Privacy Policy

1. Introduction and Scope

This Privacy Policy describes how LunitonAI ("we," "us," "our," or "Company") collects, uses, discloses, and protects personal information when you use our software-as-a-service platform and Shopify application (collectively, the "Service"). This Policy applies to all users of our Service, including merchants who install our Shopify application and their authorized users.

By installing our Shopify application, accessing our web-based platform, or using any part of our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Policy, you must immediately discontinue use of our Service.

This Privacy Policy should be read in conjunction with our Terms of Service, which govern your use of our Service.

2. Information We Collect

2.1 Information Collected Automatically via Shopify Integration

When you install our Shopify application and authorize the requested permissions, we automatically collect:

Shop Information:

• Shop domain (e.g., yourstore.myshopify.com)
• Shop owner name and email address
• Business name and address
• Shop timezone and currency settings
• Shop installation timestamp
• Shopify plan type

Product and Inventory Data (if applicable to our Service):

• Product names, descriptions, and SKUs
• Product pricing and inventory levels
• Product images and variants
• Collection and category information

Order Data (if applicable to our Service):

• Order numbers and timestamps
• Customer information associated with orders
• Line item details
• Fulfillment and shipping information
• Payment status (but never payment card details)

Customer Data (if you grant customer read permissions):

• Customer names and email addresses
• Customer phone numbers
• Shipping and billing addresses
• Purchase history
• Customer tags and notes

2.2 Information You Provide Directly

Account Information:

• Name and email address for account creation
• Company or business name
• Phone number (optional)
• Communication preferences
• Profile information and preferences

Payment Information:

• Billing name and address
• Payment method information (processed and stored by Stripe, not by us)
• Transaction history
• Subscription plan selections

Support and Communication Data:

• Support ticket contents and correspondence
• Feedback, survey responses, and feature requests
• Communication preferences
• Chat transcripts or phone call recordings (with notice)

2.3 Technical and Usage Information

Device and Browser Information:

• IP address
• Browser type and version
• Operating system
• Device identifiers
• Screen resolution and device type

Usage Analytics:

• Pages visited and features used
• Time spent on features
• Click patterns and navigation paths
• Feature adoption and usage frequency
• Error logs and diagnostic information
• Performance metrics

Cookies and Similar Technologies:

• Session cookies for authentication
• Functional cookies for user preferences
• Analytics cookies (with consent where required)
• Security cookies for fraud prevention

We use both first-party and third-party cookies. For detailed information about our cookie usage, please see Section 10.

2.4 Information from Third-Party Sources

Shopify Platform:

• Information received through Shopify webhooks
• Session tokens and authentication data
• App installation and uninstallation events

Payment Processor (Stripe):

• Payment confirmation and subscription status
• Billing event notifications
• Payment method updates

Analytics Providers:

• Aggregated usage statistics
• Performance monitoring data
• Error tracking information

3. How We Use Your Information

We use the collected information for the following legitimate business purposes:

3.1 Service Delivery and Core Functionality

• Providing, operating, and maintaining our Service
• Processing your transactions and managing subscriptions
• Authenticating users and managing sessions
• Syncing data between your Shopify store and our platform
• Executing features you request and operations you initiate
• Displaying relevant data in both embedded and web-based interfaces
• Managing your account and user preferences

3.2 Service Improvement and Development

• Analyzing usage patterns to improve user experience
• Identifying and fixing bugs and technical issues
• Developing new features and functionality
• Conducting research and data analysis
• A/B testing new features and interfaces
• Optimizing application performance

3.3 Communication and Support

• Responding to your support requests and inquiries
• Sending service-related notifications and updates
• Providing technical assistance and troubleshooting
• Notifying you of changes to our Service or policies
• Requesting feedback on your experience
• Conducting user research and surveys (with your consent)

3.4 Marketing and Promotional Activities

With your explicit consent where required by law:

• Sending promotional emails about new features
• Sharing product updates and best practices
• Offering special promotions and discounts
• Providing educational content and resources
• Inviting you to webinars and events

You may opt out of marketing communications at any time using the unsubscribe link in our emails or by contacting us directly.

