Privacy Policy

iAmAI — SEO Autopilot for Shopify
Effective date: May 8, 2026 · Last updated: June 2026

iAmAI ("we", "us", "our") provides an automated SEO and content optimization service for Shopify merchants. This Privacy Policy explains what information we collect from you and from your Shopify store, how we use that information, with whom we share it, and the rights you have over it. By installing the iAmAI app or using our service, you agree to the practices described below.

1. Information We Collect

1.1 Information from your Shopify store

When you install the iAmAI app, you grant us access to a limited set of data from your Shopify Admin API. The specific scopes we request are listed in the app installation screen — we do not request more access than is necessary to deliver the service. The data we read and process includes:

Shop information: shop domain, display name, contact email, shop ID, currency, timezone, primary locale, plan name.
Products: title, handle, description (HTML body), product type, vendor, tags, status, current SEO title/description, featured image alt text, image URLs.
Storefront content (publicly accessible): pages we crawl from your public storefront sitemap to understand site structure for internal-link suggestions.
Optional behavioral signals (Pulse Pixel): if you enable our optional storefront pixel, we collect anonymized page-view counts, click events, and conversion signals — no personal identifiers, no cookies set by us.
Search Console signals (optional): if you connect Google Search Console, we read query, click, impression and CTR data for your store's pages.

1.2 Information from your account interactions

Email address (from your Shopify shop record, used to provision your iAmAI account).
Account preferences (e.g., auto-apply mode, notification settings).
Approval / rejection actions you take in the iAmAI dashboard.

1.3 Automatic and technical information

Standard server logs (IP address, user-agent, request path, timestamp) retained for security and abuse-prevention purposes for up to 30 days.
Error telemetry (stack traces, request metadata) collected via Sentry — does not include personal data or shop content.

1.4 What we do not collect

We do not collect data about your customers (orders, addresses, payment information).
We do not request scopes that grant access to customer PII unless explicitly required by a feature you opt into.
We do not sell or rent any data to third parties, ever.

2. How We Use Your Information

Generate SEO suggestions: Product titles, descriptions, meta tags, image alt text, FAQ blocks, and internal-link suggestions are generated by our AI pipeline using your product data and public storefront content.
Apply approved changes to your store: When you (or our automation, if you've enabled auto-apply) approve a suggestion, we write the change back to your Shopify store via the Admin API.
Provide the dashboard and operate the service: Display performance metrics, surface pending suggestions, send service notifications.
Improve the service: Aggregate, anonymized usage statistics inform our roadmap. Individual store data is never used to train AI models — see Section 4.
Comply with legal obligations: Tax records, audit logs, abuse investigations.

3. Legal Basis for Processing (GDPR)

If you or your customers are located in the European Economic Area, the United Kingdom, or any jurisdiction with comparable data-protection laws, we rely on the following legal bases:

Contract: Processing necessary to deliver the iAmAI service you've contracted for.
Legitimate interests: Service security, fraud prevention, product analytics — balanced against your interests.
Consent: Optional features like the Pulse Pixel storefront pixel — you can disable at any time.
Legal obligation: Tax, accounting, response to lawful requests.

iAmAI complies with GDPR and equivalent data-protection regimes. You may exercise your rights at any time — see Section 6.

4. Sub-Processors and AI Providers

We use the following sub-processors to deliver the service. Each is contractually bound to confidentiality and data-protection obligations. We do not permit any sub-processor to use your data to train AI models (we use API endpoints with the "no training" data setting where the provider supports it):

