds none.
Location: United States.
Training opt-out: Anthropic does not use API inputs or outputs to train their models. This is a commitment in Anthropic's API terms and applies to all API customers, including ContentGuard. Merchants can verify this at [https://www.anthropic.com/legal/privacy](https://www.anthropic.com/legal/privacy). ContentGuard does not opt into any model training program.
Role: Application hosting and managed Postgres database.
Data received: All data stored in the production database — Scan, ShopSettings, and Session records. No customer personal data is present.
Location: United States (default). The current production provider is Render (or equivalent managed cloud provider) and is disclosed on our website at [URL].
Role: OAuth session broker and API platform.
Data received: The Shopify OAuth flow transmits the app access token and shop domain. Shopify also transmits webhook payloads (including the GDPR webhooks) to ContentGuard.
Location: Canada / United States.
We do not use any analytics, error-monitoring, or email subprocessors that receive personal data at this time. If we add such services, we will update this section.
| Data | Retention Period | Deletion Trigger |
|---|---|---|
| Scan (product copy, findings, rewrites, status) | While the app is installed | shop/redact webhook (within 48 hours of uninstall) |
| ShopSettings (profile, banned phrases, autonomy mode) | While the app is installed | shop/redact webhook |
| Session (Shopify access token, optional staff name/email) | Until app uninstalled | app/uninstalled webhook, and shop/redact |
When a merchant uninstalls ContentGuard, the session is deleted via the app/uninstalled webhook. All remaining shop data — every Scan, ShopSettings, and Session row for that shop — is permanently deleted when Shopify sends the shop/redact webhook (typically 48 hours after uninstall). This is fully implemented in app/lib/compliance.server.ts → handleShopRedact.
ContentGuard implements all three Shopify-required GDPR compliance webhooks. Because ContentGuard stores no end-customer personal data, two of them are no-data attestations:
customers/data_request — Right of Access
When Shopify sends this webhook, ContentGuard returns a structured attestation stating that it processes product copy only and holds no customer personal data. There are no customer records to export, because none exist. (Implemented in handleCustomersDataRequest.)
customers/redact — Right to Erasure
When Shopify sends this webhook, ContentGuard returns a structured "0 records redacted" attestation. There is no customer PII to erase. (Implemented in handleCustomersRedact.)
shop/redact — Merchant Erasure
When a merchant uninstalls ContentGuard and Shopify sends shop/redact, ContentGuard permanently deletes all Scan, ShopSettings, and Session records for that shop and logs the per-table delete counts. This is the only privacy webhook that performs data deletion, because the only persisted data is the merchant's own product-derived scan history. (Implemented in handleShopRedact.)
All three webhooks are HMAC-verified by authenticate.webhook() before any handler runs.
Merchants may submit privacy requests directly by emailing chad@tide-flow.com. We will:
We do not sell personal data. Because ContentGuard does not collect end-customer data, end customers on a merchant's store have no ContentGuard-held data; their rights under the merchant's store are exercised through the merchant and Shopify.
If you are a merchant located in the European Economic Area, the United Kingdom, or Switzerland, the following applies.
Scope: ContentGuard processes the merchant's own product copy and the merchant/staff account data on the Shopify session. It does not process end-customer personal data.
Legal bases for processing:
| Processing activity | Legal basis |
|---|---|
| Scanning product copy and producing compliant rewrites | Performance of a contract with the merchant (Article 6(1)(b)) / legitimate interests (Article 6(1)(f)) |
| Storing scan results for audit and re-scan | Legitimate interests of the merchant (Article 6(1)(f)) |
| Responding to data-subject and erasure requests | Legal obligation (Article 6(1)(c)) |
Controller / Processor: ContentGuard processes the merchant's product copy as a processor acting on the merchant's instructions; the merchant is the controller of their product content. ContentGuard does not act as a processor of end-customer data, because it does not process any.
International transfers: Data is processed in the United States by ContentGuard and its subprocessors (Anthropic, hosting provider). Where required, transfers from the EEA/UK to the United States are conducted under the European Commission's Standard Contractual Clauses (SCCs). Merchants requiring specific data-residency arrangements should contact us at chad@tide-flow.com.
ContentGuard does not collect personal information from California consumers (end customers). It processes the merchant's product copy and the merchant's own account data on the Shopify session.
| CCPA Category | Collected? |
|---|---|
| Identifiers (customer name, email, customer ID) | No |
| Commercial information (orders, purchases, returns) | No |
| Internet/network activity | No |
| Geolocation | No |
| Merchant account identifiers (on Shopify session) | Yes — merchant/staff, not consumer |
Encryption in transit: All communications between ContentGuard, the Shopify Admin API, and the Anthropic API use HTTPS with TLS 1.2 or higher. HTTP is rejected at the application layer and HSTS is enforced in production.
Encryption at rest: The production database is a managed Postgres instance with encryption at rest enabled (standard on managed providers such as Render). Because no customer PII is stored, the data-at-rest risk surface is limited to the merchant's own product copy and the Shopify access token.
Least-privilege access: The application's database user has only the permissions necessary to read and write its own tables. The Session table (which holds the access token) is access-controlled to the app database user; no shared superuser credential is used by the application.
API secret management: The Anthropic API key and the Shopify API secret are stored as server-side environment variables. They are never transmitted to the browser, never included in client-side code or loader responses, and never committed to source control.
Incident response: We maintain an incident-response process covering detection, containment (credential and API-key rotation, Shopify secret revocation which invalidates access tokens), merchant notification within 72 hours per GDPR where applicable, and post-incident review.
ContentGuard surfaces likely regulatory issues (FDA/FTC) and proposes compliant rewrites, but its output is a tool, not legal advice. The merchant remains responsible for the claims they publish. The compliance profiles encode commonly-cited rules (the FDA cosmetic-vs-drug line, OTC monograph actives, DSHEA, FTC substantiation) and are not a substitute for review by qualified counsel on high-stakes claims.
ContentGuard is a B2B tool for Shopify merchants and is not directed at children. It does not collect personal data from individuals under 13.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date, post a notice in the ContentGuard app dashboard for at least 30 days, and, for material changes to data processing, notify merchants by email. Continued use after the effective date constitutes acceptance. If you object to a change, you may uninstall the app, at which point your data is deleted per Section 6.
For privacy questions or data access/deletion requests:
CGN Media Group LLC
5036 3rd Ave S, St Petersburg FL 33707
Email: chad@tide-flow.com
Website: [URL]
For GDPR-specific inquiries, email chad@tide-flow.com with "Privacy Request" in the subject line. We aim to respond within 5 business days and to meet all statutory deadlines.
*ContentGuard is a Shopify app and is not affiliated with or endorsed by Shopify Inc. Shopify's own privacy practices are governed by Shopify's Privacy Policy at shopify.com/legal/privacy.*