**Last Updated: February 9, 2026**
Shoptimal (“Company,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.
Please read this Privacy Policy carefully. By using Shoptimal, you consent to the practices described in this policy.
—
## 1. Information We Collect
### 1.1 Information You Provide Directly
**Account Information:**
– Name
– Email address
– Password (stored in hashed form)
– Company/store name
– Billing address
**Payment Information:**
– Payment method details (processed and stored by Stripe)
– Billing history
– Subscription plan information
**Communications:**
– Support requests and correspondence
– Feedback and survey responses
– Email preferences
### 1.2 Information from Connected Platforms
When you connect your Shopify store (or other ecommerce platforms), we access:
**Store Information:**
– Store name and domain
– Store settings and configuration
**Product Data:**
– Product names, descriptions, and images
– Pricing and inventory information
– Product categories and tags
**Order Data:**
– Order numbers and dates
– Order totals and line items
– Fulfillment status
– Customer email addresses (for automation purposes)
**Customer Data:**
– Customer names and email addresses
– Purchase history
– Customer addresses (for order context)
### 1.3 Information Collected Automatically
**Usage Data:**
– Features accessed and actions taken
– AI content generation requests and outputs
– Automation configurations and executions
– Timestamps and frequency of use
**Technical Data:**
– IP address
– Browser type and version
– Device type and operating system
– Referring URLs
– Session duration and pages visited
**Cookies and Similar Technologies:**
– Session cookies for authentication
– Preference cookies for settings
– Analytics cookies for service improvement
### 1.4 Information from Third Parties
**Payment Processor (Stripe):**
– Transaction status and history
– Payment method validation
**AI Providers (OpenAI, Google):**
– We send prompts and context to generate content
– We receive generated content responses
**Email Service (SendGrid):**
– Email delivery status
– Open and click tracking (if enabled)
– Bounce and unsubscribe data
—
## 2. How We Use Your Information
We use the information we collect for the following purposes:
### 2.1 Providing the Service
– Creating and managing your account
– Processing payments and subscriptions
– Connecting to and syncing with your ecommerce platforms
– Generating AI content based on your requests
– Executing email automations
– Displaying analytics and insights
### 2.2 Improving the Service
– Analyzing usage patterns to improve features
– Identifying and fixing bugs
– Developing new features and functionality
– Training and improving AI models (with anonymized data only)
### 2.3 Communications
– Sending transactional emails (receipts, password resets)
– Providing customer support
– Sending service announcements and updates
– Marketing communications (with your consent)
### 2.4 Security and Compliance
– Detecting and preventing fraud
– Enforcing our Terms of Service
– Complying with legal obligations
– Protecting our rights and the rights of others
### 2.5 Personalization
– Customizing your experience
– Providing relevant recommendations
– Calculating health scores and insights
– Managing your rewards and achievements
—
## 3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your personal data based on the following legal grounds:
| Purpose | Legal Basis |
|———|————-|
| Providing the Service | Performance of contract |
| Processing payments | Performance of contract |
| Account security | Legitimate interest |
| Service improvements | Legitimate interest |
| Marketing communications | Consent |
| Legal compliance | Legal obligation |
| Fraud prevention | Legitimate interest |
—
## 4. How We Share Your Information
We do not sell your personal information. We share your information only as described below:
### 4.1 Service Providers (Subprocessors)
We share information with third-party service providers who perform services on our behalf:
| Provider | Purpose | Data Shared |
|———-|———|————-|
| **Stripe** | Payment processing | Payment info, billing address |
| **OpenAI** | AI content generation | Prompts, product data, context |
| **Google Cloud** | AI services, hosting | Prompts, product data |
| **SendGrid** | Email delivery | Recipient emails, email content |
| **Shopify** | Store integration | OAuth tokens, store data |
These providers are contractually obligated to protect your information and use it only for the services they provide to us.
### 4.2 With Your Consent
We may share your information with third parties when you give us explicit consent to do so.
### 4.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, government agencies).
### 4.4 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity.
### 4.5 Protection of Rights
We may disclose information to enforce our Terms of Service, protect our rights, privacy, safety, or property, and to protect against legal liability.
—
## 5. Your End Customers’ Data
### 5.1 Your Role as Data Controller
When you use Shoptimal to process your End Customers’ personal data, you are the data controller. You determine why and how that data is processed.
### 5.2 Our Role as Data Processor
We act as a data processor on your behalf. We process End Customer data only according to your instructions and as necessary to provide the Service.
### 5.3 Your Responsibilities
As the data controller, you are responsible for:
– Providing appropriate privacy notices to your End Customers
– Obtaining necessary consents for data processing
– Ensuring lawful basis for processing
– Responding to data subject requests (access, deletion, etc.)
