Your store data is safe with us

We know giving an app access to your Shopify store is a big decision. Here's exactly how ManyDone protects your data at every step.

Minimal Shopify permissions

ManyDone requests only the access it needs — nothing more.

  • Read access for scanning. We read your product data to identify issues like missing descriptions, broken images, or SEO gaps.
  • Write access only when you opt in. Changes to your store are only made after you explicitly approve each action. Nothing happens behind your back.
  • Revocable anytime. Disconnect ManyDone from your Shopify admin at any time. Access is immediately revoked — no questions asked.

You approve every change

ManyDone operates on a human-in-the-loop model. Our AI agent can scan, analyze, and draft changes — but nothing goes live in your store without your explicit approval. You always have the final say.

Data handling

Your data is protected at every layer.

  • Encrypted in transit. All connections use TLS encryption. Data moving between your browser, our servers, and Shopify is always encrypted.
  • Encrypted at rest. Your data is stored in Supabase Postgres with encryption at rest enabled. Database access is restricted with Row Level Security policies.
  • Never sold. Your store data is never sold, shared with advertisers, or used to train AI models. It exists solely to power your ManyDone experience.

Infrastructure

Built on trusted, battle-tested infrastructure.

  • Cloudflare edge network. Traffic is routed through Cloudflare for DDoS protection, TLS termination, and global CDN caching.
  • Isolated agent containers. Each task runs in its own ephemeral Docker container on an isolated network. Your data never crosses paths with another user's.
  • No shared environments. There is no multi-tenant compute. Every user's agent runs in a fully separate, short-lived container that is destroyed after the task completes.

Data retention

We keep only what we need, for as long as we need it.

  • Scan data is temporary. Product data fetched during scans is used for analysis and not retained long-term.
  • Account data retained while active. Your account information and task history are kept for as long as your account is active.
  • Deleted on request. Email hello@manydone.com and we will delete your data within 30 days.

Third-party providers

We work with a small number of industry-standard providers, each chosen for their security track record.

Stripe

PCI DSS Level 1 compliant. Handles all payment processing. We never see your full card number.

Supabase

SOC 2 Type II compliant. Hosts our database and authentication layer with encryption at rest.

Cloudflare

Enterprise-grade edge security, DDoS mitigation, and global CDN for fast, reliable access.

Have a security concern?

If you have questions about how we handle your data, or if you want to report a security issue, reach out to us directly.

hello@manydone.com