Legal

Privacy Policy

Moonsalt builds AI apps for Shopify merchants. This policy explains what we collect, why, how long we keep it, and the choices you and your customers have — with special attention to the photos used for virtual try-on.

Last updatedJune 2, 2026
Applies tomoonsalt.app & the ChatGPT Bulk AI Image Editor
Contactprivacy@moonsalt.app
Note: this policy is provided in good faith and written to meet Shopify App Store requirements, but it is not legal advice. Please have it reviewed by a qualified professional before relying on it for your business.

1. Overview

This Privacy Policy describes how Moonsalt ("Moonsalt", "we", "us") handles information when a merchant installs one of our apps and when that merchant's customers use features we power — in particular the ChatGPT Bulk AI Image Editor, which generates and edits product imagery in bulk (plus video and an optional virtual try-on) for Shopify stores.

2. Who this covers

There are two groups of people whose data may flow through our apps:

  • Merchants — Shopify store owners and staff who install and use our apps in the Shopify admin.
  • End customers — shoppers on a merchant's storefront who use the virtual try-on widget. We process their data on behalf of the merchant.

3. Information we collect

From merchants

  • Your Shopify store domain and the session/authentication tokens Shopify issues to the app.
  • Product information we read or write to deliver the service (the app requests the write_products scope so it can add generated images and videos to your products).
  • Plan, billing status, credit usage and app settings.
  • Support correspondence you send us.

From end customers (via the merchant's store)

  • Photos uploaded for virtual try-on. A shopper voluntarily uploads an image to preview a product on themselves.
  • The generated try-on image produced from that photo.
  • Basic technical data needed to process and return the result.

Automatically

  • Standard log and device data, and product-analytics events used to improve the app.

4. How we use information

  • To provide the core features: virtual try-on, AI photoshoots and product video.
  • To add generated media to your products when you choose to.
  • To meter credits, handle billing, and prevent abuse.
  • To provide support and to operate, secure and improve the apps.

We do not sell personal information, and we do not use customer photos to train AI models.

5. AI processing & providers

Generating a try-on or product image requires sending the relevant image to an AI model. In practice:

  • The image is uploaded to our object storage (Cloudflare R2) so it can be referenced by a secure URL.
  • That URL is passed to an AI provider — primarily Google (Gemini / Veo), and in some configurations an image-to-image try-on model — which returns the generated result.
  • The generated output is stored and returned to the storefront or the admin.

We rely on these providers' commitments not to use submitted content to train their models. We send only what is needed to perform the generation you requested.

6. Storage, hosting & retention

  • Uploaded photos and generated outputs are stored in Cloudflare R2; media URLs are served from a CDN host.
  • Application data is stored in a PostgreSQL database; the app runs on managed hosting (Railway).
  • We retain data for as long as needed to provide the service and meet legal obligations, and we delete or anonymise it when it is no longer required, on request, or when an app is uninstalled (subject to the Shopify redaction process below).

7. Sub-processors

We use a small set of trusted providers to run the service:

  • Shopify — app platform, authentication, billing and store data.
  • Google (Gemini / Veo) — AI image and video generation.
  • Cloudflare R2 — storage and CDN delivery of images and video.
  • Railway — application hosting and database.
  • Resend — transactional email (e.g. install notifications).
  • PostHog — privacy-conscious product analytics.

An image-to-image try-on provider may also be used depending on configuration. We'll update this list as our providers change.

8. Sharing & disclosure

We share data only with the sub-processors above to run the service, when required by law, or to protect our rights and the safety of users. We never sell personal information.

9. Your rights

Depending on where you live (for example under GDPR or CCPA), you may have the right to access, correct, delete or export your personal data, and to object to or restrict certain processing. For end-customer data, the merchant is the controller — requests are typically made to the merchant, who can ask us to action them. To exercise a right or ask a question, email privacy@moonsalt.app.

10. Shopify data & GDPR webhooks

As a Shopify app, our app implements Shopify's mandatory compliance webhooks and acts on them:

  • customers/data_request — we provide the customer data we hold when a merchant relays a request.
  • customers/redact — we delete the relevant customer's data.
  • shop/redact — we delete a shop's data after the app is uninstalled.

11. Cookies & analytics

We use a minimal set of cookies/local storage needed to run the embedded admin app, and privacy-conscious analytics (PostHog) to understand feature usage and improve the product.

12. Security

We use industry-standard measures — encryption in transit, scoped access tokens, and access controls — to protect data. No method of transmission or storage is 100% secure, but we work to protect your information and to respond quickly to any incident.

13. International transfers

Our providers may process data in countries other than yours. Where required, we rely on appropriate safeguards for those transfers.

14. Children

Our apps are built for merchants and are not directed to children. We do not knowingly collect personal information from children.

15. Changes

We may update this policy as the product evolves. We'll revise the "Last updated" date above and, for material changes, take reasonable steps to let merchants know.

16. Contact

Questions about this policy or your data? Email privacy@moonsalt.app or hello@moonsalt.app.