Ecomvault's Privacy Policy

1. Introduction
EcomVault ("EcomVault", "we", "us", or "our") is committed to protecting your privacy and ensuring the security of your data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our product management and optimization platform for Shopify stores ("Service").
We strictly comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Shopify Partner Program Agreement, and Google Cloud Platform's OAuth verification requirements. We are committed to maintaining the highest standards of data protection and privacy.
Our Core Privacy Commitment: We NEVER sell, share, or distribute your personal or business data to third parties for their marketing purposes. All data processing is solely for providing and improving our Service to you.

2. Information We Collect
2.1 Personal Information
We collect minimal personal information necessary to provide our Service:
- Account Information: Name, email address, company name
- Payment Information: Processed securely through Stripe (we do NOT store credit card details)
- Communication Data: Support tickets and feedback for service improvement

2.2 Shopify Store Information
When you connect your Shopify store through OAuth, we collect:
- Product Data: Product titles, descriptions, images, prices, inventory (for management purposes only)
- Store Configuration: Store name, domain (for identification purposes)
- Category Data: Product categories, collections, tags (for organization)
Important: We access ONLY the minimum Shopify data necessary for product management. We do NOT access customer data, order history, or payment information from your Shopify store.

2.3 Third-Party Integration Credentials
When you connect advertising platforms, we securely store:
- Google Ads: Encrypted OAuth tokens (for fetching campaign metrics only)
- Facebook Ads: Encrypted access tokens (for read-only ad performance data)
- Pinterest Ads: Encrypted authentication tokens (for campaign analytics only)
Security Note: All third-party credentials are encrypted using AES-256-GCM encryption before storage. We use these credentials ONLY to fetch analytics data for display in your dashboard. We NEVER modify your ad campaigns or access sensitive account information.

2.4 Analytics Data
We fetch and temporarily display (but do NOT permanently store):
- Campaign performance metrics (impressions, clicks, CTR)
- Aggregated spend data for reporting
- Campaign names and IDs for identification

This data is cached for a maximum of 20 minutes to improve performance and is automatically purged thereafter.

2.5 Automatically Collected Information
We collect minimal technical information for security and service operation:
- Security Data: IP address for fraud prevention and rate limiting
- Session Data: Authentication tokens (stored securely, expire automatically)
- Usage Analytics: Anonymous feature usage for service improvement

3. How We Use Your Information
We use your information EXCLUSIVELY for providing and improving our product management service:
3.1 Core Service Functions
- Enable product catalog management and optimization
- Synchronize product data with your Shopify store
- Generate AI-powered product descriptions and titles
- Display advertising metrics from connected platforms
- Process subscription payments securely

3.2 Service Communications
- Send critical service notifications (security alerts, system updates)
- Respond to your support requests
- Notify about changes to our terms or privacy policy
- Marketing communications ONLY with explicit opt-in consent

3.3 Security and Compliance
- Prevent fraud and unauthorized access
- Comply with legal obligations (GDPR, CCPA)
- Enforce our Terms of Service
- Protect against security threats

We explicitly DO NOT:
- Sell or rent your data to third parties
- Use your data for advertising targeting
- Share your business data with competitors
- Access your data for purposes unrelated to our Service
- Make automated decisions that significantly affect you

4. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contract Performance: To provide the Service you've requested
- Legitimate Interests: To improve our Service and protect our business
- Legal Compliance: To comply with applicable laws and regulations
- Consent: For marketing communications and certain data processing

5. Data Sharing and Disclosure
We maintain strict control over your data and limit sharing to essential service operations:
5.1 Essential Service Providers
We work ONLY with carefully vetted providers who sign data processing agreements:
- Shopify: OAuth authentication and product synchronization (data remains within Shopify ecosystem)
- Google Cloud Platform: ISO 27001 certified infrastructure (data encrypted at rest and in transit)
- Stripe: PCI-DSS compliant payment processing (we never see your card details)
- OpenAI: Content generation (no personal data shared, only product information)
Important: All service providers are bound by strict confidentiality agreements and can only process data according to our instructions. They cannot use your data for their own purposes.

5.2 Third-Party Platform Connections
When YOU explicitly connect advertising platforms:
- We use OAuth tokens ONLY to fetch analytics data you request
- We do NOT share your Shopify data with these platforms
- Connections can be revoked at any time from your dashboard
- All credentials are encrypted and isolated per account

5.3 Legal Obligations
We may disclose data ONLY when legally required:
- Valid court orders or legal processes
- Protection against imminent harm
- Investigation of suspected fraud or security breaches
We will notify you of any legal requests unless prohibited by law.

