Easy AI Store Ops

Privacy Policy

Last updated 19 April 2026

In short. We collect what we need to run the service — account email, Shopify access tokens (encrypted per-merchant), and an audit trail of every operation. We do not train third-party models on your store data. Tokens are revocable any time.

1. Who is the controller

StoreOperators is the data controller for personal data processed through the Easy AI Store Ops service. Contact: privacy@storeoperators.com.

2. What we collect

  • Account data: email address, authentication events, sign-in IP and user agent (for security).
  • Shopify integration: the store domain and a scoped Shopify access token, encrypted at rest with per-merchant keys. We store only what the app needs to plan and execute operations.
  • Operational data: the prompts you send, the plans we generate, the operations you confirm, their results, and snapshots of the resources we modify (to support rollback).
  • Billing: plan, subscription status, invoice IDs, last-four of card, billing country — provided by Stripe. We do not store full card numbers.
  • Marketing: webinar-signup email + optional name / company / store. Only used for confirmation and reminder emails.
  • Product analytics: minimal server-side event counts (operations per kind, plan confirmations) for reliability and pricing calibration. No third-party trackers on marketing pages.

3. What we do not do

  • We do not train third-party large language models on your store data.
  • We do not sell or rent your data.
  • We do not ship third-party trackers or ad pixels on marketing or app pages.
  • We do not write to your Shopify store without an explicit plan you confirmed.

4. Sub-processors we use

  • Supabase — primary application database + auth. Region: EU (Frankfurt).
  • Stripe — payments, subscriptions, and top-up packs.
  • Anthropic — the model that drafts plans. We send only the prompts and targeted catalogue context needed for the plan. No long-term model training on your data.
  • Resend — transactional and webinar email delivery.
  • Railway — application hosting.

5. Legal bases (EEA/UK)

We process account, integration, and operational data on the basis of contract performance — running the service you asked us to run. We process billing data on the basis of legal obligation (tax, accounting). We process webinar-signup data on the basis of consent; you can withdraw consent at any time by using the unsubscribe link on any email.

6. Retention

  • Audit trail of operations and their snapshots: 365 days after account closure.
  • Account email and sign-in events: while the account is active, plus 90 days.
  • Billing records: 7 years, as required by tax law.
  • Webinar signups: until unsubscribed, then anonymised for 180 days and deleted.

7. Your rights

You can request access, rectification, deletion, export, or restriction of your personal data by writing to privacy@storeoperators.com. We respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority.

8. International transfers

Our primary data store is in the EU. Some sub-processors (Stripe, Anthropic, Resend, Railway) may transfer data outside the EEA under Standard Contractual Clauses. You can request a copy of the relevant safeguards by writing to privacy@storeoperators.com.

9. Security

  • Shopify access tokens encrypted at rest with per-merchant keys.
  • Least-privilege database row-level security for every table that touches merchant data.
  • All traffic terminated on HTTPS; no long-lived client-side secrets.
  • Vulnerabilities can be reported to security@storeoperators.com — we aim to acknowledge within 2 business days.

10. Changes

If we make a material change to this policy we will announce it in-app and by email at least 14 days before it takes effect.

© 2026 StoreOperators.
