Privacy Policy

Last updated: April 7, 2026

1. Who we are

WatchPlug AI ("WatchPlug", "we") is a SaaS platform that uses Artificial Intelligence to optimize Shopify stores through analysis of sales, traffic, and advertising data. This policy describes how we collect, use, store, and protect personal data of our users and their stores' end customers.

2. Data we collect

We collect the following types of data:

  • Account data: name, email, password (encrypted via bcrypt), store name.
  • Payment data: processed by Shopify (Shopify App Billing). We do not store card data on our servers.
  • Your Shopify store data: via OAuth, we access products, collections, orders, inventory, and sales metrics to generate optimization recommendations.
  • Google Analytics 4 data: via OAuth, we access pageviews, conversion rate, and bounce rate for products.
  • Meta Ads data: via OAuth, we access campaign metrics (ROAS, CPA, spend, impressions).
  • Usage data: access logs, IP, user agent, and dashboard actions.

3. Purpose of processing

We use your data to:

  • Provide the optimization service (collection reordering, price suggestion, ABC classification).
  • Generate AI analysis and recommendations (AWS Bedrock).
  • Process charges and manage subscriptions via Shopify App Billing.
  • Send notifications about analyses, recommendations, and product updates.
  • Comply with legal and tax obligations.
  • Improve and protect the service (security, fraud prevention).

4. Legal basis

We process your data based on: (i) contract performance, (ii) compliance with legal obligations, (iii) free and informed consent for OAuth integrations, and (iv) legitimate interest for service security and improvement. These align with GDPR Art. 6 and CCPA/CPRA requirements where applicable.

5. Third-party sharing

We share strictly necessary data with the following processors:

  • Amazon Web Services (AWS): full infrastructure in us-east-1 region (USA).
  • AWS Bedrock: AI models to generate recommendations.
  • Shopify: payment processing and subscription management (Shopify App Billing).
  • Anthropic: AI analysis provider (aggregated store metrics included in analysis).
  • Shopify, Google, and Meta: receive authenticated OAuth requests when the user connects integrations.

We do not sell, rent, or share your data with third parties for marketing purposes.

6. International transfer

Your data is stored in the United States (AWS us-east-1). Transfers are governed by contractual safeguards from certified processors and standard data protection clauses.

7. Data retention

We retain your data while your account is active. After cancellation, data is deleted within 30 days, except when legally required to retain (e.g., invoices for 5 years). You may request immediate deletion at any time.

8. Your rights

You have the right to:

  • Confirmation of whether we process your data.
  • Access to your data.
  • Correction of incomplete or outdated data.
  • Anonymization, blocking, or deletion of unnecessary data.
  • Data portability.
  • Withdrawal of consent.
  • Information about data sharing.

To exercise your rights, contact us at contact@watchplug.com.

9. Security

We adopt technical and organizational measures to protect your data: encryption in transit (TLS 1.2+) and at rest, JWT authentication in httpOnly cookies, passwords encrypted with bcrypt, secrets managed via AWS Secrets Manager, IAM role-based access control, CloudWatch audit logs, rate limiting, and protection against common attacks (CSRF, SSRF, XSS, injection).

10. Cookies

We use essential cookies for authentication (JWT token in httpOnly, Secure, SameSite=Lax cookie). For more details, see our Cookie Policy.

11. Changes to this policy

This policy may be updated periodically. Relevant changes will be notified by email and through the dashboard. The current version is always the one published on this page.

12. Contact & DPO

For questions, requests, or to exercise your rights, contact our Data Protection Officer:

Email: contact@watchplug.com