Introduction
Effective: May 14, 2026 · Previously updated: April 2026
This Privacy Policy describes how Nyvion LLC (doing business as “GMC Medic,” “we,” “us,” or “our”) collects, uses, stores, and discloses information when you use the GMC Medic platform at getgmcmedic.com and our related services (collectively, the “Service”).
We've written this policy in plain language because most privacy policies are unreadable, and we don't think that's right. If anything below is unclear, email us at support@getgmcmedic.com and we'll explain it.
1. Who We Are
GMC Medic is operated by:
Nyvion LLC (doing business as GMC Medic)
Registered in the State of Missouri, United States
Mailing address: 2150 Renault Dr, Saint Louis, MO 63146
Contact: support@getgmcmedic.com
For the purposes of the EU General Data Protection Regulation (“GDPR”) and the UK General Data Protection Regulation (“UK GDPR”), Nyvion LLC is the data controller with respect to the personal data of individuals who create a GMC Medic account.
When you, as a merchant, use GMC Medic to scan your own customers' data, Nyvion LLC acts as a data processor on your behalf. The terms governing that relationship are set out in our Data Processing Agreement.
A note on accountability. This policy, and the product behind it, are maintained by Nyvion LLC. If something here is unclear, contradicts what you see in the product, or feels wrong, email support@getgmcmedic.com. We read every message and respond personally — no support queue, no chatbot in the middle.
2. What GMC Medic Does
GMC Medic is a compliance tool for Shopify merchants. It scans your store and Google Merchant Center account for the specific signals that cause GMC suspensions, generates plain-language findings, and drafts appeal letters you can review and send yourself.
The full origin story — why we built this and what makes it different — is on our About page. This section is the operational summary.
When you connect your Shopify store and Google Merchant Center (“GMC”) account to GMC Medic, the Service does the following:
- Reads your Shopify product catalog through the Shopify Admin API.
- Reads your GMC account status, account issues, and product-level issues through the Google Merchant Center Reporting API.
- Crawls your storefront’s public pages (homepage, policy pages, about page, contact page) to evaluate compliance.
- Looks up your domain’s WHOIS record and SSL certificate details to verify business identity signals.
- Sends extracts of your store’s text content to Anthropic’s AI models (Claude Sonnet and Claude Haiku) for compliance analysis against published Google Merchant Center policies.
- Stores the resulting findings and your historical scan data in our Supabase database so you can review them. Scan history is retained for up to 12 months.
We use this data only to operate the Service on your behalf. We do not sell it. We do not share it for advertising. We do not use it to train AI models.
Two trust commitments we make explicitly:
- We never auto-submit appeals to Google. Every appeal letter requires your review and your action to send.
- We never auto-apply fixes to your Shopify store. Every recommended change requires your explicit per-fix approval before any write to your store.
3. Personal Data We Collect
Here is everything GMC Medic collects, by source. There is no hidden category. If something below is missing or unclear, email us — we'll answer the question and update the policy if we need to.
3.1 Data You Provide to Us
- Account information. Your email address, which serves as your account identifier.
- Business profile information. When you complete onboarding, you may provide your business name, business address, business phone number, business email, and similar identifying information so we can evaluate identity-related compliance signals.
- Billing information. When you subscribe, Stripe collects and stores your payment card information directly. We never see or store your full card number. We receive only the last four digits, card brand, expiration, and a Stripe customer ID.
- Support communications. When you email us, we retain the content of your message and any attachments.
3.2 Data We Collect from Connected Platforms (with Your Authorization)
- Shopify data. Through the Shopify Admin API, we read product titles, descriptions, prices, variants, inventory levels, images, barcodes, and shop metadata. We use only read-only Shopify OAuth scopes, presented to you at install time and limited to what compliance scanning requires: read_products, read_product_listings, read_inventory, read_publications, and read_content. We do not request write access to your store.
- Google Merchant Center data. Through the Google Content API for Shopping, we read your account status, account-level issues, product feed status, and product-level issues. We use the OAuth scope https://www.googleapis.com/auth/content. Our use of Google user data adheres to the Google API Services User Data Policy, including the Limited Use requirements (see Section 8 below).
3.3 Data We Collect Automatically
- Authentication cookies. When you log in, our authentication provider (Supabase) sets cookies on your browser to keep you signed in. See our Cookie Policy for details.
- Server logs. Our hosting provider (Vercel) logs requests for security and debugging purposes. Logs include IP address, user agent, request path, and response code. We do not use these logs for analytics or profiling.
3.4 Data We Collect About Your Storefront's Public Pages
To evaluate compliance, we crawl your storefront's publicly available pages (homepage, policy pages, contact, about, etc.) using Firecrawl. We extract text content and store excerpts. We do not capture or persist anything that requires authentication on your storefront. This is the same data any visitor to your site could see.
