Privacy Policy

Account information: Name and email address when you register.

Shopify store data: Orders, products, and aggregated metrics accessed via Shopify's API with your explicit consent through OAuth. We use read-only scopes and never modify your store.

Usage data: Pages visited, features used, and session duration to improve the Service.

Contact information: Name, email, and message content if you use our contact form.

We do not collect payment card details — all billing is handled through Shopify's built-in subscription system.

We use your data exclusively to provide and improve the Service:

• Generate profit dashboards, reports, and analytics
• Produce AI-powered insights and recommendations
• Send weekly profit reports to your email
• Provide customer support
• Improve the Service based on usage patterns

When generating AI insights, we send aggregated, anonymized metrics to our AI provider. No personally identifiable customer data (names, emails, addresses) is ever included in AI requests.

We do not sell, rent, or share your personal data with third parties for marketing purposes. We share data only with:

• Shopify: Through their official API for store data access and billing
• AI providers: Aggregated metrics only (no PII) for generating insights
• Infrastructure providers: Hosting and database services bound by data processing agreements

We may disclose information if required by law or to protect our legal rights.

We retain your data only as long as necessary to provide the Service:

• Account data: Retained while your account is active. Deleted within 30 days of account closure.
• Store metrics: Retained for up to 365 days depending on your plan, then automatically pruned.
• Chat conversations: Retained for 90 days, then automatically deleted.

When you disconnect a Shopify store, we delete the associated access tokens and cached store data within 48 hours.

We use only essential cookies required for the Service to function:

• Session cookie: Maintains your login session (expires on browser close or after 120 minutes of inactivity)
• CSRF token: Protects against cross-site request forgery
• Chat widget cookie: Identifies anonymous chat sessions for support continuity

We do not use third-party tracking cookies, advertising pixels, or analytics trackers.

We implement industry-standard security measures to protect your data:

• Shopify access tokens encrypted with AES-256 at rest
• All data transmitted over TLS 1.3
• Webhook signatures cryptographically verified on every request
• Passwords hashed with bcrypt
• We are a verified Shopify Partner

You have the right to:

• Access: Request a copy of your personal data
• Rectification: Update or correct inaccurate data via your profile settings
• Deletion: Delete your account and all associated data from your settings page
• Disconnect: Revoke Shopify store access at any time
• Data portability: Export your reports and metrics

To exercise any of these rights, email us at noreply@profitpilot.app or use the self-service options in your account settings.

We comply with GDPR requirements for EU users. The legal basis for processing your data is:

• Contract performance: Processing necessary to provide the Service you subscribed to
• Legitimate interest: Service improvement and security
• Consent: For optional features like AI insights

We comply with Shopify's data handling requirements, including customer data request, data erasure, and shop redaction webhooks.