Privacy Policy

GhostOps (“we”, “us”, “our”) is an AI operations platform for Shopify store owners. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the service. We handle your data transparently and in line with GDPR and CCPA principles.

Account information

• Email address (required for account creation)
• Hashed password (stored by Supabase Auth — never in plaintext)
• Subscription plan and billing status

Store data via Shopify OAuth

• Store name and domain
• Product catalog — titles, descriptions, images, pricing
• Customer support messages and ticket content
• Order context used for email campaign targeting

Connected platform data

• OAuth access tokens for Shopify, Instagram, Facebook, and X (encrypted at rest)
• Platform usernames and account identifiers

AI-generated content

• Support ticket classifications and draft responses
• Generated product descriptions, meta titles, and keyword tags
• Social media post drafts
• Email campaign subject lines, preview text, and body content

Usage data

• Pages visited and features used (via PostHog analytics, consent-gated)
• Agent activity logs — tickets triaged, posts generated, emails sent
• IP address and browser information for rate limiting and security

Payment data

Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or full payment details. We only store your Stripe customer ID and subscription ID for billing management.

• Provide the service — process your store data through AI models to generate support responses, product descriptions, social posts, and email campaigns.
• Personalization — apply your brand voice settings to every AI-generated output.
• Account management — authenticate you, manage your subscription, and enforce usage limits.
• Platform integrations — publish content to your connected Shopify store and social accounts on your behalf.
• Security — rate limiting, abuse prevention, and fraud detection.
• Product improvement — aggregated, anonymized usage analytics.
• Communication — transactional emails (account confirmation, password reset) and service-related notifications.

Under the GDPR, we process your data on the following legal bases:

• Contract performance (Art. 6(1)(b)) — processing necessary to provide the service you subscribed to.
• Consent (Art. 6(1)(a)) — for analytics tracking (via cookie consent) and marketing communications.
• Legitimate interest (Art. 6(1)(f)) — security measures, fraud prevention, and service improvement.
• Legal obligation (Art. 6(1)(c)) — compliance with tax, financial, and regulatory requirements.

Your store data (customer messages, product descriptions, order context) is sent to third-party AI providers over encrypted connections for content generation. Data is transmitted via API only and is not used to train, fine-tune, or improve third-party models.

All AI processing happens in response to your explicit actions inside the product. You can review, edit, or reject any AI output before it is published to Shopify or any connected platform.

We share your data only with the following categories of third parties, solely for the purposes described:

• Supabase — database hosting, authentication, row-level security.
• Vercel — application hosting and serverless function execution.
• Stripe — payment processing and subscription management.
• AI providers — text generation via API (no training on your data).
• Resend — transactional and campaign email delivery.
• PostHog — product analytics, with explicit user consent.
• Platform APIs — Shopify, Instagram, Facebook, and X, only for the data you authorize for publishing.

We do not sell your personal data to any third party.

• Account data — retained for the duration of your account, and deleted after you delete your account.
• AI-generated content — retained for the duration of your account, and deleted with account deletion.
• OAuth tokens — deleted when you disconnect a platform or delete your account.
• Billing records — retained only as required by applicable financial regulations.

• All data encrypted in transit using TLS 1.2+
• Database encrypted at rest (Supabase / PostgreSQL)
• OAuth tokens encrypted before storage using AES-256-GCM
• Row-level security (RLS) ensures users can only access their own data
• Passwords hashed using bcrypt via Supabase Auth
• Rate limiting on every API endpoint
• Content Security Policy headers to protect against XSS

If you are located in the EEA or United Kingdom, you have the following rights:

• Access (Art. 15) — request a copy of the personal data we hold about you.
• Rectification (Art. 16) — request correction of inaccurate or incomplete data.
• Erasure (Art. 17) — request deletion of your personal data.
• Restriction (Art. 18) — request restriction of processing in certain circumstances.
• Data portability (Art. 20) — request your data in a machine-readable format.
• Objection (Art. 21) — object to processing based on legitimate interests.
• Withdraw consent — withdraw consent for analytics tracking at any time.

To exercise any of these rights, reach out through your account settings inside GhostOps. We respond within 30 days.

If you are a California resident, the CCPA gives you:

• Right to know — request disclosure of categories and specific pieces of personal information collected.
• Right to delete — request deletion of your personal information.
• Right to opt out — opt out of the sale of personal information. We do not sell personal information.
• Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, reach out through your account settings inside GhostOps.

We use the following categories of cookies:

• Essential cookies — authentication session cookies required for the service to function. These cannot be disabled.
• Analytics cookies — PostHog analytics, set only with your explicit consent via our cookie banner.

We do not use advertising cookies or cross-site tracking pixels.

Your data may be processed in countries outside your country of residence, including the United States, where our infrastructure providers operate. When we transfer data outside the EEA/UK, we put appropriate safeguards in place, including Standard Contractual Clauses (SCCs) with our service providers.

The service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “last updated” date. Your continued use of the service after changes are posted constitutes acceptance.

For questions about this policy or to exercise your data rights, reach out through your account settings inside GhostOps.

If you are in the EEA/UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the United Kingdom).