Privacy Policy

How we collect, use, store, and protect your data — including data accessed on your behalf through Google APIs and ecommerce platform integrations.

Last updated 2026-05-18 · Effective 2026-05-18

This Privacy Policy describes how Gapwise Consulting Pty Ltd (ABN to be advised), trading as Get Store Intelligence (“we”, “us”, or “our”), collects, uses, discloses, stores, and protects personal information and customer data in connection with the Store Intelligence platform (the “Service”) available at getstoreintelligence.com and related applications.

We are an Australian company governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles. We also handle data covered by the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable US state privacy laws where customers are subject to those regimes.

1. Who this policy applies to

This policy applies to:

  • Customers — businesses and individuals who hold an account on the Service or whose stores we are engaged to manage.
  • End users of customer stores — visitors and shoppers on stores we operate for our customers, whose data may be incidentally processed (e.g., aggregated analytics).
  • Website visitors — visitors to getstoreintelligence.com and our public marketing surfaces.

It does not cover third-party services we integrate with (Google, Shopify, Neto, OpenAI, Anthropic, Microsoft Azure, and others). Each of those services has its own privacy policy and your data is also subject to those policies when it sits with them.

2. Information we collect

2.1 Account and identity data

  • Name, email address, phone number, and business name when you create an account.
  • Authentication identifiers (hashed passwords, OAuth tokens, session identifiers).
  • Role and permission level within a customer organisation.
  • Billing details (handled by our payment processor — we do not store full card numbers).

2.2 Customer store data

When you connect a Shopify or Neto store, we ingest and store a working copy of:

  • Product catalog data (titles, descriptions, images, attributes, categories, pricing, inventory).
  • Content data (pages, blog posts, collection descriptions, metadata).
  • Order data (line items, fulfilment status, totals — for trend analysis; we do not store full customer payment instruments or personally identifying buyer details beyond what is required to compute aggregate metrics).
  • Configuration data (taxonomies, shipping rules, store settings relevant to content governance).

2.3 Google user data

When you authorise the Service to access Google APIs on your behalf, we access and store:

  • Google Search Console: property metadata, search performance data (queries, clicks, impressions, CTR, position), index coverage data, and sitemap status for properties you grant access to. Scope: https://www.googleapis.com/auth/webmasters.readonly.
  • Google Analytics: property metadata, aggregated session, user, conversion, and ecommerce event data for properties you grant access to. Scope: https://www.googleapis.com/auth/analytics.readonly.
  • OAuth refresh tokens — encrypted at rest, used solely to renew API access on your behalf.

We do not access your Gmail, Drive, Calendar, Contacts, or any other Google service beyond what is explicitly listed above. We do not modify any Google data — Search Console and Analytics access is strictly read-only.

2.4 Operational and audit data

  • AI task execution logs (which task ran, against which entity, with which prompt and which model, and what was produced).
  • Governance proposals (AI-generated drafts awaiting human approval) and their approval/rejection decisions.
  • Publish ledger entries recording every change applied to a connected store.
  • Cost ledger entries (per-task AI spend in dollars).

2.5 Usage and technical data

  • Server-side request logs (IP address, user agent, endpoint, response code, timestamps) retained for security and operational monitoring.
  • Error and performance telemetry from the application.

We do not deploy third-party advertising trackers, fingerprinting scripts, or behavioural analytics pixels on the public website. Logged-in product usage is captured server-side for product improvement and incident diagnosis.

3. How we use your information

We use the data we collect to:

  • Provide, operate, and improve the Service — running AI audits, research, drafting, and validation tasks against your store data.
  • Authenticate users and enforce access controls.
  • Generate proposals for your review through the governance pipeline. No AI-generated change is applied to your live store without explicit human approval recorded in our system.
  • Detect drift between approved content and live store state, and surface reconciliation actions.
  • Bill you for usage (where applicable) and provide invoices.
  • Diagnose errors and respond to support requests.
  • Send transactional and operational emails (account verification, security alerts, billing notices, scheduled reports you have subscribed to).
  • Comply with legal obligations and respond to lawful requests.

We do not use customer store data, Google user data, or operational data to train or fine-tune general-purpose AI models, our own or any third party’s. Sample data may be used in aggregated, fully de-identified form for internal product analytics and capacity planning.

4. Google API Services — Limited Use disclosure

Get Store Intelligence’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only use Google user data to provide or improve user-facing features that are prominent in the requesting application’s user experience. Google Search Console and Google Analytics data is surfaced inside the Store Intelligence platform to power keyword opportunity analysis, content performance dashboards, audit prioritisation, and traffic-aware proposal ranking.
  • We do not transfer Google user data to third parties except (a) as necessary to provide or improve user-facing features, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets with notice to affected users.
  • We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
  • We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for our internal operations, and even then only when the data have been aggregated and anonymised.
  • We do not use Google user data to develop, improve, or train generalised or non-personalised AI and/or machine learning models. AI tasks operate strictly within your tenant scope.

