Version 3.0
Effective: 7 June 2026
Last Updated: 8 May 2026
This service is exclusively available to business entities. Individual consumers cannot use this service.
This Privacy Policy explains how Automated Commerce B.V. ("Automated Commerce", "we", "us", or "our") collects, uses, and protects personal data in connection with our product management and optimization platform for Shopify stores (the "Service").
This Service is provided exclusively to business entities ("Customers"). It is not directed at or available to individual consumers. By creating an account, the person registering confirms that they are doing so on behalf of a business and have the authority to bind that business to this Privacy Policy and the accompanying Terms of Service.
In this Privacy Policy, "personal data" has the meaning given to it in Article 4(1) of Regulation (EU) 2016/679 (the "GDPR"). "Customer Content" means the product, inventory, order-metric, and channel-performance data that flows from a Customer's Shopify store and connected platforms into the Service. The vast majority of Customer Content is not personal data; we explain below where personal data does or may arise.
If anything in this Privacy Policy is unclear, please contact us — our details are at the end of this document.
Automated Commerce B.V. is a private limited company (besloten vennootschap met beperkte aansprakelijkheid) organised under the laws of the Netherlands.
Registered office: Herengracht 451, 1017 BS Amsterdam, the Netherlands.
Chamber of Commerce (KvK) number: 98684213.
VAT (BTW) number: NL004708975B53.
Privacy Contact: business@automatedcommerce.ai.
We are the controller of the personal data described in this Privacy Policy. We are not required under Article 37 GDPR to appoint a statutory Data Protection Officer; our Privacy Contact is responsible for handling privacy queries and rights requests.
Our supervisory authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority, autoriteitpersoonsgegevens.nl).
We have organised the data we collect by source. For each category, we set out below — in Section 4 — the purpose of processing, the legal basis, the recipients, and the retention period.
When an authorised representative of a Customer creates an account or interacts with our sales or support teams, we collect:
When a Customer connects its Shopify store, advertising platforms, or marketplace channels, we receive Customer Content:
Customer Content is, in the great majority of cases, not personal data within the meaning of the GDPR. Where personal data is incidentally embedded in Customer Content (for example, a designer's name in a product title), we process it solely to deliver the Service to the Customer.
Shopify scopes we request and what we do with them: Our Shopify application requests the OAuth scopes read_customers, read_orders, read_all_orders, and read_customer_events in addition to product, inventory, and configuration scopes. These customer/order scopes are used solely to: (i) normalise orders for the Customer's analytics (matching orders to new vs. returning customers, channel attribution, AOV reporting); and (ii) enable our import flow to map orders coming from connected sales channels back into the Customer's catalogue. We act as a Data Processor on the Customer's behalf for any shopper personal data accessed through these scopes; we do not use shopper personal data for any first-party purpose, and we do not retain shopper personal data beyond what is required to deliver the analytics and import features described.
When a visitor uses our website (automatedcommerce.ai), we collect cookie- and tracking-pixel-related data as set out in our Cookie Policy. Strictly necessary cookies are set without consent; analytics and marketing cookies require consent through our cookie banner.
We generate aggregated and de-identified data from Customer Content and Service usage data. Once aggregation is sufficient that the data cannot reasonably be re-associated with a specific Customer, store, or product, the data is no longer personal data and we use it for benchmarking, model improvement, and product development as described in Section 4.
We process personal data only where we have a lawful basis under Article 6 GDPR. The following table sets out, for each processing purpose, the categories of data involved, the lawful basis we rely on, the categories of recipients, and how long we retain the data.
| Purpose | Categories of data | Legal basis (Art. 6) | Recipients | Retention |
|---|---|---|---|---|
| Provide the Service: account creation and authentication | Account and contact data, authentication identifiers | Performance of contract — Art. 6(1)(b) | Hosting (Cloudflare; Neon on AWS Frankfurt; Vercel); identity infrastructure providers | Lifetime of account + 12 months |
| Provide the Service: product management, optimisation, channel sync | Customer Content, account data, service usage data | Performance of contract — Art. 6(1)(b) | Shopify; connected ad/marketplace platforms; AI providers (FAL AI, OpenRouter, others — see Section 5) | Lifetime of account + 90 days |
| Generate AI outputs (titles, descriptions, copy, images) | Product content (titles, descriptions, image URLs) | Performance of contract — Art. 6(1)(b) | FAL AI, OpenRouter, and other AI sub-processors | Outputs retained as long as Customer keeps them |
| Process subscription payments and issue invoices | Account and contact data, billing data | Performance of contract — Art. 6(1)(b); legal obligation — Art. 6(1)(c) (Dutch tax record-keeping) | Mollie; Moneybird; tax authorities on lawful request | 7 years (Dutch BW Art. 2:10 / Algemene wet inzake rijksbelastingen) |
| Provide support, handle complaints, communicate service updates | Account and contact data, communications data | Performance of contract — Art. 6(1)(b); legitimate interest — Art. 6(1)(f) | Helpdesk and email infrastructure providers | 3 years from last interaction |
| Maintain security and prevent abuse | Service usage data, log data, account data | Legitimate interest — Art. 6(1)(f) | Security infrastructure providers; CSIRT teams where required | 12 months for log data; longer for active investigations |
| Improve the Service and our AI models (in aggregated/de-identified form only) | Aggregated and de-identified data only | Legitimate interest — Art. 6(1)(f); not personal data once aggregated | Internal — not shared in personal-data form | Indefinite (data is not personal once aggregated) |
| Direct marketing of our own services to existing Customers | Account and contact data | Legitimate interest — Art. 6(1)(f); soft opt-in under Telecommunicatiewet Art. 11.7 | Email service provider; CRM provider | Until objection / opt-out + 12 months for suppression |
| Direct marketing to new prospects | Business contact data of prospects | Consent — Art. 6(1)(a) | Email service provider; CRM provider | Until withdrawal of consent + 12 months for suppression |
| Comply with legal obligations and respond to lawful requests | Whatever is in scope of the obligation/request | Legal obligation — Art. 6(1)(c) | Authorities; legal advisers | As required by law |
Where we rely on legitimate interest (Art. 6(1)(f) GDPR), we have conducted a balancing test and concluded that our interest does not override the rights and freedoms of the data subject. You have the right to object to that processing — see Section 9.
