Privacy Policy
Last updated: April 22, 2026
This Privacy Policy explains how Outprice LLC (“we,” “us,” or “Outprice”) collects, uses, stores, and deletes data when you install and use Gritwrite, our Shopify app that rewrites product copy in a trained brand voice. It is written for Shopify merchants and applies to the data we hold about your shop and your use of the app.
1. Who we are
Gritwrite is developed and operated by Outprice LLC. For privacy questions or to exercise the rights described below, contact us at staff@gritwrite.com. For the purposes of GDPR and similar laws, Outprice LLC is the data controller for merchant data we collect through Gritwrite.
2. What data we collect
When you install Gritwrite on a Shopify store and use it, we collect and store the following categories of data — and nothing more:
- Shop identity. Your Shopify shop domain (for example, your-store.myshopify.com) and the Shopify-issued OAuth access token that authorizes Gritwrite to read and write product data on your behalf.
- Brand voice settings. The values you enter during onboarding and in Settings: brand name, one-sentence description of what you sell, tone descriptors, target customer description, optional example product description, banned phrases, and inspiration brands.
- Product data sent for rewriting. When you request a rewrite or a Brand Fit score, we read the selected product’s title, description (HTML), product type, and tags from your Shopify store and send them to the AI model (see Section 5). We do not copy your whole catalog in advance.
- Rewrite history. For each rewrite you generate: the original title, description, SEO meta fields, and alt text; the AI-generated versions of the same; the rewrite mode you used; the Brand Fit analysis (scores for brand match, human-sounding, cliché risk, SEO coverage, and publish readiness); whether you applied the rewrite to Shopify; and timestamps.
- Plan and usage metadata. Which billing plan your shop is on, how many rewrites you have generated, install and uninstall timestamps.
- Operational logs. Standard server-side logs generated by the app and our hosting provider in the course of normal operation, including request timestamps, IP addresses, response status codes, and error traces. These logs are used for debugging and security monitoring and are typically retained for no more than 30 days.
3. What we do NOT collect
Gritwrite is a merchant-facing app and does not process end-customer (shopper) data. Specifically, we do not collect or store:
- Names, email addresses, phone numbers, or any other contact information of your customers or shoppers
- Order data, cart data, or transaction data
- Payment card numbers or any payment instrument data (all billing is processed by Shopify — see Section 5)
- Shopper browsing behavior, IP addresses of your shoppers, or analytics events from your storefront
- Any data from apps other than Gritwrite itself
4. How we use the data
We use the data listed in Section 2 only for the following purposes:
- Authenticating your shop and maintaining your session with Shopify so the app can function.
- Generating AI rewrites and Brand Fit scores on your request, by sending the relevant inputs to Anthropic’s Claude API.
- Storing your rewrite history so you can review what you have generated, compare before and after, and revert applied rewrites if you change your mind.
- Enforcing your plan limits (for example, the five-rewrite free plan ceiling) and verifying your current billing status with Shopify.
- Responding to webhooks and support requests, including Shopify’s mandatory GDPR webhooks described in Section 10.
- Operating, securing, and improving the app, including debugging, preventing abuse, and enforcing usage limits.
We do not use your data to train any AI or machine learning model. We do not use it for advertising or marketing unrelated to your use of Gritwrite. We do not profile you or your customers.
5. Data sharing and third-party processors
We share the data in Section 2 only with the following service providers, each used for a specific and limited purpose:
- Anthropic, PBC (Claude API). When you request a rewrite or a Brand Fit score, the product copy and brand voice inputs listed in Section 2 are sent to Anthropic’s API for processing. Anthropic is the AI model provider. Anthropic’s handling of this data is governed by its own privacy policy at anthropic.com/legal/privacy and its commercial terms at anthropic.com/legal/commercial-terms. Under those commercial terms, Anthropic does not use API inputs or outputs to train its models.
- Shopify, Inc. Gritwrite operates inside the Shopify admin and uses Shopify’s Admin API and Shopify’s Billing API. Shopify processes your account, merchant, and billing information under Shopify’s Privacy Policy. All Gritwrite billing is processed by Shopify; Outprice LLC does not receive, process, or store your payment card information.
- Railway Corp. Gritwrite’s application servers and database are hosted on Railway, which stores the data described in Section 2. Railway’s handling of that data is governed by its privacy policy at railway.com/legal/privacy.
We do not sell, rent, or trade your data. We do not share your data with any advertising, analytics, or data-brokerage third party. We only disclose data outside the list above when required by law (for example, in response to a lawful subpoena) or to protect the rights, property, or safety of Outprice LLC, our merchants, or the public.
6. Data retention and deletion
- While the app is installed: we retain the data in Section 2 for as long as your shop has Gritwrite installed, so your brand voice and rewrite history persist across sessions.
- When you uninstall: Shopify fires the app/uninstalled webhook. On receiving it, we delete your session record and your shop record, which cascades to delete all associated rewrite history.