5.4 What We NEVER Do
- Sell your data to data brokers or advertisers
- Share your product data with competitors
- Allow third parties to use your data for marketing
- Transfer data outside our documented service providers

6. Data Security
We implement industry-leading security measures to protect your data:
6.1 Technical Security Measures
- Encryption at Rest: AES-256-GCM encryption for all stored credentials and sensitive data
- Encryption in Transit: TLS 1.3 for all data transmission
- OAuth 2.0: Industry-standard authentication for Shopify and advertising platforms
- Token Security: Encrypted storage, automatic expiration, secure refresh mechanisms
- Infrastructure: Google Cloud Platform with ISO 27001, SOC 2, and PCI DSS compliance
- Access Control: Multi-factor authentication, role-based permissions, audit logging

6.2 Operational Security
- Code Reviews: All code undergoes security review before deployment
- Vulnerability Scanning: Automated security testing and dependency updates
- Incident Response: 24-hour breach notification commitment
- Data Isolation: Complete separation between customer accounts
- Regular Audits: Quarterly security assessments

6.3 Specific Platform Security
- Shopify: OAuth tokens with minimal required scopes, automatic token refresh
- Google Ads: OAuth 2.0 with read-only scopes, compliant with Google's security requirements
- Facebook/Pinterest: Encrypted token storage, regular token rotation

7. Data Retention and Deletion
We follow strict data minimization and retention policies:
7.1 Retention Periods
- Active Account Data: Retained while account is active
- Product Data: Synced with Shopify, deleted upon disconnection
- OAuth Tokens: Automatically refreshed or deleted when expired
- Analytics Cache: 20 minutes maximum (auto-purged)
- Closed Accounts: Deleted within 30 days of closure
- Payment Records: 7 years (legal requirement for tax compliance)
- Security Logs: 90 days for incident investigation

7.2 Data Deletion
You can request immediate deletion of your data at any time:
- Account deletion removes all personal and product data
- OAuth tokens are immediately revoked
- Backup data is purged within 30 days
- We maintain a deletion log for compliance verification

7.3 Automatic Deletion
- Inactive accounts: Notified after 12 months, deleted after 18 months
- Disconnected integrations: Tokens deleted immediately
- Failed payment accounts: Data retained for 90 days then deleted

8. Your Rights (GDPR)
Under GDPR, you have the following rights regarding your personal data:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Limit processing of your data
- Objection: Object to certain processing activities
- Automated Decision-Making: Not be subject to solely automated decisions
- Consent Withdrawal: Withdraw consent at any time

To exercise these rights, contact us at Support@ecomvault.ai. We will respond within 30 days.

9. International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions for data transfers
- Binding corporate rules where applicable
- Your explicit consent for specific transfers

10. Cookies and Tracking
We use minimal cookies necessary for service operation:
- Essential Cookies Only: Authentication and session management
- No Marketing Cookies: We do NOT use tracking or advertising cookies
- No Third-Party Cookies: We do NOT allow third-party tracking
- Session Storage: Temporary data cleared when browser closes
You can disable cookies in your browser, but this will prevent you from using our Service.

11. Third-Party Integrations
We integrate with the following services under strict privacy controls:
11.1 Required Integrations
- Shopify: Product data sync (you control what data is shared)
- Payment Processor: Stripe (PCI-DSS compliant, we never see card details)

11.2 Optional Integrations (User-Initiated)
- Google Ads: Read-only analytics access (requires your explicit authorization)
- Facebook Ads: Campaign metrics only (you select which ad account)
- Pinterest Ads: Performance data only (minimal scope access)

Integration Privacy Guarantees:
- You must explicitly authorize each integration
- We request only minimum necessary permissions
- All tokens are encrypted and isolated per account
- You can revoke access at any time from your dashboard
- We NEVER cross-share data between integrations

12. Children's Privacy
Our Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child under 18, we will delete it promptly.

13. Marketing Communications
With your consent, we may send you marketing communications about:
- New features and updates
- Tips and best practices
- Special offers and promotions
- Industry news and insights
You can opt out of marketing communications at any time through the unsubscribe link in emails or by contacting us.

14. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt-out of the sale of personal information
- Right to non-discrimination for exercising privacy rights
We do not sell personal information to third parties.

15. Changes to Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Last Updated" date
- Sending email notification for significant changes
Continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your data:
Ecomvault
Email: Support@ecomvault.ai
Website: www.ecomvault.ai

17. Google Ads API - Limited Use Disclosure
EcomVault's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Our Commitments:
- We ONLY access Google Ads data when you explicitly authorize it
- We use read-only permissions to fetch campaign performance metrics
- We do NOT modify, create, or delete any campaigns or settings
- We do NOT share your Google Ads data with any third parties
- We do NOT use your data for advertising or marketing purposes
- We do NOT combine your Google Ads data with data from other users
- All access tokens are encrypted using AES-256-GCM
- You can revoke access at any time from your dashboard

Data We Access (Read-Only):
- Campaign names and IDs
- Performance metrics (impressions, clicks, CTR, spend)
- Date ranges for reporting

Data We Do NOT Access:
- Customer lists or audience data
- Billing or payment information
- Account settings or configurations
- Keywords or targeting settings

18. Governing Law and Jurisdiction
This Privacy Policy and any disputes relating to it shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of law provisions.

Any legal proceedings relating to this Privacy Policy shall be brought exclusively in the competent courts of Amsterdam, Netherlands, and you consent to the jurisdiction of such courts.

As a company registered in the Netherlands, we fully comply with Dutch and European Union data protection laws, including the General Data Protection Regulation (GDPR) (EU) 2016/679.

19. Supervisory Authority
Under Dutch and EU law, you have the right to lodge a complaint with a supervisory authority. The competent authority in the Netherlands is:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Address: Postbus 93374, 2509 AJ Den Haag, Netherlands
Website: autoriteitpersoonsgegevens.nl
Phone: 0900-2001201 (within Netherlands)
International: +31 70 888 8500

EU residents may also contact their local data protection authority.