3.5 Security and Fraud Prevention

• Detecting and preventing fraud, abuse, and security incidents
• Monitoring for unauthorized access or suspicious activity
• Protecting against malicious, deceptive, or illegal activity
• Enforcing our Terms of Service and other policies
• Investigating and resolving disputes
• Complying with legal obligations and law enforcement requests

3.6 Legal and Compliance

• Fulfilling our legal obligations under applicable laws
• Responding to legal process (subpoenas, court orders, etc.)
• Protecting our legal rights and interests
• Defending against legal claims
• Complying with industry regulations and standards

3.7 Business Operations

• Processing payments and managing billing
• Maintaining business records and accounting
• Conducting internal audits and quality assurance
• Managing vendor and partner relationships
• Facilitating business transfers or acquisitions

4. Legal Basis for Processing (GDPR Compliance)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

• Contractual Necessity: Processing necessary to perform our contract with you (Service delivery, account management, payment processing).
• Legitimate Interests: Processing necessary for our legitimate business interests, including service improvement, fraud prevention, security, and internal operations, provided these interests are not overridden by your rights.
• Legal Obligation: Processing necessary to comply with applicable laws, regulations, legal processes, or governmental requests.
• Consent: Processing based on your explicit consent, which you may withdraw at any time (marketing communications, optional features, certain cookies).

5. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share information only as described below:

5.1 Service Providers and Subprocessors

We engage trusted third-party service providers who process data on our behalf under strict confidentiality obligations:

Infrastructure and Hosting:

• Cloudflare (Website hosting and domain protection)
• Microsoft Azure (SaaS infrastructure)

Payment Processing:

• Stripe (payment processing and subscription management)
• We never store your full payment card details

Analytics and Monitoring:

• Google Analytics (anonymized where possible)
• Application performance monitoring tools
• Error tracking and diagnostic services

Communication Services:

• Email service providers (for transactional and marketing emails)
• Customer support platforms
• SMS providers (if applicable)

Security Services:

• Authentication and identity verification
• Fraud detection and prevention
• Security monitoring and threat detection

All service providers are contractually obligated to:

• Process data only as instructed by us
• Implement appropriate security measures
• Not use data for their own purposes
• Comply with applicable data protection laws

5.2 Shopify Platform

As a Shopify application, we share certain information with Shopify:

• App usage metrics and analytics
• App installation and authentication events
• Technical performance data
• Compliance with Shopify's App Store requirements

Shopify's use of this information is governed by their own Privacy Policy.

5.3 Legal Requirements and Protection of Rights

We may disclose your information when required by law or when we believe disclosure is necessary to:

• Comply with legal obligations, court orders, or government requests
• Enforce our Terms of Service or other agreements
• Protect our rights, property, or safety
• Protect the rights, property, or safety of our users or the public
• Detect, prevent, or investigate fraud, security breaches, or illegal activity
• Defend against legal claims or investigations

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will notify you via email and/or prominent notice on our Service before your information is transferred and becomes subject to a different privacy policy.

5.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you:

• Industry benchmarks and statistics
• Usage trends and insights
• Research and analysis
• Marketing materials and case studies

5.6 With Your Consent

We may share your information with third parties when you provide explicit consent, such as:

• Integration with third-party applications you authorize
• Sharing data with your designated team members
• Participating in co-marketing initiatives
• Third-party services you choose to connect

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

6.1 Retention Periods

Active Account Data:

• Retained for the duration of your active subscription
• Plus reasonable period for archival and backup purposes

Transaction and Billing Records:

• Retained for minimum 7 years for accounting and tax compliance
• Payment processor (Stripe) has separate retention policies

Support and Communication Records:

• Retained for 3 years after last interaction for quality assurance

Technical Logs and Analytics:

• Retained for 12-24 months for operational purposes
• Aggregated analytics may be retained indefinitely

Marketing Data:

• Retained until you unsubscribe or request deletion
• Suppression lists maintained indefinitely to honor opt-out requests

6.2 Data Deletion Upon Account Closure

When you uninstall our Shopify application or terminate your subscription:

• We immediately cease accessing your Shopify store data
• Your account data is marked for deletion within 30 days
• Backups containing your data are deleted within 90 days
• We retain only information required for legal or compliance purposes

You may request immediate deletion of your data by contacting us at lunitonai@gmail.com.

