
Last updated April 18, 2026

Data practices

This page summarizes how data flows through GetThePrice today so engineers, security reviewers, and customers can compare the product behavior with our Privacy Policy. It is not a substitute for legal advice.

1. Identity and workspaces

Sign-in is handled by Clerk. We receive a stable Clerk user id and provision a row in our PostgreSQL database. Workspaces belong to an owner user; additional members may be invited with roles (owner/admin/member) enforced on the server for sensitive actions such as Shopify connection and catalog sync.

2. Shopify connection

When you install or reconnect an app, Shopify OAuth returns an access token. We encrypt that token at rest and store your normalized shop domain. Catalog sync reads products and variants from the Shopify Admin API and upserts them into our database. Optional webhooks (products/update) update local product rows when Shopify sends a signed payload (X-Shopify-Hmac-Sha256). Price pushes to Shopify occur when you approve suggestions or use publish flows we expose, subject to server-side guardrails when a local product row exists.
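As an added illustration of the signed-payload check described above (this is not GetThePrice's own code), the following Node.js sketch verifies X-Shopify-Hmac-Sha256 over the raw request bytes before a products/update payload is parsed. The function names, the handler's return shape, and the sample secret and body are assumptions constructed for the example.

```javascript
// Added example, not GetThePrice's code. Names and sample data are hypothetical.
const crypto = require('node:crypto');

// True only if headerHmac is the base64 HMAC-SHA256 of the raw body,
// keyed with the Shopify app's client secret.
function verifyShopifyWebhook(rawBody, headerHmac, clientSecret) {
  if (typeof headerHmac !== 'string' || headerHmac.length === 0) return false;
  const expected = crypto.createHmac('sha256', clientSecret).update(rawBody).digest();
  const received = Buffer.from(headerHmac, 'base64');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Hypothetical handler: verify first, parse second. `headers` uses the
// lower-cased keys that Node's HTTP server provides.
function handleProductsUpdate(rawBody, headers, clientSecret) {
  if (!verifyShopifyWebhook(rawBody, headers['x-shopify-hmac-sha256'], clientSecret)) {
    return { status: 401, applied: false };
  }
  const product = JSON.parse(rawBody.toString('utf8'));
  return { status: 200, applied: true, productId: product.id };
}

// Constructed sample input (not real Shopify data). The spaces inside the
// JSON matter: the signature covers these exact bytes.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = Buffer.from('{"id": 1001, "title": "Sample", "variants": [{"price": "19.99"}]}');

// Test helper that plays Shopify's side by signing the sample body.
function signForTest(body, secret) {
  return crypto.createHmac('sha256', secret).update(body).digest('base64');
}

// Returns the outcomes for a valid request, a parsed-then-re-serialized body,
// and a missing header. Only the first should pass.
function demo() {
  const sig = signForTest(SAMPLE_BODY, SAMPLE_SECRET);
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString('utf8'))));
  return {
    valid: handleProductsUpdate(SAMPLE_BODY, { 'x-shopify-hmac-sha256': sig }, SAMPLE_SECRET),
    reserialized: verifyShopifyWebhook(reserialized, sig, SAMPLE_SECRET),
    missingHeader: handleProductsUpdate(SAMPLE_BODY, {}, SAMPLE_SECRET),
  };
}
```

The re-serialized case is the common failure: if a framework parses the JSON before the handler sees it, the original bytes are gone and a genuine webhook no longer verifies, so the raw body must be captured before any body parser runs.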

3. Competitor URLs and scraping

You supply competitor product URLs per tracked item. Our servers fetch those public pages to extract price and availability signals for your workspace. We do not scrape URLs you have not added to your workspace. Those signals are used only to power features visible to your workspace (for example analytics and price suggestions); we do not sell competitor page content to third parties.

4. Stripe and subscriptions

Checkout and the billing portal are provided by Stripe. We verify Stripe webhook signatures and update subscription status and Stripe ids on your user record so the dashboard paywall reflects your account state.

5. Webhooks and automated jobs

  • Clerk webhooks (e.g. user created) are verified with Svix signatures before we upsert user records.
  • Scheduled crons (catalog maintenance, scrapes, job processors, etc.) are invoked only with a configured CRON_SECRET bearer token in production.

6. Logging and errors

API routes emit structured JSON logs that can include a request id, workspace id, and job id for support correlation. When Sentry is configured, unhandled errors and selected events may be sent to Sentry according to your deployment environment and DSN settings.

7. Cookies and local storage

Clerk session cookies are used for authentication. Short-lived httpOnly cookies may be set during Shopify OAuth state validation. We do not use third-party advertising cookies on the authenticated dashboard for the behaviors described above.

8. Contact

hello@gettheprice.com