BuiltByTom Performance Audit (the “App”). Last updated: February 2026.
The App is operated by BuiltByTom (or the entity you contract with for the audit service), based in the United Kingdom. For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for personal data we process in connection with the App.
When you install and use the App, we process:
We do not collect or store your customers’ personal data (e.g. buyers). We only access theme structure and code as permitted by Shopify and the permissions you grant.
We process this data on the basis of contract (to provide the App and any paid audit subscription you agree to) and, where relevant, legitimate interests (to operate, secure and improve the App), in line with UK GDPR and the Data Protection Act 2018.
We keep shop and scan data for as long as your store has the App installed. When you uninstall the App or request deletion, we delete or redact your data as required by our data retention and privacy procedures (see below). Session data is retained only as needed for authentication and is cleared when you log out or when sessions expire.
We use industry-standard measures to protect your data: data in transit is encrypted (HTTPS), access is restricted to what is needed to run the App, and we rely on Shopify’s and our hosting providers’ security practices. We do not store payment card details; any paid subscription is handled by Shopify Billing or your separate agreement with us.
We may use service providers (e.g. hosting, database) that process data on our behalf. Where we use providers outside the UK, we ensure appropriate safeguards (e.g. UK adequacy decisions, standard contractual clauses) are in place as required by UK law. We do not sell your data.
You have the right to: access your data; have it corrected or completed; request erasure (in certain cases); restrict or object to processing; and, where applicable, data portability. You can also withdraw consent where we rely on it, and you have the right to complain to the UK Information Commissioner’s Office (ICO): ico.org.uk. To exercise your rights or ask about our processing, contact us (see below). We will respond within one month as required by UK law.
When you uninstall the App, we receive a webhook from Shopify and we delete or redact the data we hold for your shop (including scan history and session data). We also respond to Shopify’s mandatory GDPR webhooks (shop redact, customer data request, customer redact) so that your and your customers’ data is handled in line with Shopify’s and our legal obligations.
The App and its hosting may use strictly necessary cookies or similar tech (e.g. session identifiers) to keep you logged in and to operate the App. We do not use non-essential tracking or advertising cookies in the App.
We may update this policy from time to time. The “Last updated” date at the top will be revised when we do. Continued use of the App after changes means you accept the updated policy.
For privacy, data protection or this policy: contact@builtbytom.uk or builtbytom.uk/contact. You can also use these for data subject requests (access, correction, erasure, etc.).
This policy is intended to comply with UK GDPR and the Data Protection Act 2018. It does not replace professional legal advice; consider taking your own advice for your situation.