4. Legal Basis for Processing (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Creating and operating your account | Contract (Article 6(1)(b)) — necessary to provide the Service you've subscribed to |
| Processing payment and managing your subscription | Contract (Article 6(1)(b)) |
| Sending account-related transactional emails (scan completion, billing receipts, security alerts) | Contract (Article 6(1)(b)) |
| Improving our service through aggregated, de-identified analytics | Legitimate interest (Article 6(1)(f)) — improving the Service while protecting individual privacy |
| Responding to your support requests | Contract or legitimate interest, depending on context |
| Complying with legal obligations (tax, accounting, lawful requests from authorities) | Legal obligation (Article 6(1)(c)) |
| Sending you marketing emails (if applicable) | Consent (Article 6(1)(a)) — you may withdraw at any time |
5. How We Use Your Data
The full list of what we do with your data:
- Run the compliance scans you’ve authorized.
- Display findings and recommended fixes to you.
- Generate appeal letters for your review.
- Send you transactional emails (scan completion, account changes, billing).
- Process your payments.
- Respond to your support requests.
- Improve the Service through aggregated, de-identified analysis of how features are used and which compliance issues are most common across our user base.
- Comply with legal obligations.
And what we don't: we do not sell your data, share it for advertising, or use it to train AI models (Anthropic processes API requests on a no-training basis under our commercial agreement). We do not allow humans to read your Google or Shopify data unless you explicitly request support that requires it, or it's required for security purposes.
If you ever see GMC Medic doing something not on this list, that's a bug — email us and we'll fix it.
6. Who We Share Data With
Seven companies. Each is named below, with what they do for us and which data they touch. There is no “we may share with affiliates” loophole, no unnamed “business partners,” no advertising network. If this list ever changes, you'll know 30 days before the change takes effect (see Sub-processors).
| Provider | Purpose | Data Processed |
|---|---|---|
| Anthropic, PBC | AI analysis of your store's text content for compliance issues | Product titles, descriptions, scraped policy page excerpts, business profile fields |
| Supabase, Inc. | Database hosting and user authentication | Account data, scan results, business profile |
| Vercel, Inc. | Application hosting and serverless compute | Server logs, request metadata |
| Inngest, Inc. | Background job orchestration for scans | Scan job metadata |
| Firecrawl | Crawling your storefront's public pages | Public URLs of your storefront |
| Stripe, Inc. | Payment processing | Billing details |
| Resend | Transactional email delivery | Your email address, email content |
| Google LLC | Source of GMC data you've authorized us to read | GMC account status, GMC issues |
| Shopify Inc. | Source of Shopify data you've authorized us to read | Shopify product and shop data |
We may also share your data:
- If required by law, court order, or lawful request from a public authority.
- To protect our rights, property, or safety, or that of our users or the public.
- In connection with a merger, acquisition, financing, or sale of our business — in which case any successor will be bound by this Privacy Policy or notify you of changes.
7. International Data Transfers
GMC Medic is operated from the United States. Our sub-processors are primarily located in the United States. If you are in the European Economic Area, the United Kingdom, or Switzerland, your data will be transferred to, stored, and processed in the United States.
We rely on Standard Contractual Clauses (“SCCs”) approved by the European Commission for transfers of personal data from the EEA/UK/Switzerland to the United States, and we have entered into SCCs (or their UK / Swiss equivalents) with each sub-processor that processes EEA/UK/Swiss personal data.
For transfers to Anthropic, PBC and Stripe, Inc., we additionally rely on their certification under the EU-US Data Privacy Framework where applicable.
8. Google API Services User Data Policy — Limited Use Disclosure
GMC Medic's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google Merchant Center data to provide and improve user-facing features of GMC Medic that are prominent in the application's user interface and experience.
- We do not use Google user data to serve advertisements.
- We do not allow humans to read your Google user data, with the following limited exceptions:
  - When we have your explicit, affirmative consent for specific data — for example, when you share a screenshot or scan ID in a support request.
  - When necessary for security purposes, such as investigating abuse.
  - When required to comply with applicable law.
  - When the data is aggregated and used for internal operations, in accordance with the User Data Policy.
- We do not sell Google user data to third parties — including for the purposes of advertising or any other purpose.
- We do not transfer Google user data to third parties except as necessary to provide or improve the Service, comply with applicable law, or as part of a merger, acquisition, or sale of assets.
9. Shopify Data Use
Our use of Shopify data is governed by the Shopify Partner Program Agreement and applicable Shopify policies. We use Shopify data only to operate the compliance scanning Service you have authorized.