– Ensuring your use of the Service complies with applicable privacy laws
### 5.4 Data Processing Addendum
If you process personal data of EU residents, our Data Processing Addendum (available upon request) applies and is incorporated into these Terms.
—
## 6. Data Security
We implement appropriate technical and organizational measures to protect your information:
### 6.1 Technical Measures
– Encryption of data in transit (TLS/HTTPS)
– Encryption of sensitive data at rest
– Secure password hashing (bcrypt)
– Access token encryption for third-party integrations
– Regular security updates and patches
### 6.2 Organizational Measures
– Access controls limiting data access to authorized personnel
– Security training for employees
– Incident response procedures
– Regular security assessments
### 6.3 No Guarantee
While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
—
## 7. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this policy:
| Data Type | Retention Period |
|———–|——————|
| Account information | Duration of account + 90 days |
| Store and product data | Duration of connection + 90 days |
| Order data | Duration of account + 90 days |
| AI generation history | 90 days |
| Email tracking data | 12 months |
| Usage analytics | 24 months (anonymized) |
| Billing records | 7 years (legal requirement) |
| Support communications | 3 years |
After the retention period, data is either deleted or anonymized.
—
## 8. Your Privacy Rights
### 8.1 Rights for All Users
**Access:** You can access your account information through your account settings.
**Update:** You can update your account information at any time.
**Delete:** You can request deletion of your account by contacting us.
**Data Export:** You can request a copy of your data in a portable format.
### 8.2 Additional Rights for EEA/UK Residents (GDPR)
If you are in the EEA or UK, you have additional rights:
– **Right to Access:** Request a copy of your personal data
– **Right to Rectification:** Request correction of inaccurate data
– **Right to Erasure:** Request deletion of your data (“right to be forgotten”)
– **Right to Restrict Processing:** Request limitation of processing
– **Right to Data Portability:** Receive your data in a structured, machine-readable format
– **Right to Object:** Object to processing based on legitimate interests
– **Right to Withdraw Consent:** Withdraw consent for processing based on consent
– **Right to Lodge a Complaint:** File a complaint with your supervisory authority
### 8.3 Additional Rights for California Residents (CCPA)
If you are a California resident, you have the right to:
– **Know:** Request disclosure of personal information we collect, use, and share
– **Delete:** Request deletion of your personal information
– **Opt-Out:** We do not sell personal information, so this right does not apply
– **Non-Discrimination:** We will not discriminate against you for exercising your rights
### 8.4 Exercising Your Rights
To exercise any of these rights, please contact us at:
– Email: hello@shoptimal.io
– Subject line: “Privacy Rights Request”
We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
—
## 9. Cookies and Tracking Technologies
### 9.1 Types of Cookies We Use
**Essential Cookies:**
– Session authentication
– CSRF protection
– User preferences
– These cannot be disabled
**Analytics Cookies:**
– Usage patterns and feature engagement
– Error tracking
– Performance monitoring
**Functional Cookies:**
– Remember your settings
– Personalization preferences
### 9.2 Managing Cookies
You can manage cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Service.
### 9.3 Do Not Track
We do not currently respond to “Do Not Track” browser signals, as there is no consistent industry standard for compliance.
—
## 10. International Data Transfers
### 10.1 Location of Processing
Our servers and service providers are primarily located in the United States. If you are located outside the US, your information will be transferred to and processed in the US.
### 10.2 Safeguards for EU Data
For personal data transferred from the EEA, UK, or Switzerland, we rely on:
– Standard Contractual Clauses approved by the European Commission
– Adequacy decisions where applicable
– Other lawful transfer mechanisms
—
## 11. Children’s Privacy
The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will promptly delete that information.
—
## 12. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.
—
## 13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
– Posting the updated policy on our website
– Sending an email to your registered email address
– Displaying a notice within the Service
Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
—
## 14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
**Shoptimal**
Email: hello@shoptimal.io
Support: support@shoptimal.io
For EU residents, you may also contact our Data Protection Officer at hello@shoptimal.io.
—
## 15. Subprocessor List
The following is a list of subprocessors we use to provide the Service:
| Subprocessor | Purpose | Location |
|————–|———|———-|
| Stripe, Inc. | Payment processing | United States |
| OpenAI, L.L.C. | AI content generation | United States |
| Google LLC | AI services, cloud hosting | United States |
| Twilio SendGrid | Email delivery | United States |
| Shopify Inc. | Ecommerce integration | Canada/United States |
This list may be updated from time to time. Material changes to subprocessors will be communicated in accordance with our Data Processing Addendum.
—
**By using Shoptimal, you acknowledge that you have read and understood this Privacy Policy.**