Privacy Policy

Last updated: March 23, 2026

1. Introduction

Magpiexyz Ltd ("we", "us", "our") operates GhostOps ("the Service"), an AI-powered operations platform for Shopify store owners. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your privacy and handling your data in a transparent manner.

2. Data Controller

Magpiexyz Ltd is the data controller for the personal data processed through the Service. For questions about this policy or your data, contact us at privacy@ghostops.app.

3. Information We Collect

3.1 Account Information

  • Email address (required for account creation)
  • Hashed password (stored by Supabase Auth, never in plaintext)
  • Subscription plan and billing status

3.2 Store Data (via Shopify OAuth)

  • Store name and domain
  • Product catalog (titles, descriptions, images, pricing)
  • Customer support messages and ticket content
  • Order information for email campaign targeting

3.3 Connected Platform Data

  • OAuth access tokens for Shopify, X (Twitter), Facebook, and Instagram (encrypted at rest)
  • Platform usernames and account identifiers

3.4 AI-Generated Content

  • Support ticket classifications and draft responses
  • Generated product descriptions, meta titles, and keywords
  • Social media post content and generated images
  • Email campaign subject lines, preview text, and body content

3.5 Usage Data

  • Pages visited and features used (via PostHog analytics)
  • Agent activity logs (ticket triaged, post generated, etc.)
  • IP address and browser information for rate limiting and security

3.6 Payment Data

Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or full payment details on our servers. We only store your Stripe customer ID and subscription ID for billing management.

4. How We Use Your Information

  • Provide the Service: Process your store data through AI models to generate support responses, product descriptions, social media posts, and email campaigns.
  • Personalization: Apply your brand voice settings to all AI-generated outputs.
  • Account management: Authenticate your identity, manage your subscription, and enforce usage limits.
  • Platform integrations: Publish content to your connected social media accounts and Shopify store on your behalf.
  • Security: Rate limiting, abuse prevention, and fraud detection.
  • Product improvement: Aggregated, anonymized usage analytics to improve features and performance.
  • Communication: Send transactional emails (account confirmation, password reset) and service-related notifications.

5. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:

  • Contract performance (Article 6(1)(b)): Processing necessary to provide the Service you subscribed to.
  • Consent (Article 6(1)(a)): For analytics tracking (via cookie consent) and marketing communications.
  • Legitimate interest (Article 6(1)(f)): Security measures, fraud prevention, and service improvement.
  • Legal obligation (Article 6(1)(c)): Compliance with tax, financial, and regulatory requirements.

6. AI Data Processing

Your store data (customer messages, product descriptions, order context) is sent to third-party AI providers for content generation:

  • MiniMax (text generation): Receives prompts containing your store data to generate text content. Data is processed per MiniMax's data processing terms and is not used to train their models.
  • OpenAI (image generation): Receives image prompts for Instagram post images via DALL-E 3. Subject to OpenAI's API data usage policy.

We do not use your data to train, fine-tune, or improve third-party AI models. All AI processing is performed via API calls with data transmitted over encrypted connections (TLS 1.2+).

7. Data Sharing and Third Parties

We share your data only with the following categories of third parties, solely for the purposes described:

  • Supabase: Database hosting, authentication, and row-level security.
  • Vercel: Application hosting and serverless function execution.
  • Stripe: Payment processing and subscription management.
  • MiniMax / OpenAI: AI content generation (as described in Section 6).
  • Resend: Transactional and campaign email delivery.
  • PostHog: Product analytics (with user consent).
  • Platform APIs: Shopify, X, Facebook, Instagram (only data you authorize for publishing).

We do not sell your personal data to any third party.

8. Data Retention

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
  • AI-generated content: Retained for the duration of your account. Deleted with account deletion.
  • OAuth tokens: Deleted when you disconnect a platform or delete your account.
  • Analytics data: Retained for 12 months, then automatically purged.
  • Billing records: Retained for 7 years as required by financial regulations.

9. Data Security

  • All data is encrypted in transit using TLS 1.2+.
  • Database is encrypted at rest (Supabase/PostgreSQL).
  • OAuth tokens are encrypted before storage using AES-256-GCM.
  • Row-level security (RLS) ensures users can only access their own data.
  • Passwords are hashed using bcrypt via Supabase Auth.
  • Rate limiting protects against abuse on all API endpoints.
  • Content Security Policy headers protect against XSS attacks.

10. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:

  • Access (Article 15): Request a copy of the personal data we hold about you.
  • Rectification (Article 16): Request correction of inaccurate or incomplete data.
  • Erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
  • Restriction (Article 18): Request restriction of processing in certain circumstances.
  • Data Portability (Article 20): Request your data in a machine-readable format.
  • Objection (Article 21): Object to processing based on legitimate interests.
  • Withdraw Consent: Withdraw consent for analytics tracking at any time.

To exercise any of these rights, contact us at privacy@ghostops.app. We will respond within 30 days.

11. Your Rights Under CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to Delete: Request deletion of your personal information.
  • Right to Opt-Out: Opt out of the "sale" of personal information. We do not sell personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, contact us at privacy@ghostops.app.

12. Cookies and Tracking

We use the following categories of cookies and tracking technologies:

  • Essential cookies: Authentication session cookies required for the Service to function. These cannot be disabled.
  • Analytics cookies: PostHog analytics to understand how you use the Service. These are only set with your explicit consent via our cookie banner.

We do not use advertising cookies or cross-site tracking pixels.

13. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States, where our infrastructure providers operate. When we transfer data outside the EEA/UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) with our service providers.

14. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes acceptance.

16. Contact and Complaints

For questions about this Privacy Policy or to exercise your data rights:

If you are in the EEA/UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the United Kingdom).

Terms of ServicePrivacy PolicyHome