AgentBlock — Privacy Policy

Last updated: June 2026

AgentBlock ("the App") helps Shopify merchants detect and, at the merchant's choice, block orders placed on their behalf by automated AI buying agents (for example Amazon's "Buy for Me" agent, which checks out using addresses such as …@buyforme.amazon). This policy explains what data the App accesses, why, and how it is handled.

1. Information we access

With the merchant's authorization, and only to provide the features above, the App accesses:

Buyer email at checkout — during checkout validation, the App reads the buyer's email address to compare it against known automated-buyer patterns. This happens transiently at the moment of checkout.
Order data — via the orders/create webhook, the App receives the order ID, order name, line item values, currency, and the customer email, so it can identify and (in Enforce mode) cancel orders placed by buying agents.
Store configuration — the store domain, the merchant's chosen mode and cancellation settings, and the detection rules / allow-list the merchant has configured.

2. How we use the data

To match a buyer's email against automated-buyer domains and patterns (such as buyforme.amazon) and the merchant's own custom rules and allow-list.
In Monitor mode: to log which orders were placed by a detected buying agent, so the merchant can review them. No order is changed.
In Enforce mode: to cancel a matched order using the merchant's configured cancellation reason, restock, and refund settings.
To show the merchant aggregate statistics (orders detected/blocked and inventory value protected).

We do not sell personal data, use it for advertising, or share it for any purpose unrelated to the features above.

3. Transient use & masked storage

The buyer email evaluated during checkout validation is used transiently to make the match decision and is not retained from that step. When an order is detected, the App stores the customer email only as needed to operate (for example to reconcile a cancellation), and it is always displayed in masked form in the merchant dashboard (for example a***@buyforme.amazon). The full address is never shown in the UI.

4. Data storage, retention & security

Data is stored on our hosting provider (Railway) in a PostgreSQL database. Customer email addresses attached to detection records are treated as Protected Customer Data: they are normalized on storage and automatically purged after 90 days. Other configuration and aggregate records are retained while the App is installed. Database connections are encrypted in transit (PostgreSQL with sslmode=require). When the App is uninstalled, related records are deleted in response to Shopify's mandatory data-erasure webhooks, and on verified request (see contact below).

5. Subprocessors

Shopify — source of checkout, order, and customer data; billing.
Railway — application hosting and managed PostgreSQL database.

6. Automated decision-making & merchant controls

AgentBlock makes an automated decision about whether an order appears to have been placed by an AI buying agent, based on matching the buyer email against configured patterns. The merchant remains fully in control of the outcome:

The default mode is Monitor, which only logs detections and never cancels an order.
Cancellation only occurs if the merchant explicitly switches to Enforce mode.
Merchants control the detection rules, the cancellation reason, and whether matched orders are restocked and refunded.
Merchants can maintain an allow-list so specific emails or domains are never matched.

7. Your rights (GDPR / CCPA)

Merchants and their customers may request access to, or deletion of, personal data the App holds. The App honors Shopify's customers/data_request, customers/redact, and shop/redact webhooks. You may also contact us directly to exercise these rights.

8. Contact

For privacy questions or data requests, contact: binarybard10101@gmail.com