- Shop redaction (48-hour window): Shopify fires the shop/redact webhook 48 hours after uninstall. On receiving it we perform a confirming deletion pass to remove any remaining data associated with your shop within 48 hours.
- Operational logs are automatically purged on our hosting provider’s rolling retention cycle, typically no more than 30 days.
- Backups: database backups may retain deleted records for up to 30 additional days before being cycled out. Backups are access-controlled and used only for disaster recovery.
7. Security
We take reasonable and commercially appropriate measures to protect merchant data, including:
- Encryption in transit. All data moving between your browser, Gritwrite’s servers, Shopify’s APIs, and Anthropic’s APIs is protected using TLS 1.2 or higher.
- Network isolation. The production database sits behind our hosting provider’s private network perimeter and is not exposed to the public internet.
- Least-privilege access. Access to the production environment is restricted to authorized Outprice LLC personnel on a need-to-know basis, using platform-managed credentials.
- Authentication. All app access is authenticated through Shopify OAuth. We do not issue or manage passwords for merchant accounts.
- Input validation and rate limiting. Every API endpoint validates inputs against a strict schema and enforces per-shop rate limits to mitigate abuse.
On access tokens specifically: Shopify access tokens are stored in our production database and are protected by the network and credential controls described above. At the time this policy is published, these tokens are not separately encrypted at the application layer beyond those platform controls. We are evaluating adding application-layer encryption as part of our ongoing security program and will update this section when that change ships.
No security measure is ever absolute. We cannot guarantee that the data described in Section 2 will never be subject to unauthorized access. In the event of a data breach that materially affects your shop, we will notify you in accordance with applicable law.
8. Your GDPR rights (European Economic Area, United Kingdom, and Switzerland)
If you are a merchant established in the EEA, the UK, or Switzerland, you have the following rights under the GDPR and equivalent laws regarding the personal data we hold about your shop and the individuals associated with it:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data. Uninstalling the app is itself a complete erasure request and is the fastest way to exercise this right.
- Portability — request your data in a structured, machine-readable format.
- Restriction and objection — ask us to pause or stop certain processing.
- Withdrawal of consent — where processing is based on consent, you may withdraw consent at any time.
To exercise any of these rights, email staff@gritwrite.com. We will respond within 30 days of receiving a valid request. You also have the right to lodge a complaint with your local supervisory authority.
Our legal basis for processing is (i) performance of the contract between Outprice LLC and your business (these Terms of Service together with Gritwrite’s use), (ii) our legitimate interest in operating, securing, and improving the service, and (iii) compliance with our legal obligations.
9. Your CCPA rights (California merchants)
If you are a California resident or a California business, the California Consumer Privacy Act (CCPA) and its amendments give you the right to:
- Know what personal information we collect about you and how we use it (described in Sections 2, 3, 4, and 5 above).
- Request deletion of the personal information we hold about you.
- Opt out of the “sale” or “sharing” of your personal information.
- Not be discriminated against for exercising these rights.
We do not sell or share personal information within the meaning of the CCPA. To exercise any CCPA right, contact us at staff@gritwrite.com. We will respond within 45 days.
10. Shopify mandatory GDPR webhooks
Shopify requires all apps to implement three privacy-related webhooks. Here is exactly how Gritwrite handles each:
- customers/data_request — triggered when a shopper asks a merchant for their personal data. Gritwrite does not collect or store any shopper personal data (see Section 3), so there is nothing for us to produce. On receiving this webhook, we acknowledge it and confirm in writing, within 30 days, that we hold no data on the individual.
- customers/redact — triggered when a shopper asks a merchant to delete their personal data. Because we do not hold any shopper data, there is nothing for us to delete. We acknowledge the webhook and confirm in writing within 30 days.
- shop/redact — triggered 48 hours after a shop uninstalls Gritwrite. On receiving this webhook, we permanently delete all merchant data associated with the shop — including the session, brand voice, rewrite history, and plan metadata — within 48 hours.
11. International data transfers
Outprice LLC is based in the United States and our service providers (Anthropic, Shopify, Railway) operate infrastructure primarily in the United States. If you install Gritwrite from outside the United States, your data will be transferred to and processed in the United States. Where required by law (including the GDPR), we rely on appropriate transfer safeguards such as the EU Standard Contractual Clauses in the agreements we hold with our processors.
12. Children’s privacy
Gritwrite is a business-to-business service intended for use by Shopify merchants. It is not directed to children under the age of 13, and we do not knowingly collect personal data from children. If we learn that we have inadvertently collected data from a child, we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. If the update is material — for example, a change in what we collect, how we use it, or who we share it with — we will notify you at least 30 days before the change takes effect, by email to the address associated with your Shopify account or by a prominent notice inside the app. The “Last updated” date at the top of this page always reflects the most recent revision. Continued use of Gritwrite after the effective date of the update constitutes acceptance.
14. Contact
Outprice LLC
Email: staff@gritwrite.com
Web: gritwrite.com
If you believe we are handling your data in a way that does not comply with this policy or applicable law, please contact us first so we have an opportunity to address your concern.