Provider	Purpose	Data shared	Region
Vercel, Inc.	Application hosting and serverless functions	All app traffic (encrypted in transit)	USA / Global edge
Supabase, Inc.	PostgreSQL database, authentication, encrypted credential storage	Account data, encrypted Shopify access tokens, mutation history	EU (Frankfurt)
Cloudflare, Inc.	DNS, CDN, edge security	Request metadata; static asset proxying	Global edge
Google LLC (Gemini API)	AI generation of SEO suggestions	Product titles, descriptions, store context (no customer data)	USA / EU
Anthropic PBC (Claude API)	AI generation for AI-visibility audits	Brand and product names; no customer data	USA
OpenAI, L.L.C. (GPT-4o-mini)	AI generation for AI-visibility audits	Brand and product names; no customer data	USA
DataForSEO LLC	Search engine ranking and keyword data	Public store URLs; keyword strings	USA
Resend, Inc.	Transactional email (welcome, weekly reports, account notifications)	Recipient email, message content	USA
Sentry (Functional Software, Inc.)	Error monitoring	Stack traces, request metadata; no personal data, no shop content	USA / EU

If we add or change a sub-processor, we will update this list and notify active merchants by email at least 14 days before the change takes effect.

5. Data Retention

While your account is active: we retain your data as long as it is necessary to provide the service — typically the lifetime of your installation.
After you uninstall the app: we retain account data for up to 90 days, then permanently delete it. This window allows for billing reconciliation and accidental-uninstall recovery.
Upon a verified GDPR / Shopify shop/redact request: we permanently delete or anonymize your data within 30 days of receipt, unless retention is required by law (e.g., tax records).
Aggregated, anonymized statistics (with no link back to your store) may be retained indefinitely for product analytics.
Server logs: 30 days.
Encrypted Shopify access tokens: deleted immediately upon uninstall webhook receipt (we cannot call your store after uninstall).

6. Your Rights and Data Deletion

You and your customers have the following rights under GDPR (and equivalent regimes):

Right of access: request a copy of personal data we hold about you.
Right to rectification: correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): request deletion of your data.
Right to restrict processing.
Right to data portability: receive your data in a structured, machine-readable format.
Right to object to processing based on legitimate interests.
Right to lodge a complaint with a supervisory authority.

6.1 Shopify GDPR webhooks

iAmAI implements the three mandatory Shopify privacy webhooks for compliant data handling:

customers/data_request — when a customer of yours requests their personal data, Shopify sends us this webhook. iAmAI does not collect customer-level personal data, so our response confirms that no such data exists in our systems.
customers/redact — when a customer requests deletion, we redact / delete any data linked to that customer (in practice, none).
shop/redact — 48 hours after a shop uninstalls our app, Shopify sends this webhook and we permanently delete that shop's data within 30 days.

6.2 Direct requests

To exercise any of the above rights directly, email us at [email protected] with the subject "Privacy Request — [your shop domain]". We respond within 30 days.

7. International Data Transfers

iAmAI is operated from Israel. Some sub-processors are located in the United States or other jurisdictions. Where required, we rely on Standard Contractual Clauses or equivalent safeguards approved by the European Commission to protect data in transit and at rest across borders. Israel itself is recognized by the European Commission as providing an adequate level of data protection.

8. Security

All data in transit is encrypted via TLS 1.2 or higher.
Shopify access tokens are encrypted at rest using AES-256-GCM with a per-deployment key.
Database access is restricted to authenticated service-role keys; no public anonymous access.
Production secrets are stored in encrypted environment-variable vaults (Vercel + Supabase).
We monitor for anomalous activity via Sentry and Vercel logs.

No system is perfectly secure. In the event of a data breach affecting personal data, we will notify affected merchants without undue delay and, where required by law, the relevant supervisory authority within 72 hours.

9. Children's Privacy

iAmAI is a B2B service for merchants. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have collected such data inadvertently, please contact us immediately.

10. Cookies and Tracking

The iAmAI dashboard uses essential session cookies for authentication. We do not use third-party advertising or tracking cookies. The optional Pulse Pixel that you may install on your storefront uses anonymous identifiers (no cookies set by us; behavior analytics only).

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated to merchants by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact Us

For privacy questions, data requests, or any concerns, contact us:

Email: [email protected]
Mail: iAmAI, Israel (full postal address available on request)