Last updated: 2026-04-25 · Effective: 2026-04-25

MCPWeave ("we", "us", "our") is operated by TaskSynapse. We provide a Shopify app that exposes your store's Admin API to AI agents (such as Claude Desktop) through the Model Context Protocol (MCP). Contact: privacy@mcpweave.com.

a. Shop and merchant data

- Shop domain (e.g. your-store.myshopify.com)
- Shopify-issued OAuth access tokens (encrypted at rest with AES-256-GCM)
- Shop owner's email (used to fulfil GDPR data requests we receive on your behalf)
- Subscription status, billing line items, and usage records (received from Shopify webhooks)

b. Customer data (only what AI agents request)

When you (or an AI agent acting under your authorization) call MCP tools that read Customer objects (e.g. shop_customers.list, shop_orders.get), Shopify returns customer fields to us in real time. We do not store this data — we forward it to the calling AI agent and discard it from memory immediately after the request completes. We only retain a tool-call audit log containing tool name, timestamp, and shop domain, never customer PII.

Customer-related MCP tools require Shopify's Protected Customer Data approval, which we obtain through Shopify's app review process.

c. Technical data

- IP address (for rate-limiting and security; rotated/discarded within 30 days)
- User agent and request metadata
- Webhook delivery audit (Shopify's X-Shopify-Webhook-Id, payload SHA-256, timestamp)

- Contract (GDPR Art. 6(1)(b)) — to deliver the MCPWeave service you subscribed to.
- Legal obligation (Art. 6(1)(c)) — to honour Shopify's GDPR webhook requirements.
- Legitimate interests (Art. 6(1)(f)) — to secure our service against abuse, fraud, and to maintain audit logs.

All data is processed and stored on infrastructure located in Ashburn, Virginia, USA (Hetzner Cloud). Backups are encrypted and stored in the same region. We do not transfer data outside the United States except as required by law or to deliver the service to AI agents that you authorize (e.g. Anthropic's Claude Desktop).

Active retention while your app is installed:

- Shop record + encrypted tokens — until uninstall
- Subscription/usage records — until uninstall + 7 years (tax records)
- Webhook audit logs — 90 days
- Webhook payloads (billing only, PII-free) — 7 days then nullified
- GDPR webhook payloads (customers/data_request, redact, shop/redact) — never stored

After uninstall: Shopify automatically sends us a shop/redact webhook 48 hours later. Within 48 hours of receiving it we cascade-delete shop tokens, subscriptions, usage records, and nullify webhook payloads. Tax-relevant aggregates may be retained for 7 years per applicable law.

As a merchant or as a customer of a merchant, you have the right to:

- Access — request a copy of the personal data we hold
- Rectification — correct inaccurate data
- Erasure — request deletion ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — limit processing
- Objection — object to processing based on legitimate interests
- Withdraw consent — applicable where consent is the basis

Contact privacy@mcpweave.com. We respond within 30 days. Customers of a merchant should contact the merchant first; Shopify forwards customer data requests to us through its customers/data_request webhook, which we relay to the merchant for fulfilment.

We share data only with:

- Shopify Inc. — to call Admin GraphQL API on your behalf
- AI agents you authorize (e.g. Anthropic Claude Desktop) — only the data they explicitly request through MCP tool calls
- Hetzner Online GmbH — our infrastructure provider, under their privacy policy and a Data Processing Agreement (DPA)
- SendGrid (optional) — to send GDPR notification emails to merchants when Shopify forwards a customers/data_request

We do not sell, rent, or share personal data for advertising or marketing purposes.

- Tokens encrypted with AES-256-GCM (HKDF-derived keys)
- HTTPS-only (TLS 1.2+, HSTS preload)
- HMAC-SHA256 verification on every Shopify webhook
- OAuth 2.1 with PKCE for AI agent authorization
- Database access restricted to internal Docker network (no public exposure)
- Daily encrypted backups, 30-day retention

MCPWeave is a B2B service for Shopify merchants. We do not knowingly process data of children under 16.

Material changes will be announced via email to merchants (using the email Shopify provides via shop.email) at least 30 days in advance. The "Last updated" date above reflects the most recent revision.

- Privacy questions: privacy@mcpweave.com
- General support: support@mcpweave.com
- Data Protection Officer (EU representatives, if applicable): forthcoming