Privacy policy
Last updated: 12 May 2026 (v1.3)
What we collect
When you sign up we collect your email, an optional display name, and a hashed password. If you sign in with Google we additionally store the Google account ID and any avatar URL Google provides. We do not collect, store, or transmit your social-security number, financial documents, or any government identifier.
What the extension does on a source store
The WooScraper Chrome / Edge extension reads publicly visible product data from any storefront you choose to scrape, exactly as a normal visitor's browser would. It does not:
- access cookies belonging to the source store's checkout or admin pages
- request payment-method, authentication, or PII permissions in its manifest
- persist source-store responses inside the extension — they're streamed to our backend for processing and image rehosting
Destination-store credentials
If you save Woo REST keys or a Shopify Admin token in your dashboard, they are encrypted with AES-256-GCM before being written to our database, using a key derived from a per-environment secret you never see. Plaintext credentials are never logged.
Cookies & sessions
We set one session cookie via Better-Auth. It is HTTP-only, secure, and SameSite=Lax. Analytics (Vercel Web Analytics + Speed Insights) only load after you explicitly accept the consent banner on first visit. Reject the banner and no analytics scripts are loaded for your session. The consent choice is stored locally in localStorage under the key ws-consent-v1.
Newsletter
If you sign up to the newsletter we store your email plus the page that referred you and your IP address for abuse prevention. You can unsubscribe via any newsletter email or by emailing privacy@wooscraper.com. If a Resend Audience is configured we also sync your email there so we can send broadcast updates — unsubscribes propagate to both.
Operational telemetry
We log unhandled server-side errors to a private error_events table for debugging. These records include the route, HTTP method, truncated error message and stack, your user ID (if signed in), IP, and user agent. They are retained for 90 days and never used for marketing.
We dedupe incoming Stripe webhooks via a webhook_events table that stores the Stripe event ID, type, and processing timestamp. No customer or card data is stored in this table.
Bot protection
Sign-up, Stripe checkout, newsletter, contact, and intel-tool endpoints are protected by Vercel BotID. The challenge is browser-fingerprint and proof-of-work based; no third-party tracker is involved.
Sub-processors
- Vercel — hosting, edge network, image / static asset CDN
- Neon — managed Postgres database for product / job / user data
- Vercel Blob — encrypted blob storage for rehosted product images and CSV/ZIP exports
- Stripe — payment processing; we never store full card numbers
- Resend — transactional email (sign-up confirmations, job-complete notifications)
Data retention
Free-tier scrape jobs expire after 24 hours. Paid tiers retain job data for 30 / 60 / 90 days based on plan (Small / Medium / Large & XL). After the retention period, all related products, images, exports, and reviews are permanently deleted by a daily cron. Account data is retained for as long as your account is active; deleting your account purges all linked records.
Your rights
We honour the GDPR Article 15 (access) and Article 17 (erasure) rights natively from your dashboard:
- Export your data: a single click on Settings → Your data downloads a JSON dump of everything we hold tied to your account.
- Delete your account: the Danger zone on Settings performs a confirmed hard delete with cascade across all our tables.
For anything that doesn't fit the in-app flows (correction requests, questions about scope), email privacy@wooscraper.com. We reply within 7 days.
Contact
WooScraper · operated by Anyshop · for privacy inquiries: privacy@wooscraper.com.