FeedDoctor Privacy Policy

Effective date: July 12, 2026

Publisher / data controller: Kalo Labs ("Kalo Labs", "we", "us", "our"), the developer of the FeedDoctor Shopify app ("FeedDoctor", the "App").

Contact: support@getfeeddoctor.com · Website: https://getfeeddoctor.com · App: https://app.getfeeddoctor.com

This policy explains what information FeedDoctor accesses, collects, uses, stores, shares, and deletes when a Shopify merchant installs and uses the App. It is written to match our actual data practices. If our practices change, we will update this policy and its effective date. This policy is publicly accessible without authentication and is linked from our Shopify App Store listing and from the Google OAuth consent screen, and it is hosted on the same domain as the App.

1. Who we are and what FeedDoctor does

FeedDoctor is a Shopify embedded app for merchants. It scans a merchant's Shopify product catalog for errors that cause products to be rejected or excluded from Google Merchant Center, Google Shopping, and AI-shopping surfaces; it quantifies the revenue at risk from those exclusions; it generates AI-suggested fixes that the merchant previews, approves, and can undo; and it monitors for future exclusions and emails the merchant a digest. FeedDoctor is a business-to-business tool that primarily processes product and catalog data, not the personal data of the merchant's own shoppers.

2. Information we access and collect

2.1 Data accessed through the Shopify Admin API

With the merchant's authorization, FeedDoctor accesses the following through the Shopify Admin API using the scopes read_products, write_products, read_markets, read_inventory, and read_locales:

Writes to your catalog. FeedDoctor writes product fields (product title, description, and vendor) only when the merchant explicitly approves a specific AI-suggested fix. Every write is shown in a preview before it is applied and every write is reversible through the App's undo function. FeedDoctor does not make automated or destructive changes to a catalog.

2.2 Protected customer data (Shopify)

FeedDoctor's features operate on product/catalog and shop-profile data and do not require access to the merchant's shoppers' personal information (such as customer names, addresses, phone numbers, or email addresses). We do not request protected customer data fields to deliver the App's functionality. Where Shopify nonetheless routes customer-related compliance requests to installed apps, we honor them through the mandatory compliance webhooks described in Section 8.

2.3 Information you provide directly to us

Billing and account information is handled by Shopify through Shopify-managed app pricing; we do not collect or store your payment card details. FeedDoctor does not request information about your customers from you.

2.4 Data accessed through the Google Merchant API

If the merchant chooses to connect a Google Merchant Center account, FeedDoctor accesses the merchant's Merchant Center product statuses and item-level issues through the Google Merchant API using the restricted content scope. This access occurs only after the merchant grants consent through Google's own OAuth flow. This Google data is used solely to show the merchant which of their products Google has flagged and to reconcile those findings against FeedDoctor's own scan. See Section 4 for our full Google API disclosure.

2.5 Data we generate or derive

In the course of providing the App, we generate and store: detected feed issues, scan-run history, revenue-at-risk estimates, and AI-fix history (including the before-and-after values of changed product fields, retained so that changes can be undone).

2.6 Cookies, tracking, and automated logs

FeedDoctor is an embedded merchant tool. We do not drop advertising or tracking cookies on your shoppers' devices, and we do not log, record, or track the navigation or behavior of your store's shoppers. FeedDoctor uses only the cookies/session tokens strictly necessary to authenticate the embedded App session within the Shopify admin. Our hosting infrastructure keeps standard operational/security logs (for example, request and error logs) used to run and protect the service.

3. How we use information

We use collected information only to provide and support the App's core functionality as described above. We do not use your data for advertising, we do not sell it, and we do not use it to train third-party or general-purpose AI models. Product text sent to our LLM provider is used only to generate suggestions for you.