Where GDPR or UK GDPR applies, we rely on the following legal bases:

  • Performance of a contract — to deliver the Service you have signed up for.
  • Legitimate interests — operating, securing, and improving the Service; preventing fraud and abuse.
  • Consent — for any processing that requires it, including OAuth-authorised access to your Google account data.
  • Legal obligation — to meet tax, accounting, and other statutory requirements.

You may withdraw consent (including revoking OAuth access) at any time without affecting prior lawful processing. See section 9.

6. How we share data

We do not sell personal information. We share data only with:

  • Sub-processors we use to operate the Service:
    • Microsoft Azure — hosting, databases, blob storage, queues (data residency: Australia East primarily).
    • Vercel — public marketing website hosting.
    • Anthropic PBC — large language model inference for interactive AI features. Anthropic does not retain inputs or outputs for training under our commercial terms.
    • OpenAI, LLC — large language model and image generation inference for batch AI tasks. OpenAI does not retain inputs or outputs for training under our API terms.
    • Google LLC — for Search Console and Analytics data we read on your behalf (the data already sits with Google; this is access, not transfer).
    • Stripe / payment processor — for billing.
    • SendGrid / transactional email provider — for service emails.
  • Legal and regulatory authorities — where required by valid legal process.
  • Successors in interest — if we are acquired, merged, or our assets transferred, with notice to you and the same protections under this policy.

Each sub-processor is bound by contract to use data only to deliver services to us, to maintain confidentiality, and to apply appropriate security controls.

7. Where and how we store data

Primary data storage is in Microsoft Azure Australia East. Tenant-scoped data (your store data) is held in tenant-specific PostgreSQL databases that are logically isolated and access-isolated from other tenants. System data shared across tenants is held in a separate database with the same access controls.

Backups are encrypted and retained on a rolling 30-day window for disaster recovery purposes. Blob storage (images, generated artifacts) is encrypted at rest using Azure-managed keys. Connections between components are encrypted in transit using TLS 1.2 or higher.

OAuth tokens and integration credentials are encrypted at the column level before being written to disk.

Some processing necessarily occurs in other regions — large language model inference (Anthropic, OpenAI) may be processed in the United States. We rely on Standard Contractual Clauses or equivalent transfer mechanisms where required.

8. Data retention

  • Customer store data — retained for the lifetime of your account and for 90 days after termination unless you request earlier deletion.
  • Google user data (Search Console, Analytics) — cached aggregates are retained for the lifetime of your account; raw API responses are retained only as long as needed to produce the cached aggregates and are deleted on a rolling basis (typically within 30 days).
  • OAuth tokens — retained while the integration is active; revoked and deleted within 7 days of disconnection.
  • Operational logs — retained for 12 months for security and incident response.
  • Billing records — retained for 7 years to meet Australian tax law requirements.
  • Audit/governance ledger entries — retained for the lifetime of your account; these are immutable by design and form the record of what was changed and by whom.

9. Your rights

You have the following rights with respect to your personal information:

  • Access — request a copy of the data we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data.
  • Deletion — ask us to delete your personal data (subject to limited exceptions for legal record-keeping).
  • Portability — request your data in a machine-readable format.
  • Restriction or objection — ask us to limit how we use your data.
  • Withdrawal of consent — including revoking Google OAuth access at any time via your Google Account permissions page or from within the Store Intelligence app under Settings → Integrations. Revoking access immediately stops further Google API reads and we delete the associated tokens.
  • Complaint — lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) or your local data protection authority.

To exercise any of these rights, contact us at info@gapwise.consulting. We will respond within 30 days.

10. Security

We apply the security controls expected of a SaaS operator handling commercial ecommerce data:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 via Azure-managed keys).
  • Logical tenant isolation in the database layer.
  • Role-based access control for the platform; least privilege for staff access.
  • Hardware-key multi-factor authentication for administrative access.
  • Audit logging of administrative actions.
  • Regular dependency and infrastructure security review.
  • An incident response process with a commitment to notify affected customers without undue delay (and in any case within 72 hours where required by law).

No system is perfectly secure. If you believe you have found a security issue, please report it to info@gapwise.consulting and we will work with you on responsible disclosure.

11. Children

The Service is intended for use by businesses and is not directed at children under 18. We do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it.

12. Cookies and similar technologies

The public website (getstoreintelligence.com) sets only strictly necessary cookies (e.g., for form anti-abuse protection). It does not deploy advertising or analytics cookies.

The authenticated product application (app.getstoreintelligence.com) uses session cookies for authentication and a small set of preference cookies for UI state. All product cookies are first-party.

13. Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top. For material changes that affect how we handle personal information, we will notify affected users by email at least 14 days before the change takes effect.

14. Contact us

If you have questions about this policy or how we handle your data, contact us:

  • Email: info@gapwise.consulting
  • Entity: Gapwise Consulting Pty Ltd, trading as Get Store Intelligence
  • Registered in: Western Australia, Australia

See also: Terms of Service.