BulkPilot

Privacy Policy

Last updated 17 June 2026

BulkPilot is an embedded Shopify app built and operated by Holt & Gander ("we", "us"). This policy explains what the app accesses, what we store, and your choices. We collect as little as possible.

What we access

With your authorization, BulkPilot uses the Shopify Admin API with the minimum scopes it needs: read and write products. This covers products, variants, prices, inventory, tags, SEO fields, images' alt text, collections, and (on the Pro plan) metafields. BulkPilot does not request or access your customers, orders, or storefront theme.

What we store

• Your shop record: your .myshopify.com domain, the Admin API access token (stored encrypted), and your current plan.
• Operations: the bulk edits you preview and apply, including the before-and-after of each affected product. We store this so we can show you a preview, keep a change history, and let you undo an operation to its exact prior state. This is product data only, never customer or order data.
• Saved segments: any reusable target filters you choose to save.

AI processing

On paid plans, the plain-English instruction you type is sent to Anthropic's Claude API to be parsed into a structured operation. Only the text of your instruction is sent. Your product catalog is not sent to the model. Anthropic processes the request as our subprocessor and does not train on data submitted through its API. You can avoid AI entirely by using the classic filter view.

Data retention & deletion

Operation history is retained according to your plan (7, 60, or 180 days) and then pruned. When you uninstall the app, your access token is revoked immediately and all data we hold for your shop is deleted. We also honor Shopify's mandatory compliance webhooks:

• customers/redact and customers/data_request: we hold no customer data, so there is nothing to erase or return; we acknowledge these requests.
• shop/redact: we erase all data for your shop (sent by Shopify ~48 hours after uninstall).

You may also request deletion at any time by emailing us.

Sharing

We do not sell your data or share it with third parties, except the infrastructure subprocessors required to run the service (our hosting provider and, for AI parsing, Anthropic). Each processes data only to provide the service.

Security

Access tokens are stored encrypted. All traffic is over HTTPS. The app requests the narrowest scopes that let it do its job.

Contact

Questions or a deletion request? Email holtandgander@gmail.com.