4. Google user data — access, use, storage, and sharing

FeedDoctor's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Scope requested and feature it powers. FeedDoctor requests the Google Merchant API restricted content scope. We use it to read the merchant's Merchant Center product statuses and item-level issues, in order to power a user-facing feature that shows the merchant which products Google flagged and reconciles those issues against FeedDoctor's own feed-health scan. FeedDoctor does not write to the merchant's Google Merchant Center account.

How Google user data is accessed. We access the merchant's Google Merchant Center data only via authorized OAuth, after the merchant grants consent on Google's consent screen, and only to the extent needed for the disclosed feature.

How Google user data is used (Limited Use). Our use of Google user data is limited to providing and improving the user-facing features described above, which are prominent in FeedDoctor's user interface. We do not use Google user data for any other purpose.

How Google user data is stored. FeedDoctor stores the merchant's Google OAuth refresh token encrypted at rest using AES-256-GCM, so that it can retrieve Merchant Center statuses on the merchant's behalf. Google product-status and item-issue data is retrieved to power the reconciliation feature and is retained only as needed to provide that feature. All Google data is transmitted over HTTPS/TLS in transit and protected at rest. Google data and the stored refresh token are deleted when the merchant disconnects their Google account, uninstalls the App, or requests deletion. We handle restricted-scope data consistent with Google's secure-handling and annual security-assessment expectations for restricted scopes.

How Google user data is shared / transferred. We do not transfer Google user data to others except in the narrowly allowed cases: (a) to provide or improve prominent user-facing features, with the merchant's consent (for example, transmitting data to the infrastructure and processing subprocessors that operate the feature); (b) for security purposes, such as investigating abuse; (c) to comply with applicable law; or (d) as part of a merger, acquisition, or sale of assets, with the merchant's prior explicit consent.

No selling / no data-broker transfer. We do not sell or transfer Google user data to third parties such as advertising platforms, data brokers, or information resellers.

No advertising use. We do not transfer, sell, or use Google user data for serving ads, including retargeting and personalized or interest-based advertising.

No credit / lending use. We do not use Google user data to determine credit-worthiness or for lending purposes.

Human-access limitation. Humans at Kalo Labs do not read the merchant's Google user data unless: the merchant gave affirmative agreement to view specific data; it is necessary for security purposes (such as investigating abuse); it is necessary to comply with applicable law; or the data has been aggregated or anonymized and is used for internal operations.

Explicit Limited Use statement. FeedDoctor's use and transfer of information received from Google APIs to any other app will comply with (adhere to) the Google API Services User Data Policy, including the Limited Use requirements.

Compliance flow-down. Kalo Labs ensures that its employees, agents, contractors, and successors also comply with the Google API Services User Data Policy and its Limited Use requirements.

5. AI processing of product text

To generate suggested fixes, FeedDoctor sends product text (such as product titles and descriptions) to a third-party large language model provider — OpenRouter, which routes the request to an Anthropic Claude model. The output is a suggested rewrite that the merchant reviews before anything is written back to the catalog; no change is applied automatically. Product text is sent only to generate suggestions for that merchant and is not used by us to train models. Please note that AI-generated suggestions can be imperfect and should be reviewed before approval.

6. Subprocessors and third-party sharing

We share data with the following service providers (subprocessors), each acting as a data processor on our behalf and only for the purpose stated:

We do not share data with advertising networks and we do not resell data to analytics providers or data brokers. We may also disclose information where required by law, to protect the security or rights of FeedDoctor and its users, or in connection with a merger, acquisition, or sale of assets (subject, for Google user data, to the consent requirements in Section 4).

7. Data retention

We retain merchant and App data for as long as the App remains installed and the merchant's account is active, so that we can provide the service (including scan history and undo capability). Operational and security logs are kept for a limited period consistent with running and protecting the service. When the App is uninstalled, or upon a valid redaction/deletion request, we delete the associated data as described in Section 8. We do not keep personal data longer than needed for the purposes described in this policy or as required by law.

