Privacy Policy

AdaptiveShop ("we," "us," or "our") operates an e-commerce platform that enables independent merchants to create online storefronts and sell products. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Platform.

This Privacy Policy is designed to comply with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the European Union's General Data Protection Regulation (GDPR).

By using AdaptiveShop, you consent to the data practices described in this policy.

1. Information We Collect

1.1 Information You Provide Directly

For Merchants (Sellers)

• Email address (for account creation and login)
• Business name and support email (required before accepting payments)
• Shipping address (for ship-from location)
• Phone number (optional, for shipping labels)
• Payment information via Stripe Connect (Stripe Connect Account ID)
• Product data (names, descriptions, images, pricing, inventory)
• Shipping and returns policies
• Shop customization (logo, branding, colors)
• Notification preferences
• Team member email addresses (for invitations to manage your shop)

For Customers (Buyers)

• Name, email address, and phone number (provided at checkout)
• Shipping address (required for order fulfillment)
• Payment card information (collected and processed by Stripe; we only store card brand and last 4 digits)
• Order details (products purchased, quantities, variants)

1.2 Information Collected Automatically

• IP Address: Collected for analytics, fraud detection, and security purposes
• Browser and Device Information: User agent, device type, operating system, browser type
• UTM Parameters: Marketing campaign tracking (utm_source, utm_medium, utm_campaign, utm_term, utm_content)
• Referrer Information: URL of the site that referred you to AdaptiveShop
• Page Visit Data: Pages viewed, time spent, navigation patterns
• Session Cookies: Authentication session cookies (secure, HTTP-only) managed by Supabase Auth

1.3 Information from Third Parties

• Stripe: Payment processing status, payment method details (card brand, last 4 digits), transaction success/failure events
• ShipEngine: Shipping rates, tracking information, label generation data
• Print-on-Demand Providers (Printful, Printify, Gelato, etc.): Order fulfillment status, tracking numbers

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery

• Create and manage merchant accounts
• Process orders and payments
• Facilitate order fulfillment and shipping
• Send transactional emails (order confirmations, shipping notifications)
• Provide customer support
• Enable shop customization and branding

2.2 Marketing and Cart Recovery Communications

• Marketing Opt-In: During checkout, you may opt in to receive marketing emails from the merchant. This consent is collected via a checkbox on the Stripe Checkout page.
• Email Capture Section: Some merchants may display an email capture form on their shop page (typically in the footer). By entering your email and clicking subscribe, you consent to receiving marketing communications from that merchant. Your email address is stored with a timestamp of your consent.
• Abandoned Cart Recovery (Pro Merchants): If you start checkout but don't complete your purchase, Pro tier merchants may send you a reminder email after 4 hours. This only occurs if you:
  • Entered your email address during checkout
  • Opted in to receive promotional communications
• Unsubscribe: Cart recovery emails include an unsubscribe link. Clicking it will prevent future cart recovery emails from that specific merchant. Order confirmations and shipping notifications are transactional and cannot be unsubscribed.
• Merchant Access to Marketing Subscribers: Merchants can view and export email addresses of customers who opted in to marketing communications. This allows merchants to send campaigns using external email marketing tools (Mailchimp, Klaviyo, etc.).

2.3 Analytics and Improvements

• Analyze platform usage and performance
• Understand marketing campaign effectiveness (via UTM tracking)
• Improve product features and user experience
• Generate merchant analytics (sales, traffic, conversions)

2.4 Security and Fraud Prevention

• Detect and prevent fraud, spam, and abuse
• Verify webhook events from third parties
• Maintain platform security and integrity

2.5 Legal Compliance

• Comply with legal obligations and regulatory requirements
• Respond to lawful requests from authorities
• Enforce our Terms of Service
• Resolve disputes and protect legal rights

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

3.1 With Merchants (For Customer Orders)

When you purchase from a merchant's shop, we share your order information with that merchant, including:

• Name, email, phone number
• Shipping address
• Product details, quantities, variants (SKU, color, size)
• Payment amount, card brand (not full card number), last 4 digits
• Order status and fulfillment tracking

Merchants cannot see: other customers' orders, other merchants' data, or your browsing behavior outside their shop.

3.2 With Team Members (Pro Feature)

Pro merchants can invite up to 2 team members to help manage their shop. When a team member is added:

• Shop owners see: Team member email addresses, invitation status, join date, and activity within the shop management dashboard
• Team members see: The merchant's products, orders, customer information (names, emails, shipping addresses), shop analytics, and customization settings
• Team members cannot see: Billing information, subscription details, Stripe connection settings, or API keys

Team member email addresses are used solely to send invitation emails and manage access to the merchant's dashboard. When a team member is removed, they immediately lose access to the merchant's data and receive a notification email.