You may revoke our access to your Shopify store at any time by uninstalling the GMC Medic app from your Shopify admin. Upon uninstall, our access tokens are immediately revoked, and your stored product data is deleted within 30 days.
10. Data Retention
Specific retention windows per category. Most data goes within 30 days of account closure; some categories we have to keep longer for tax or compliance reasons.
| Data Category | Retention Period |
|---|---|
| Account email and authentication records | While your account is active, then 30 days after deletion |
| Scan results and findings | Retained for up to 12 months while your account is active, then deleted within 30 days of account closure |
| Shopify and GMC product data | While your account is active, then 30 days after deletion |
| Billing and payment records | 7 years (retained for US tax compliance) |
| Support communications | 3 years after the date of last communication |
| Server logs | 30 days |
| Aggregated, de-identified statistics | Indefinitely (no longer linkable to you) |
When you close your account, we initiate deletion of your personal data within 30 days, except where we are legally required to retain certain records (for example, billing records for tax purposes).
11. Your Rights
11.1 Rights Available to Everyone
No matter where you live, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your account and associated data.
- Export your data in a portable format.
- Object to specific uses of your data.
- Revoke OAuth access to your Google or Shopify account at any time through those platforms' connected-apps settings.
To exercise any of these rights, email support@getgmcmedic.com. We will respond within 30 days.
11.2 Additional Rights for EU/UK/Swiss Residents (GDPR / UK GDPR)
If you are in the EEA, the UK, or Switzerland, you also have the right to:
- Restrict processing of your personal data in certain circumstances.
- Lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ICO).
- Withdraw consent at any time where we rely on consent as a legal basis.
We aim to resolve concerns directly. If you contact us first, we will work in good faith to address your complaint before you need to involve a regulator.
11.3 Additional Rights for California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”):
- Right to know what categories of personal information we collect and how we use it.
- Right to delete personal information we hold about you.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information for cross-context behavioral advertising, so there is nothing for you to opt out of, but you may submit a request anyway and we will confirm in writing.
- Right to limit the use of sensitive personal information. We do not use sensitive personal information for any purpose other than what is necessary to provide the Service.
- Right to non-discrimination for exercising any of these rights.
To submit a request, email support@getgmcmedic.com with “California Privacy Request” in the subject. We may need to verify your identity before fulfilling certain requests.
We do not have actual knowledge of selling personal information of minors under 16 years of age.
11.4 Rights for Residents of Other US States
If you are a resident of Virginia, Colorado, Connecticut, Utah, or another US state with a comprehensive privacy law, you may have similar rights to access, correct, delete, and port your data. Email us at support@getgmcmedic.com to exercise these rights.
12. Security
We've made specific technical commitments and stake our credibility on them:
- Encryption in transit. All connections to GMC Medic use TLS 1.2 or higher.
- Encryption at rest. Our database (Supabase) encrypts data at rest using AES-256.
- Access controls. We use row-level security (RLS) to ensure that account data is only accessible to the account that owns it.
- Authentication. Account access requires email-based authentication. Third-party connections use OAuth 2.0.
- Least privilege. API tokens are scoped to the minimum permissions needed.
- Secrets management. API keys and credentials are stored as encrypted environment variables, never in source code.
- Backups. Our database is backed up daily by our infrastructure provider.
No system is perfectly secure — anyone who claims otherwise is selling something. If we become aware of a personal data breach affecting your information, we will notify you and the relevant supervisory authority in accordance with applicable law — within 72 hours of becoming aware of the breach where GDPR applies.
Full details at getgmcmedic.com/security.
13. Cookies
We use a minimal number of strictly necessary cookies — primarily, the authentication cookies set by Supabase when you log in. We do not currently use analytics, advertising, or third-party tracking cookies.
For full details, see our Cookie Policy.
14. Children's Privacy
GMC Medic is a B2B tool for merchants and is not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe we have collected information from a child, contact us at support@getgmcmedic.com and we will delete it promptly.
15. Changes to This Policy
We update this Privacy Policy when our practices change. The “Effective” date at the top reflects when the current version took effect. For material changes — adding a new sub-processor, changing how we use data, anything that affects your privacy — we email you at least 30 days before the change takes effect, so you have time to review and, if you disagree, close your account.
16. Contact
Privacy questions, data requests, or complaints:
Email: support@getgmcmedic.com
Mailing address: Nyvion LLC, 2150 Renault Dr, Saint Louis, MO 63146
For GDPR-related inquiries, you may also write to “Attn: Privacy” at the address above.
© 2026 Nyvion LLC. GMC Medic is not affiliated with, endorsed by, or sponsored by Google LLC or Shopify Inc.