8. Data deletion, redaction, and Shopify compliance webhooks

FeedDoctor implements and honors Shopify's mandatory compliance webhooks:

For each webhook we verify the Shopify HMAC signature header (returning HTTP 401 on an invalid signature), acknowledge valid requests with a 2xx status, and complete the requested action within the required timeframe (within 30 days). These compliance topics are registered via the Shopify CLI / shopify.app.toml compliance_topics configuration. Merchants may also request access to, or deletion of, their data at any time by emailing support@getfeeddoctor.com.

9. Data minimization

We process only the minimum personal data required to provide FeedDoctor's functionality. We do not request protected customer data fields we do not need, and we design the App to operate primarily on product/catalog and shop-profile data rather than shopper personal data.

10. Security

All traffic between the merchant, Shopify, Google, our infrastructure, and our subprocessors travels over HTTPS/TLS (encryption in transit). Sensitive credentials, including the Google OAuth refresh token, are encrypted at rest (AES-256-GCM), and data is stored with our infrastructure providers using their at-rest protections. We restrict internal access to personal data and follow the secure-handling practices expected for Shopify protected customer data and Google restricted scopes.

11. International data transfers

Kalo Labs and its primary infrastructure subprocessors (Neon and Render) are located in the United States, and data is stored and processed in the United States. If you or your customers are located in the European Economic Area, the United Kingdom, or another region, your data will be transferred to and processed in the United States and other countries where we or our subprocessors operate. Where required, such transfers are made under appropriate safeguards. Kalo Labs is not established in Europe.

12. Your rights as a merchant

As our merchant customer, you can access, correct, export, and delete the data associated with your FeedDoctor account. You can view your scan and fix history within the App, undo AI-applied changes, opt out of the digest, and uninstall the App at any time (which triggers deletion as described in Section 8). To exercise any of these rights, contact support@getfeeddoctor.com.

13. Rights of individuals (data subjects)

Individuals whose personal data may be processed in connection with a store — including the merchant's own customers — have rights that may include the right to access, delete/erase, correct, port, and object to the processing of their personal data. Because FeedDoctor operates on a merchant's store data, requests from a store's shoppers are generally fulfilled through Shopify's data-subject-request flow and the compliance webhooks in Section 8, with the merchant acting as the controller of their customers' data. Consistent with Shopify's requirements, we extend the same core privacy rights to all individuals regardless of their location. Individuals may also contact us at support@getfeeddoctor.com.

14. GDPR

For merchants and individuals in the EEA/UK, we process personal data under the EU/UK General Data Protection Regulation. In providing the App, Kalo Labs generally acts as a data processor for the merchant's store data (the merchant is the controller) and as a controller for the limited account, billing-adjacent, and support information we manage directly. Our lawful bases include performance of our contract with the merchant, our legitimate interests in operating and securing the service, compliance with legal obligations, and consent where required (for example, the merchant's Google OAuth consent). We maintain records of processing, support data-subject rights as described above, and enter into data processing terms with our subprocessors. Consistent with Shopify's requirements, the privacy rights described in this policy are extended to all individuals regardless of location.

15. California / US privacy rights (CCPA/CPRA)

If you are a California resident (or in a US state with comparable law), you may have the right to know what personal information is collected, to access and delete it, to correct it, and to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not use personal information for cross-context behavioral advertising. To exercise your rights, contact support@getfeeddoctor.com. We will not discriminate against you for exercising these rights.

16. Policy currency and consistency

We keep this policy current with our actual data practices and consistent with the App's requested Shopify API scopes and protected-data access, the Google restricted scope we request, and our data processing obligations. If we materially change how we handle data, we will update this policy and its effective date and, where required, notify affected merchants.

17. Contact us

For any privacy question or request, contact:

Kalo Labs — FeedDoctor
Email: support@getfeeddoctor.com
Website: https://getfeeddoctor.com
Business/mailing address: 28 Quinton Drive, Markham, Ontario, Canada, L6C 0N8

If you have an unresolved concern, EEA/UK individuals may also have the right to lodge a complaint with their local data protection authority.