Automated Commerce

Privacy Policy

Version 3.0
Effective: 7 June 2026
Last Updated: 8 May 2026
This service is exclusively available to business entities. Individual consumers cannot use this service.

1. Introduction

This Privacy Policy explains how Automated Commerce B.V. ("Automated Commerce", "we", "us", or "our") collects, uses, and protects personal data in connection with our product management and optimization platform for Shopify stores (the "Service").

This Service is provided exclusively to business entities ("Customers"). It is not directed at or available to individual consumers. By creating an account, the person registering confirms that they are doing so on behalf of a business and have the authority to bind that business to this Privacy Policy and the accompanying Terms of Service.

In this Privacy Policy, "personal data" has the meaning given to it in Article 4(1) of Regulation (EU) 2016/679 (the "GDPR"). "Customer Content" means the product, inventory, order-metric, and channel-performance data that flows from a Customer's Shopify store and connected platforms into the Service. The vast majority of Customer Content is not personal data; we explain below where personal data does or may arise.

If anything in this Privacy Policy is unclear, please contact us — our details are at the end of this document.

2. Who we are

Automated Commerce B.V. is a private limited company (besloten vennootschap met beperkte aansprakelijkheid) organised under the laws of the Netherlands.

Registered office: Herengracht 451, 1017 BS Amsterdam, the Netherlands.

Chamber of Commerce (KvK) number: 98684213.

VAT (BTW) number: NL004708975B53.

Privacy Contact: business@automatedcommerce.ai.

We are the controller of the personal data described in this Privacy Policy. We are not required under Article 37 GDPR to appoint a statutory Data Protection Officer; our Privacy Contact is responsible for handling privacy queries and rights requests.

Our supervisory authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority, autoriteitpersoonsgegevens.nl).

3. The data we collect

We have organised the data we collect by source. For each category, we set out below — in Section 4 — the purpose of processing, the legal basis, the recipients, and the retention period.

3.1 Account and contact data

When an authorised representative of a Customer creates an account or interacts with our sales or support teams, we collect:

  • Name, business email address, business telephone number (where provided).
  • Job title, department (where provided).
  • Company name, registered address, Chamber of Commerce (KvK) or equivalent registration number, VAT number.
  • Authentication identifiers (hashed passwords, OAuth tokens, multi-factor secrets).
  • Authorisation and role data (which features the user can access).

3.2 Billing data

  • Subscription plan, billing cycle, invoice records, payment status.
  • Limited payment metadata returned by Mollie (transaction reference, last four digits of card, payment method type). We do not store full card numbers, CVV codes, or bank account credentials.

3.3 Customer Content

When a Customer connects its Shopify store, advertising platforms, or marketplace channels, we receive Customer Content:

  • Product catalogue: titles, descriptions, images, prices, SKUs, product categories, collections, tags, metafields.
  • Inventory data: stock levels, location-level inventory, low-stock indicators.
  • Order metrics: aggregated counts, average order value (AOV), revenue and refund totals, attribution to channels and campaigns.
  • Channel performance data: campaign-, ad-set-, and ad-level metrics from connected advertising and marketplace platforms (Google Ads, Meta, Pinterest, and similar).
  • Store configuration: store name, primary domain, currency, timezone.

Customer Content is, in the great majority of cases, not personal data within the meaning of the GDPR. Where personal data is incidentally embedded in Customer Content (for example, a designer's name in a product title), we process it solely to deliver the Service to the Customer.

Shopify scopes we request and what we do with them: Our Shopify application requests the OAuth scopes read_customers, read_orders, read_all_orders, and read_customer_events in addition to product, inventory, and configuration scopes. These customer/order scopes are used solely to: (i) normalise orders for the Customer's analytics (matching orders to new vs. returning customers, channel attribution, AOV reporting); and (ii) enable our import flow to map orders coming from connected sales channels back into the Customer's catalogue. We act as a Data Processor on the Customer's behalf for any shopper personal data accessed through these scopes; we do not use shopper personal data for any first-party purpose, and we do not retain shopper personal data beyond what is required to deliver the analytics and import features described.

3.4 Communications and support data

  • Support tickets, chat transcripts, email correspondence with our support and customer-success teams.
  • Feedback, survey responses, NPS responses.
  • Recordings of customer-success or onboarding calls (only with prior consent).

3.5 Service usage data

  • Log data — IP address, browser and device characteristics, pages visited within the Service, feature interactions, errors and stack traces.
  • Performance metrics — response times, success/failure rates, API usage.
  • Security-relevant signals — login attempts, suspicious activity flags, audit-trail entries.

3.6 Website and cookie data

When a visitor uses our website (automatedcommerce.ai), we collect cookie- and tracking-pixel-related data as set out in our Cookie Policy. Strictly necessary cookies are set without consent; analytics and marketing cookies require consent through our cookie banner.

