# GEO Agent App Review Data Use

Use this as the protected-customer-data and data-minimization appendix for Shopify App Store review.

## Data Access Summary

GEO Agent requests only product and app-proxy scopes:

- `read_products`: reads product titles, descriptions, images, variants, and product metafields so the app can audit whether product data is readable by AI assistants.
- `write_products`: writes product-description fixes only after the merchant reviews generated copy and clicks Apply Fix.
- `write_app_proxy`: configures the `/apps/geo` storefront app proxy for merchant-controlled llms.txt, UCP, and product-schema outputs.

GEO Agent does not request `read_customers`, `write_customers`, `read_orders`, `write_orders`, `read_themes`, `read_content`, or `read_metaobjects`.
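The scope lists above can be checked against the granted-scope string the app stores for each shop. The following is an added example, not GEO Agent's own code: the function names are hypothetical, and it assumes the stored string is comma-separated and that a granted `write_x` scope also covers `read_x`.

```javascript
// Added example: names below are hypothetical, not GEO Agent's code.
const DECLARED = ["read_products", "write_products", "write_app_proxy"];
const NOT_REQUESTED = [
  "read_customers", "write_customers", "read_orders", "write_orders",
  "read_themes", "read_content", "read_metaobjects",
];

// Assumption: the stored granted-scope string is comma-separated.
function parseScopes(scopeString) {
  const parts = String(scopeString || "").split(",");
  return new Set(parts.map((s) => s.trim()).filter(Boolean));
}

// Assumption: a granted write_x scope also grants read_x, so the stored
// string may list only write_products and still cover read_products.
function expandImplied(scopes) {
  const out = new Set(scopes);
  for (const s of scopes) {
    if (s.startsWith("write_")) out.add("read_" + s.slice("write_".length));
  }
  return out;
}

function auditScopes(scopeString) {
  const granted = parseScopes(scopeString);
  const effective = expandImplied(granted);
  // Anything granted that the appendix does not declare.
  const unexpected = [...granted].filter((s) => !DECLARED.includes(s)).sort();
  // Scopes the appendix says are never requested, including implied reads.
  const forbidden = NOT_REQUESTED.filter((s) => effective.has(s));
  // Declared scopes the shop has not (effectively) granted.
  const missing = DECLARED.filter((s) => !effective.has(s));
  const ok = unexpected.length === 0 && forbidden.length === 0 && missing.length === 0;
  return { ok, unexpected, forbidden, missing };
}

// Constructed sample scope strings.
for (const sample of [
  "write_products,write_app_proxy",
  "read_products, write_products, write_app_proxy, read_customers",
  "write_products,write_app_proxy,write_orders",
]) {
  console.log(sample, "=>", JSON.stringify(auditScopes(sample)));
}
```

A non-empty `forbidden` list means the installed grant no longer matches this appendix and should block release until the scope configuration or the document is corrected.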

## Protected Customer Data

GEO Agent does not collect, store, or process Shopify customer PII. The customer compliance webhooks are implemented because Shopify requires them, but their behavior is acknowledgement-only:

- `customers/data_request`: acknowledges that no customer data exists to return.
- `customers/redact`: acknowledges that no customer data exists to delete.

The app does not need access to customer names, emails, addresses, phone numbers, order history, payment data, or buyer account data to provide AI visibility audits.

## Stored Merchant Data

While the app is installed, GEO Agent stores shop-scoped operational data:

- Shopify session records needed for authenticated Admin API calls.
- Store domain, plan state, and granted-scope string.
- Product audit results, benchmark results, product records, and generated fix drafts.

This data is scoped to the installing shop and is used only to provide the embedded app workflow.

## AI Provider Data Minimization

Benchmark prompts sent to OpenRouter/Kimi use product names and buyer-intent query text. GEO Agent does not send customer PII, order data, payment data, or buyer account data to the AI provider.

Generated product-description fixes are based on merchant product data and are applied only after merchant review.

## Deletion Behavior

`app/uninstalled` and `shop/redact` both delete shop-scoped app data through the shared shop-data deletion helper. This includes stored sessions, audit results, benchmark results, product records, and generated fixes.

Customer redaction webhooks do not delete shop data because GEO Agent does not store customer records.

## Review Evidence

- Privacy policy: https://geo-agent.fly.dev/privacy
- Human review packet: https://geo-agent.fly.dev/app-review
- Machine-readable review packet: https://geo-agent.fly.dev/app-review.json
- Data-use appendix: https://geo-agent.fly.dev/app-review-data-use.md