6.3 Shopify Data Retention Requirements

In compliance with Shopify's requirements, we:

• Delete or anonymize customer data within 48 hours of receiving a customer data request webhook
• Delete all shop data within 48 hours of app uninstallation or receiving a shop redaction webhook
• Maintain audit logs of GDPR webhook processing for compliance verification

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

7.1 Access and Portability

Right to Access: You may request a copy of the personal information we hold about you.

Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format for transfer to another service.

To exercise these rights, contact us at lunitonai@gmail.com. We will respond within 30 days (or as required by applicable law).

7.2 Correction and Updating

Right to Rectification: You may correct inaccurate or incomplete information.

You can update most information directly through:

• Your account settings in our web-based platform
• Your Shopify admin panel (for shop information)
• Contacting our support team for assistance

7.3 Deletion and Erasure

Right to Deletion/Erasure: You may request deletion of your personal information, subject to certain exceptions.

We will honor deletion requests except where we must retain information to:

• Complete transactions or provide requested services
• Comply with legal obligations
• Detect and prevent fraud or security incidents
• Exercise or defend legal claims

To request deletion:

1. Uninstall our application from your Shopify store
2. Email lunitonai@gmail.com with your deletion request
3. We will confirm deletion within 48 hours and complete within 30 days

7.4 Restriction and Objection

Right to Restrict Processing: You may request limitation of how we process your data in certain circumstances.

Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes.

You can object to marketing communications by:

• Using the unsubscribe link in our emails
• Updating preferences in your account settings
• Contacting us at lunitonai@gmail.com

7.5 Withdraw Consent

Where we process data based on consent, you may withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.

7.6 Lodging Complaints

You have the right to lodge a complaint with a supervisory authority:

• For EEA/UK Users: Contact your local data protection authority
• For California Users: Contact the California Attorney General
• For Canadian Users: Contact the Office of the Privacy Commissioner of Canada

We encourage you to contact us first at lunitonai@gmail.com so we can address your concerns directly.

7.7 Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you without human intervention.

8. Data Security

We implement comprehensive technical, administrative, and physical security measures to protect your information against unauthorized access, alteration, disclosure, or destruction.

8.1 Technical Safeguards

Encryption:

• Data in transit encrypted using TLS 1.3 or higher
• Data at rest encrypted using AES-256 encryption
• Database encryption with secure key management
• Access tokens and sensitive credentials encrypted

Access Controls:

• Multi-factor authentication for administrative access
• Role-based access control (RBAC) for team members
• Principle of least privilege enforcement
• Regular access reviews and audits

Network Security:

• Firewall protection and intrusion detection systems
• DDoS protection and rate limiting
• Regular vulnerability scanning
• Penetration testing by third-party security firms

Application Security:

• Secure coding practices and code reviews
• Input validation and sanitization
• Protection against common vulnerabilities (OWASP Top 10)
• Regular security updates and patches

8.2 Administrative Safeguards

Personnel:

• Background checks for employees with data access
• Confidentiality agreements and security training
• Regular security awareness training
• Clear incident response procedures

Policies and Procedures:

• Documented security policies and standards
• Change management and deployment procedures
• Vendor security assessment processes
• Regular policy reviews and updates

Monitoring and Auditing:

• Continuous security monitoring and logging
• Regular security audits and assessments
• Compliance audits (SOC 2, ISO 27001, or similar)
• Incident detection and response capabilities

8.3 Physical Safeguards

Data Center Security:

• Tier III or higher certified data centers
• 24/7 physical security and surveillance
• Biometric access controls
• Environmental controls and redundancy

8.4 Incident Response

Data Breach Protocol:

• Documented incident response plan
• Dedicated security incident response team
• Notification procedures compliant with applicable laws
• Post-incident analysis and remediation

Notification Timeline:

• We will notify affected users within 72 hours of discovering a breach involving personal data
• Notification will include nature of breach, data affected, and remediation steps
• We will notify relevant authorities as required by law

8.5 Third-Party Security

All service providers and subprocessors must:

• Demonstrate adequate security measures
• Undergo security assessments
• Sign data processing agreements
• Comply with our security standards

8.6 User Responsibilities

You are responsible for:

• Maintaining confidentiality of your account credentials
• Using strong, unique passwords
• Enabling two-factor authentication when available
• Promptly reporting suspected security incidents
• Securing your own devices and networks

No system is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. You use our Service at your own risk.