Certain features of the Service generate AI Outputs (such as suggested product titles, optimised descriptions, generated images). To deliver these features, we send specific data to third-party AI providers. We currently use the following providers:
Important — training on Customer Content. Some of these AI providers may, under their default terms, retain or use the data we send them — including Customer Content — for the improvement and training of their own models. We do not control the providers' default training settings, and we cannot warrant that any individual provider will not use Customer Content for training. Where a provider offers a no-training option, we use it where commercially reasonable to do so. Customers who wish to use the Service without their content being subject to provider training should contact our Privacy Contact to discuss the limited subset of features available without third-party AI.
We do not ourselves train any model on Customer Content. We do not use Customer Content as training data for any first-party model, and we do not retain Customer Content for that purpose.
AI Outputs are suggestions only. AI Outputs may contain inaccuracies, factual errors, or content that infringes third-party intellectual-property rights. The Customer is responsible for reviewing AI Outputs before publishing them. AI Outputs do not have legal effect and do not, in themselves, produce decisions about end customers.
Article 22 GDPR. The AI features in the Service produce suggestions and content for human review by the Customer. They do not make decisions that have legal effects, or similarly significant effects, on data subjects. Article 22 GDPR (right not to be subject to a decision based solely on automated processing) is therefore not engaged by these features. If we introduce a feature that does engage Article 22, we will update this Privacy Policy and provide the disclosures and rights required by that Article.
We share personal data only with:
We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.
We host production data primarily on Cloudflare (Workers, R2 object storage, queues), Neon (managed PostgreSQL on AWS, eu-central-1 Frankfurt), ClickHouse Cloud (analytics warehouse on AWS, eu-central-1 Frankfurt), and Vercel (frontend hosting). Persistent personal data is stored in EEA regions (Frankfurt). Cloudflare's edge network is globally distributed, so requests may pass through non-EEA regions while in transit; we have a Cloudflare Data Processing Addendum and Standard Contractual Clauses in place for this.
Limited transfers may also occur in the following situations:
We apply technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, or alteration, and against unauthorised disclosure or access. These measures include:
If we become aware of a personal data breach affecting a Customer's personal data, we will notify the Customer without undue delay and in any event within 72 hours of becoming aware, providing the information required by Article 33(3) GDPR. We will also notify the Autoriteit Persoonsgegevens where required by Article 33.
Where we process your personal data, you have the following rights under the GDPR:
To exercise any of these rights, please contact us at business@automatedcommerce.ai. We will respond within one month, with the option to extend by two further months for complex requests in line with Article 12(3) GDPR. We may need to verify your identity before responding to your request, and we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive (Art. 12(5)).
Our website uses cookies and similar technologies. We use strictly necessary cookies without consent (these are required for the website to function) and analytics, functional, and marketing cookies only with your consent collected through our cookie banner. Full details — categories, purposes, providers, and retention — are in our separate Cookie Policy.
The Service is provided exclusively to business entities and is not directed at, or available to, children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will delete that data promptly.
We may update this Privacy Policy from time to time. The latest version is always available at automatedcommerce.ai/policies/privacy-policy. Material changes will be communicated to Customers by email and through an in-Service notice at least 30 days before they take effect, except where a shorter period is necessary to comply with law.
Questions, requests, or complaints relating to this Privacy Policy can be addressed to:
Privacy Contact: business@automatedcommerce.ai
Postal: Automated Commerce B.V., Herengracht 451, 1017 BS Amsterdam, the Netherlands.
Supervisory authority — Autoriteit Persoonsgegevens — Postbus 93374, 2509 AJ Den Haag, the Netherlands. autoriteitpersoonsgegevens.nl. You have the right to lodge a complaint with the Autoriteit Persoonsgegevens at any time.
By creating an account, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy on behalf of your business entity.