3.7 Aggregated and de-identified data

We generate aggregated and de-identified data from Customer Content and Service usage data. Once aggregation is sufficient that the data cannot reasonably be re-associated with a specific Customer, store, or product, the data is no longer personal data and we use it for benchmarking, model improvement, and product development as described in Section 4.

4. Purposes of processing, legal bases, recipients, and retention

We process personal data only where we have a lawful basis under Article 6 GDPR. The following table sets out, for each processing purpose, the categories of data involved, the lawful basis we rely on, the categories of recipients, and how long we retain the data.

| Purpose | Categories of data | Legal basis (Art. 6) | Recipients | Retention |
|---|---|---|---|---|
| Provide the Service: account creation and authentication | Account and contact data, authentication identifiers | Performance of contract — Art. 6(1)(b) | Hosting (Cloudflare; Neon on AWS Frankfurt; Vercel); identity infrastructure providers | Lifetime of account + 12 months |
| Provide the Service: product management, optimisation, channel sync | Customer Content, account data, service usage data | Performance of contract — Art. 6(1)(b) | Shopify; connected ad/marketplace platforms; AI providers (FAL AI, OpenRouter, others — see Section 5) | Lifetime of account + 90 days |
| Generate AI outputs (titles, descriptions, copy, images) | Product content (titles, descriptions, image URLs) | Performance of contract — Art. 6(1)(b) | FAL AI, OpenRouter, and other AI sub-processors | Outputs retained as long as Customer keeps them |
| Process subscription payments and issue invoices | Account and contact data, billing data | Performance of contract — Art. 6(1)(b); legal obligation — Art. 6(1)(c) (Dutch tax record-keeping) | Mollie; Moneybird; tax authorities on lawful request | 7 years (Dutch BW Art. 2:10 / Algemene wet inzake rijksbelastingen) |
| Provide support, handle complaints, communicate service updates | Account and contact data, communications data | Performance of contract — Art. 6(1)(b); legitimate interest — Art. 6(1)(f) | Helpdesk and email infrastructure providers | 3 years from last interaction |
| Maintain security and prevent abuse | Service usage data, log data, account data | Legitimate interest — Art. 6(1)(f) | Security infrastructure providers; CSIRT teams where required | 12 months for log data; longer for active investigations |
| Improve the Service and our AI models (in aggregated/de-identified form only) | Aggregated and de-identified data only | Legitimate interest — Art. 6(1)(f); not personal data once aggregated | Internal — not shared in personal-data form | Indefinite (data is not personal once aggregated) |
| Direct marketing of our own services to existing Customers | Account and contact data | Legitimate interest — Art. 6(1)(f); soft opt-in under Telecommunicatiewet Art. 11.7 | Email service provider; CRM provider | Until objection / opt-out + 12 months for suppression |
| Direct marketing to new prospects | Business contact data of prospects | Consent — Art. 6(1)(a) | Email service provider; CRM provider | Until withdrawal of consent + 12 months for suppression |
| Comply with legal obligations and respond to lawful requests | Whatever is in scope of the obligation/request | Legal obligation — Art. 6(1)(c) | Authorities; legal advisers | As required by law |

Where we rely on legitimate interest (Art. 6(1)(f) GDPR), we have conducted a balancing test and concluded that our interest does not override the rights and freedoms of the data subject. You have the right to object to that processing — see Section 9.

5. AI providers and automated processing

Certain features of the Service generate AI Outputs (such as suggested product titles, optimised descriptions, generated images). To deliver these features, we send specific data to third-party AI providers. We currently use the following providers:

  • FAL AI — image-related AI generation. Data sent: image URLs and prompts derived from product data.
  • OpenRouter — text-generation routing service that fronts a number of underlying language models. Data sent: product titles, descriptions, and prompt context.
  • Other public AI APIs from time to time, listed on our Sub-processor page.

Important — training on Customer Content. Some of these AI providers may, under their default terms, retain or use the data we send them — including Customer Content — for the improvement and training of their own models. We do not control the providers' default training settings, and we cannot warrant that any individual provider will not use Customer Content for training. Where a provider offers a no-training option, we use it where commercially reasonable to do so. Customers who wish to use the Service without their content being subject to provider training should contact our Privacy Contact to discuss the limited subset of features available without third-party AI.

We do not ourselves train any model on Customer Content. We do not use Customer Content as training data for any first-party model, and we do not retain Customer Content for that purpose.

AI Outputs are suggestions only. AI Outputs may contain inaccuracies, factual errors, or content that infringes third-party intellectual-property rights. The Customer is responsible for reviewing AI Outputs before publishing them. AI Outputs do not have legal effect and do not, in themselves, produce decisions about end customers.

Article 22 GDPR. The AI features in the Service produce suggestions and content for human review by the Customer. They do not make decisions that have legal effects, or similarly significant effects, on data subjects. Article 22 GDPR (right not to be subject to a decision based solely on automated processing) is therefore not engaged by these features. If we introduce a feature that does engage Article 22, we will update this Privacy Policy and provide the disclosures and rights required by that Article.

