NP Search — Privacy Policy
Effective date: 19 April 2026 · Last updated: 14 July 2026
This Privacy Policy describes how Neuroplugin collects, uses, and discloses information when merchants and their end shoppers use the NP Search app on Shopify. Questions: info@neuroplugin.com.
1. Information we collect
From the merchant
Shopify grants us two read-only catalog scopes, read_products and read_inventory, plus write_app_proxy for the signed /apps/npsearch storefront route. Shopify also requires write_pixels and read_customer_events to connect the consent-aware Web Pixel used for completed-purchase attribution. NP Search does not request protected customer scopes, so customer email, phone and address fields are unavailable. We read product catalog data (title, description, vendor, tags, SKU, price, stock, images, variant options, collections) and shop configuration (domain, currency, timezone, language). We never modify your catalog, inventory or publications, and never collect payment details or admin user emails.
From end shoppers
When a shopper uses search or the optional pre-query product shelf: query text when a query exists; product clicks; successful direct add-to-cart metadata; the interaction surface used (results, predictive suggestions, zero-result recovery, or pre-query discovery); price, availability or merchant-defined product-option filter refinements and their resulting product count; response latency; and random shop-local search/session identifiers. Discovery-shelf events contain no search query and do not create a search record. For a Shopify-consented completed checkout, the pixel sends only a matching attributed line's product/variant ID, quantity, discounted merchandise value, currency, non-customer order ID, attribution type and interaction surface. It never sends unrelated order lines, customer identity, contact/address details or payment data. These identifiers are not Shopify customer IDs. Events are logged per shop, not per person.
The browser keeps at most 24 anonymous product-interaction touchpoints for seven days in that shop's local storage. A direct NP Search add also carries private _nps_* line-item properties so the matching purchase can be attributed precisely. These values contain only random search/session IDs, query text when one exists, and the non-personal interaction-surface label; they are not used across shops or for advertising.
The consent-aware Web Pixel sends its allowlisted purchase-attribution payload directly to our EU-hosted NP Search endpoint so it also works when a storefront is password-protected or otherwise access-gated. A shop-isolated HMAC authentication token generated from our app secret is sent inside the non-persisted request body, not in the URL. The token identifies the installed shop, not a shopper, and carries no customer or order information. Invalid or modified tokens and non-allowlisted payloads are rejected.
Repeated successful query phrases may appear in that same shop's storefront “Trending” panel. A phrase is eligible only after at least three occurrences; queries shaped like email addresses, URLs, phone numbers, or order identifiers are suppressed. The optional discovery shelf ranks published, in-stock products from aggregate purchases, adds, and opens in that shop. Neither surface includes shopper identity, and data is never mixed across shops.
Machine learning inputs
Queries, clicks, and product metadata train a per-shop learning-to-rank model. No cross-shop data mixing.
Anonymous usage metering
For plan allowances and usage billing, we store a random shop-local search-intent identifier, the installed plan at the time of the event, event time, whether the event is billable, and delivery/retry status for Shopify billing. This ledger does not contain the query, a Shopify customer ID, shopper identity, contact details, payment data, or device fingerprint. It remains active when optional search analytics are disabled so we can apply the Free allowance, prevent duplicate charges, and report paid usage accurately.
2. How we use information
- Return relevant search results to shoppers in real time.
- Display analytics to the merchant (top queries, zero-result, CTR, filter impact, add-to-cart outcomes, purchases, search-attributed revenue, and separately reported discovery-shelf commerce).
- Show privacy-filtered, shop-specific popular searches and published in-stock products as discovery shortcuts.
- Re-rank results over time based on actual clicks (LTR).
- Compute per-shop synonym and merchandising suggestions.
- Apply plan allowances, deduplicate billable searches, enforce merchant-configured cost protection, and report paid usage to Shopify.
- Detect abuse and enforce rate limits.
We do not use this data for advertising, resale, or cross-shop profiling.
3. How we share information
Only with: Shopify (platform), our EU-based hosting infrastructure, legal authorities when required, or an acquirer in the event of a business transfer. We do not sell personal data. We do not use third-party analytics (no Google Analytics, no Meta pixel, no Segment).
4. Data retention
- Search, click, filter, add-to-cart and search-attributed purchase event logs: up to 180 days on every current plan.
- Anonymous usage-metering ledger: while the app is installed, as needed to enforce allowances, prevent duplicate charges, and support Shopify billing records; deleted from our systems within 48 hours of uninstall.
- Anonymous browser purchase-attribution touchpoints: up to 7 days, removable by clearing site storage.
- Product index: while app is installed; deleted within 48 hours of uninstall.
- ML model weights: life of subscription; reset on uninstall.
- Merchant config (synonyms/rules/redirects): until deleted by merchant or 48h post-uninstall.
5. Your rights
Access, correction, deletion, restriction, portability, and objection rights as per GDPR / UK GDPR / CCPA. Email info@neuroplugin.com. We respond within 30 days. Uninstalling triggers full data deletion within 48 hours.
6. Security
Data at rest: LUKS disk encryption. In transit: TLS 1.3. Access tokens: encrypted in DB, rotated per re-auth. Production access: two staff with MFA + SSH keys, least-privilege app-level DB credentials. Breach notifications within 72 hours.
7. Children
NP Search is a merchant tool. Not directed at children under 16; we don't knowingly collect their data.
8. Changes
Material changes will be emailed to merchants at least 30 days before taking effect.
9. Contact
Data controller: YCY CONSULTING AND INVESTMENT SL (NIF B22450688), a Sociedad Limitada registered in Spain, trading as Neuroplugin
Email: info@neuroplugin.com
Postal: Calle Mester de Clerecía 34, 28978 Cubas de la Sagra (Madrid), Spain
For Shopify-platform privacy questions: privacy@shopify.com.