Effective date: 2 July 2026
Last updated: 2 July 2026
This policy explains how HiveMorph collects, syncs, stores, processes, and
protects your Shopify store data — with specific detail on file synchronization, which is central to how our Service works.
For general privacy rights and contact information, see our Privacy Policy.
1. Overview
HiveMorph is an AI-powered website engineering tool for Shopify merchants.
To provide features like theme exploration, AI bug fixing, audits, preview,
and publish, we must maintain a synchronized copy of your theme source code
on our secure servers.
We never:
- Sell or share your theme files with third parties
- Use one merchant’s theme data to serve or train models for other merchants
- Publish your theme source code externally
- Access Shopify customer personal data or order data (we do not request
those API permissions)
2. What data we sync and collect
2.1 Theme files (primary sync)
When you connect your store, HiveMorph copies your Shopify theme assets via
the Shopify Admin API using the permissions you grant at install:
| Data | Examples | Storage |
|---|---|---|
| Liquid templates | theme.liquid, product.liquid, sections, snippets | Encrypted database |
| Stylesheets & scripts | .css, .js, .scss files in theme | Encrypted database |
| Config files | settings_schema.json, config/settings_data.json | Encrypted database |
| Binary assets | Images, fonts referenced in theme | Encrypted database + metadata |
| File metadata | Path, content hash, last-modified date, public URL | Encrypted database |
We also build derived data from synced files:
- Search index for file explorer
- Component dependency graph
- Theme structure metadata
2.2 Store content (for audits)
For SEO, UX, accessibility, policy, and GDPR audits, we read:
| Data | Fields accessed | Stored? |
|---|---|---|
| Products | Title, handle, body HTML, tags, SEO fields, images | Audit results only (not full product DB) |
| Collections | Title, handle, body HTML, SEO fields | Audit results only |
| Pages & blogs | Title, handle, body HTML, SEO fields | Audit results only |
| Public storefront HTML | Crawled via HiveMorph-AuditBot user-agent | Parsed stats only; raw HTML not permanently stored |
2.3 Data you provide
- Account email and name
- Organization and team membership
- Bug descriptions, AI prompts, and support messages
- Billing plan selections
2.4 Data we generate
- Audit scores and findings
- AI patch proposals and revision history
- Version snapshots (taken before publish, for rollback)
- Credit usage and billing event logs
- Application logs for security and debugging
3. Why we sync theme files
| Feature | Why sync is required |
|---|---|
| File Explorer | Browse and search your theme structure |
| File Graph | Show dependencies between templates, snippets, and assets |
| AI Bug Fixer | Read surrounding code context to generate accurate patches |
| Audits | Analyze Liquid templates, meta tags, accessibility markup |
| Preview | Apply patches to a Shopify draft theme |
| Publish | Deploy approved changes to your store |
| Version Rollback | Snapshot theme state before changes so you can revert |
Without theme sync, these features cannot function.
4. Where your data is stored
| Layer | Technology | Location | Contents |
|---|---|---|---|
| Primary database | PostgreSQL | [e.g., AWS eu-west-1 / US-East] | Theme file content, indexes, audits, credentials (encrypted), billing |
| Object storage | S3-compatible (AWS S3 / Backblaze B2) | [Same region] | Version snapshots, export artifacts, preview screenshots |
| Cache / queues | Redis | Same region as API | Job queues, temporary cache (no persistent theme content) |
All data is encrypted:
- In transit: TLS 1.2+ on all connections
- At rest: Database encryption + AES-256-GCM for Shopify access tokens
5. How we protect your data
- Tenant isolation — Every record is scoped to your organization and store.
No cross-merchant data access is possible at the application layer. - Encrypted credentials — Shopify access tokens are encrypted before
database storage and decrypted only at request time. - Access controls — Production database access is restricted to authorized
personnel with audit logging. - No external sharing — Theme files are never published, sold, or
distributed outside the Service. - No cross-merchant reuse — Your theme data is never used to improve
the Service for other merchants or to train shared AI models.
6. AI processing
When you use AI features (bug fixer, compliance fixes, recommendations),
we send to our AI provider (OpenAI):
- Relevant theme file excerpts (scoped to the issue, not your entire theme
unless a large refactor requires it) - Your description of the bug or compliance issue
- Page/content context needed for the specific fix
We do not send:
- Customer personal data (we do not have access to it)
- Data from other merchants’ stores
- Full theme dumps unless you explicitly trigger a large-scope action
AI providers process data only to fulfill your request. We configure API
access so your data is not used to train AI models. See Subprocessors.
7. Sync behavior
| Event | Action |
|---|---|
| First connect | Full theme crawl — all assets downloaded and indexed |
| Manual re-sync | Full or incremental re-crawl on your request |
| After publish | Re-sync to reflect published state |
| Active theme change | Detected and flagged; re-sync recommended |
| Interrupted sync | Marked as stale; auto re-sync available |
Synced files are refreshed to stay current with your Shopify theme. We do
not modify your live theme without your explicit publish action.
8. Your controls
| Action | How |
|---|---|
| Review before publish | All AI changes go through draft theme preview |
| Rollback | Restore from version snapshot (within retention window) |
| Disconnect | Uninstall HiveMorph from Shopify Admin → OAuth revoked |
| Delete data | Automatic deletion after uninstall per Data Retention Policy |
| Export data | Email support@hivemorph.com with your store domain |
| Revoke permissions | Uninstall the app; we cannot access your store after token revocation |
9. Data sharing
We share data only with:
| Recipient | Purpose | Data shared |
|---|---|---|
| Shopify | Store API access, billing | Per OAuth scopes you approve |
| OpenAI | AI generation | Theme excerpts + prompts (per request) |
| Cloud infrastructure | Hosting and storage | All application data (encrypted) |
| Email provider | Support and transactional email | Email address, message content |
We do not sell personal data. See Subprocessors for the
full list.
10. International transfers
Data may be processed in UK and in cloud regions including
[US, EU, Asia], e.g., United States, European Union]. Where required by law,
we use Standard Contractual Clauses or equivalent safeguards.
11. Questions and requests
Data export or deletion: privacy@hivemorph.com
General support: support@hivemorph.com
Mailing address: HIVE MORPH, London Eve
Riverside Building, County Hall
Westminister Bridge Rd, London SE
7PB, UK
We respond to data requests within 30 days.