6. Recipients and sub-processors

We share personal data only with:

  • Sub-processors — third parties acting on our instructions to deliver the Service. A current list of our sub-processors, including the country in which each operates and the data they receive, is published at automatedcommerce.ai/policies/subprocessors. We notify Customers of new sub-processors with at least 30 days' advance notice.
  • Service connectors — Shopify, Google, Meta, Pinterest and similar platforms — where the Customer chooses to connect those platforms. Personal data sharing with these platforms occurs only to the extent strictly required for the integration; the platforms remain controllers of any data they collect on their own account.
  • Professional advisers — lawyers, accountants, auditors — bound by confidentiality.
  • Authorities — where we are legally required to disclose, or where we reasonably believe disclosure is necessary to prevent harm.
  • Successors — in the event of a sale, merger, restructuring, or insolvency, personal data may be transferred to a successor or potential successor under appropriate confidentiality protections.

We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.

7. International transfers

We host production data primarily on Cloudflare (Workers, R2 object storage, queues), Neon (managed PostgreSQL on AWS, eu-central-1 Frankfurt), ClickHouse Cloud (analytics warehouse on AWS, eu-central-1 Frankfurt), and Vercel (frontend hosting). Persistent personal data is stored in EEA regions (Frankfurt). Cloudflare's edge network is globally distributed, so requests may pass through non-EEA regions in transit; we have a Cloudflare Data Processing Addendum and Standard Contractual Clauses in place for this.

Limited transfers may also occur in the following situations:

  • Some of our AI sub-processors operate from outside the EEA. Where a transfer is required to deliver the AI feature in question, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by appropriate technical and organisational safeguards. We have completed a Transfer Impact Assessment for each such provider; the results are available on request.
  • Where a Customer chooses to use the Service to connect with platforms hosted outside the EEA (for example, advertising platforms with US infrastructure), the Customer's act of connection authorises the resulting transfer. We act as the technical pipe in those flows.

8. Security

We apply technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access. These measures include:

  • Encryption at rest using AES-256-GCM for stored credentials and sensitive data.
  • Encryption in transit using TLS 1.3 for all external data transmission.
  • OAuth 2.0 for authentication into Shopify and the connected advertising platforms.
  • Role-based access controls; least-privilege provisioning; multi-factor authentication for production access.
  • Audit logging of access to production systems and Customer Content.
  • Annual security review; vulnerability scanning and penetration testing on a defined cadence.
  • Hosting on Cloudflare, AWS-backed managed services (Neon, ClickHouse), and Vercel — all underlying infrastructure providers maintain ISO/IEC 27001 and SOC 2 certifications.

If we become aware of a personal data breach affecting a Customer's personal data, we will notify the Customer without undue delay and in any event within 72 hours of becoming aware, providing the information required by Article 33(3) GDPR. We will also notify the Autoriteit Persoonsgegevens where required by Article 33.

9. Your rights

Where we process your personal data, you have the following rights under the GDPR:

  • Right of access (Art. 15) — to obtain confirmation of whether we process your personal data and to receive a copy of that data.
  • Right to rectification (Art. 16) — to correct inaccurate or complete incomplete personal data.
  • Right to erasure (Art. 17) — to request deletion of your personal data, subject to lawful retention obligations.
  • Right to restriction of processing (Art. 18) — to require us to restrict processing in defined circumstances.
  • Right to data portability (Art. 20) — to receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — to object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent (Art. 7(3)) — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) or another supervisory authority where you reside or work.

To exercise any of these rights, please contact us at business@automatedcommerce.ai. We will respond within one month, with the option to extend by two further months for complex requests in line with Article 12(3) GDPR. We may need to verify your identity before responding to your request, and we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive (Art. 12(5)).

10. Cookies and tracking technologies

Our website uses cookies and similar technologies. We use strictly necessary cookies without consent (these are required for the website to function) and analytics, functional, and marketing cookies only with your consent collected through our cookie banner. Full details — categories, purposes, providers, and retention — are in our separate Cookie Policy.

11. Children

The Service is provided exclusively to business entities and is not directed at, or available to, children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will delete that data promptly.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version is always available at automatedcommerce.ai/policies/privacy-policy. Material changes will be communicated to Customers by email and through an in-Service notice at least 30 days before they take effect, except where a shorter period is necessary to comply with law.

13. Contact

Questions, requests, or complaints relating to this Privacy Policy can be addressed to:

Privacy Contact: business@automatedcommerce.ai

Postal: Automated Commerce B.V., Herengracht 451, 1017 BS Amsterdam, the Netherlands.

Supervisory authority — Autoriteit Persoonsgegevens — Postbus 93374, 2509 AJ Den Haag, the Netherlands. autoriteitpersoonsgegevens.nl. You have the right to lodge a complaint with the Autoriteit Persoonsgegevens at any time.

By creating an account, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy on behalf of your business entity.