3.3 With Service Providers

Stripe (Payment Processing)

• Customer name, email, phone, shipping address
• Payment card information (processed directly by Stripe; AdaptiveShop never stores full card numbers)
• Order amount and line item details
• Stripe handles PCI-DSS compliance for payment card data

Resend (Email Delivery)

• Customer email addresses (recipients)
• Merchant support email (reply-to address)
• Order details included in transactional emails (order confirmations, shipping notifications)

ShipEngine (Shipping & Logistics)

• Merchant's ship-from address
• Customer's shipping address
• Package dimensions and weight
• Order details for rate quotes and label generation

Print-on-Demand Providers (Printful, Printify, Gelato, Prodigi, FourthWall)

• Customer shipping address (for product fulfillment)
• Product design/image URLs
• Order metadata (order ID, quantity, variant selections)

Supabase (Database & Authentication)

• All data stored on AdaptiveShop is hosted on Supabase's infrastructure
• Supabase provides database encryption at rest and secure authentication services

Google Merchant Center (Optional - Pro Merchants)

• Product titles, descriptions, prices, and images (for Google Shopping listings)
• Product availability status (in stock/out of stock)
• Variant attributes (color, size)
• Links to product pages on your shop
• No customer personal information is shared through the product feed
• This feature is optional, controlled by Pro merchants, and only shares product catalog data

Google (Gemini AI)

• Product names, descriptions, and attributes (for AI-generated descriptions, titles, and insights)
• Aggregated analytics metrics such as revenue totals, order counts, and traffic sources (for generating merchant business insights)
• Marketing context from UTM parameters (for adaptive content personalization)
• No customer personal information (names, emails, addresses, payment details) is sent to AI services
• Google's AI services are used solely for content generation and analytics; data is processed per Google's API terms and is not used for model training

3.4 For Legal Reasons

We may disclose your information if required to do so by law or in response to:

• Valid legal process (subpoenas, court orders)
• Requests from government authorities
• Protection of our rights, property, or safety
• Investigation of fraud or security issues

3.5 Business Transfers

If AdaptiveShop is acquired, merged, or undergoes a business restructuring, your information may be transferred to the acquiring entity as part of the transaction.

3.6 Promotional Use (Merchants Only)

As described in our Terms of Service and Merchant Agreement, merchants grant AdaptiveShop a license to use their publicly displayed content for promotional purposes. This may include:

• Screenshots or representations of merchant storefronts and product pages
• Product images, descriptions, and listings
• Shop names, logos, and branding elements

This promotional use applies only to:

• Content that merchants have made publicly visible on their storefronts
• Business information (shop name, branding), not personal information

This promotional use does NOT include:

• Personal account information (email addresses, phone numbers)
• Customer personal data
• Financial or payment information
• Private dashboard or settings content

Merchants may opt out of future promotional use by contacting support@adaptiveshop.ai. See our Terms of Service for complete details.

4. Data Security

We implement industry-standard security measures to protect your personal information:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
• Encryption at Rest: Data stored in our database is encrypted at rest via Supabase
• Row Level Security (RLS): Database access is restricted so merchants can only access their own data
• Secure Authentication: Passwordless magic link login via Supabase Auth
• PCI-DSS Compliance: Payment card data is processed and stored by Stripe, not by AdaptiveShop
• Webhook Verification: All third-party webhooks are cryptographically verified before processing
• Environment Variable Protection: API keys and secrets are stored securely and never exposed to clients

Important: No method of transmission over the internet is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

5. Your Privacy Rights

5.1 Rights Under GDPR (European Users)

If you are located in the European Economic Area (EEA), you have the following rights:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (subject to legal retention requirements)
• Right to Data Portability: Request your data in a machine-readable format
• Right to Restrict Processing: Request that we limit how we use your data
• Right to Object: Object to certain types of data processing
• Right to Withdraw Consent: Withdraw consent for data processing at any time
• Right to Lodge a Complaint: File a complaint with your local data protection authority

5.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights:

• Right to Know: Request disclosure of what personal information we collect, use, and share
• Right to Delete: Request deletion of your personal information (subject to exceptions)
• Right to Opt-Out of Sale: We do NOT sell your personal information, so no opt-out is necessary
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information: Request limits on use of sensitive data (if applicable)

5.3 Account Deletion (30-Day Grace Period)

Merchants can delete their accounts at any time. Upon requesting account deletion:

• Your account enters a 30-day grace period
• You will receive an email notification confirming the deletion request
• During the grace period, your account is paused but data is preserved
• You can reactivate your account at any time during the 30 days by logging in
• After 30 days, your account and all associated data (orders, products, analytics) are permanently deleted

5.4 How to Exercise Your Rights

To exercise any of the rights listed above, contact us at:

Email: support@adaptiveshop.ai

We will respond to your request within 30 days (GDPR) or 45 days (CCPA). We may require identity verification before fulfilling your request.