9. International Data Transfers

Our Service is operated from Bulgaria (European Union). However, our service providers (such as Cloudflare and Microsoft Azure) are multinational organizations. Therefore, your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

9.1 Transfers from the EEA/UK

For data transfers from the EEA or UK to countries without adequate data protection laws, we rely on:

Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses with appropriate supplementary measures.

Adequacy Decisions: We may transfer data to countries recognized by the European Commission as providing adequate protection.

Specific Safeguards: We implement additional technical and organizational measures to ensure data protection equivalent to EEA/UK standards.

9.2 Transfers from Other Jurisdictions

For users in other jurisdictions, we comply with applicable cross-border data transfer requirements and implement appropriate safeguards.

9.3 Data Processing Addendum

Business customers may request a Data Processing Addendum (DPA) that includes:

• Standard Contractual Clauses
• Details of processing activities
• Subprocessor lists
• Security measures
• Audit rights

Contact lunitonai@gmail.com to request a DPA.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to provide, improve, and protect our Service.

10.1 Types of Cookies We Use

Strictly Necessary Cookies:

• Authentication and session management
• Security and fraud prevention
• Load balancing and performance
• These cannot be disabled as they are essential for Service operation

Functional Cookies:

• User preferences and settings
• Language selection
• Interface customization
• You can control these through your browser settings

Analytics Cookies:

• Usage statistics and trends
• Feature adoption metrics
• Performance monitoring
• You can opt out through our cookie consent banner

Marketing Cookies (with consent):

• Advertising effectiveness
• Retargeting campaigns
• Social media integration
• You can opt out through our cookie consent banner

10.2 Managing Cookie Preferences

Cookie Consent Banner: Upon first visit, you can accept or reject non-essential cookies.

Browser Controls: Most browsers allow you to:

• View and delete cookies
• Block third-party cookies
• Receive alerts when cookies are being set
• Block all cookies (may impair Service functionality)

Opt-Out Tools:

• Google Analytics Opt-out
• Network Advertising Initiative
• Digital Advertising Alliance

10.3 Do Not Track Signals

Currently, our Service does not respond to Do Not Track (DNT) browser signals, as there is no industry consensus on how to interpret DNT. We will update this policy if standards develop.

10.4 Third-Party Cookies

Third parties may set cookies through our Service:

• Analytics providers (Google Analytics)
• Advertising platforms
• Social media widgets
• Customer support chat tools

These third parties have their own privacy policies governing cookie use.

11. Children's Privacy

Our Service is not intended for individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, contact us immediately at lunitonai@gmail.com. We will delete such information within 48 hours.

Age Verification: By using our Service, you represent that you are at least 18 years old or have reached the age of majority in your jurisdiction.

Shopify Merchants: Merchants using our Service are responsible for ensuring compliance with children's privacy laws (COPPA, GDPR provisions, etc.) when collecting customer data through their Shopify stores.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

12.1 Your California Rights

• Right to Know: Request details about personal information we collect, use, disclose, and sell (we do not sell personal information).
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information beyond what is necessary to provide our Service.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

12.2 Categories of Personal Information

In the past 12 months, we have collected the following categories:

• Identifiers (name, email, IP address)
• Commercial information (purchase history, subscription data)
• Internet activity (usage data, analytics)
• Professional information (business name, industry)
• Inferences (preferences, usage patterns)

12.3 Business and Commercial Purposes

We use personal information for the purposes described in Section 3 of this Privacy Policy.

12.4 Disclosures

We disclose personal information to service providers and other parties as described in Section 5. We do not sell personal information to third parties.

12.5 Exercising Your Rights

Submit Requests:

• Email: lunitonai@gmail.com

Verification Process: We will verify your identity by requesting:

• Your Shopify shop domain
• Email address associated with your account
• Recent transaction or subscription details

Authorized Agents: You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.

Response Timeline: We will respond to verified requests within 45 days (extendable by 45 days if necessary).

12.6 California Shine the Light Law

California residents may request information about disclosure of personal information to third parties for direct marketing purposes. As we do not share personal information for third-party direct marketing, we are exempt from this requirement.

13. Additional State Privacy Rights

13.1 Virginia (VCDPA)

Virginia residents have rights similar to California residents under the Virginia Consumer Data Protection Act.

13.2 Colorado (CPA)

Colorado residents have rights under the Colorado Privacy Act including access, correction, deletion, and opt-out of targeted advertising.