6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

Specific Retention Periods

• Account Data (Merchants): Retained until account deletion (then 30-day grace period)
• Order Data (Customers): Retained indefinitely for tax, accounting, and legal compliance purposes, unless deletion is requested
• Email Logs: Retained for 1 year for compliance and debugging
• Analytics Data (Page Visits, UTM, IP): Retained for 1 year, then anonymized or deleted
• Shipping Rate Quotes: Automatically deleted after 24 hours
• Session Cookies: Expire when you log out or session ends

Automatic Inactive Account Cleanup

To manage platform resources and comply with data minimization principles, we automatically remove inactive accounts:

• Incomplete Setup Accounts: Accounts that do not complete setup (connect Stripe and add products) within 60 days of creation are scheduled for deletion. Warning email sent at day 45, permanent deletion at day 90.
• Lapsed Subscription Accounts: Accounts with inactive subscriptions for more than 12 months are scheduled for deletion. Warning email sent at month 11, permanent deletion at month 13.

You may reactivate your account at any time before permanent deletion by completing setup (for incomplete accounts) or resubscribing (for lapsed accounts). Grandfathered accounts are exempt from automatic cleanup.

After the retention period expires, we will securely delete or anonymize your personal information.

7. International Data Transfers

AdaptiveShop is based in the United States. If you are located outside the U.S., your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

Third-Party Service Locations

• Supabase (Database): Data stored in U.S.-based data centers
• Stripe: Operates globally with data centers in the U.S. and Europe
• Resend: Email service provider (check their data processing locations)
• ShipEngine: U.S.-based shipping API provider

For GDPR compliance, we rely on Standard Contractual Clauses (SCCs) and other approved transfer mechanisms when transferring data from the EEA to countries without adequacy decisions.

By using AdaptiveShop, you consent to the transfer of your information to the United States and other jurisdictions as described.

8. Cookies and Tracking Technologies

AdaptiveShop uses minimal cookies and does NOT use third-party advertising or tracking cookies.

8.1 Cookies We Use

• Authentication Cookies: Secure, HTTP-only session cookies managed by Supabase Auth (essential for login functionality)
• Local Storage: Minimal use for temporary data (e.g., pending terms acceptance during login)

8.2 What We Do NOT Use (By Default)

• Third-party analytics cookies (Mixpanel, etc.) - see 8.3 for optional Google Analytics
• Advertising cookies or pixels
• Cross-site tracking cookies
• Social media tracking pixels

8.3 Optional Google Analytics 4 (Pro Merchants Only)

Pro tier merchants may optionally connect their own Google Analytics 4 (GA4) property to their shop pages. When a merchant enables GA4:

• Google's analytics scripts are loaded on that merchant's shop and product pages
• Google may set analytics cookies (e.g., _ga, _gid) on visitors to those pages
• Data is collected and processed by Google according to Google's Privacy Policy
• The merchant (not AdaptiveShop) controls and has access to this analytics data

This tracking is optional and only applies to shop pages of merchants who have explicitly enabled it. AdaptiveShop's core platform pages (dashboard, settings, etc.) do not use Google Analytics.

8.4 Tracking Without Cookies

We collect analytics data server-side without cookies:

• UTM parameters from URLs (marketing campaign tracking)
• Referrer information (which site referred you)
• IP addresses (for geographic analytics and fraud detection)
• User agent strings (browser and device information)

9. Children's Privacy

AdaptiveShop is not intended for use by individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at support@adaptiveshop.ai.

10. California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for direct marketing purposes.

AdaptiveShop does NOT share your personal information with third parties for their direct marketing purposes.

11. Do Not Track Signals

Some browsers support a "Do Not Track" (DNT) feature. AdaptiveShop does not currently respond to DNT signals because we do not use third-party tracking cookies or advertising networks. Our analytics data collection is minimal and server-side only.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

When we make material changes:

• We will update the "Last Updated" date at the top of this policy
• We may notify you via email or a prominent notice on the Platform
• Continued use of AdaptiveShop after changes constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

AdaptiveShop
Email: support@adaptiveshop.ai
Website: https://www.adaptiveshop.ai

For GDPR-related inquiries or to exercise your rights as an EEA resident:
Email: support@adaptiveshop.ai
Subject Line: "GDPR Privacy Request"

For CCPA-related inquiries or to exercise your rights as a California resident:
Email: support@adaptiveshop.ai
Subject Line: "CCPA Privacy Request"

14. Summary of Key Points

• We do NOT sell your personal information
• We use minimal cookies (only authentication, no tracking)
• Payment data is handled by Stripe (PCI-DSS compliant; we never store full card numbers)
• You can delete your account with a 30-day grace period for reactivation
• Merchants only see their own customers' data (enforced by database security)
• We share data only with essential service providers (Stripe, Resend, ShipEngine, POD providers, Google Gemini AI)
• California and GDPR rights are fully supported (access, deletion, portability, correction)
• Data retention periods are clearly defined (1 year for analytics, indefinite for orders unless deletion requested)
• Merchant storefront content may be used for promotional purposes (public shop pages, product images, branding only; opt-out available)