13.3 Connecticut (CTDPA)

Connecticut residents have rights under the Connecticut Data Privacy Act including access, correction, deletion, and data portability.

13.4 Utah (UCPA)

Utah residents have rights under the Utah Consumer Privacy Act including access, deletion, and opt-out of targeted advertising.

13.5 Exercising State Privacy Rights

Residents of these states may exercise their rights using the same contact methods as California residents. We will respond within the timeframes required by applicable state law.

14. Nevada Privacy Rights

Nevada residents have the right to opt out of the sale of certain personal information. We do not sell personal information as defined by Nevada law. If this changes, we will update this Privacy Policy and provide an opt-out mechanism.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• Changes in our privacy practices
• Legal or regulatory requirements
• Service enhancements or modifications
• Industry best practices

15.1 Notification of Changes

Material Changes: We will notify you of material changes by:

• Email to your registered email address
• Prominent notice in our Service
• Notice in your Shopify admin (for embedded app users)
• At least 30 days before changes take effect

Non-Material Changes: We will update the "Last Updated" date and may notify you through our Service.

15.2 Your Continued Use

Continued use of our Service after changes take effect constitutes acceptance of the updated Privacy Policy. If you disagree with changes, you must discontinue use and may request account deletion.

15.3 Version History

We maintain a version history of this Privacy Policy. Previous versions are available upon request at lunitonai@gmail.com.

16. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices:

Email: lunitonai@gmail.com

Response Time: We aim to respond to all inquiries within 5 business days.

17. Shopify-Specific Provisions

17.1 Shopify Data Processing

As a Shopify App, we process merchant data in accordance with:

• Shopify's App Store Requirements
• Shopify's API Terms of Service
• Shopify's Data Protection Addendum

17.2 GDPR Webhooks Compliance

We comply with Shopify's mandatory GDPR webhooks:

customers/data_request: We provide requested customer data within 48 hours.

customers/redact: We delete or anonymize customer data within 48 hours.

shop/redact: We delete all shop data within 48 hours of app uninstallation.

17.3 Merchant Responsibilities

As a merchant using our app, you are responsible for:

• Obtaining necessary consents from your customers
• Providing adequate privacy notices to your customers
• Complying with applicable privacy laws for your customer data
• Responding to customer privacy requests for data you control

17.4 Merchant-Customer Relationship

You (the merchant) are the data controller for your customer data. We are a data processor acting on your instructions. Our processing is limited to providing the Service as described in our Terms of Service.

18. Third-Party Links and Services

Our Service may contain links to third-party websites, applications, or services not operated by us. We are not responsible for the privacy practices of these third parties.

We strongly encourage you to review the privacy policies of any third-party services you access. This Privacy Policy applies only to information collected through our Service.

Third-Party Integrations: If you connect third-party services to our platform, those services may access data you authorize. Review their privacy policies before connecting.

19. Accessibility

We are committed to making this Privacy Policy accessible to individuals with disabilities. If you have difficulty accessing this Privacy Policy, please contact us at lunitonai@gmail.com and we will provide the information in an alternative format.

20. Translations

This Privacy Policy is written in English. Translations may be provided for convenience, but the English version governs in case of conflicts or discrepancies.

Appendix A: Data Processing Details

Categories of Personal Data

1. Identity Data: Name, username, business name
2. Contact Data: Email address, phone number, billing address
3. Technical Data: IP address, browser type, device information
4. Usage Data: Service interaction, feature usage, analytics
5. Transaction Data: Subscription details, payment history
6. Shopify Data: Store information, products, orders, customers

Processing Activities

1. Service Provision: Account management, feature delivery
2. Analytics: Usage analysis, performance monitoring
3. Support: Customer service, troubleshooting
4. Billing: Payment processing, subscription management
5. Security: Fraud prevention, security monitoring
6. Marketing: Promotional communications (with consent)

Data Recipients

1. Service Providers: Hosting, analytics, payment processing
2. Shopify: App performance, compliance data
3. Legal Authorities: When required by law
4. Business Successors: In event of merger/acquisition

Retention Schedule

• Active Accounts: Duration of relationship + 30 days
• Closed Accounts: 90 days (backups), 7 years (financial)
• Marketing Data: Until unsubscribe + suppression list (indefinite)
• Logs: 12-24 months