Privacy Policy

1. Introduction

Alethia ("Alethia," "we," "us," or "our") is a Canadian software-as-a-service (SaaS) platform that helps Shopify Plus brands optimize their product pages for visibility in AI-powered search engines such as ChatGPT, Perplexity, and similar services.

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our website and platform (collectively, the "Service"). It also describes your rights regarding your personal data and how you can exercise them.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Information We Collect

We collect the following categories of information:

2.1 Account Information

When you create an account, we collect your email address, full name, and company name. This information is required to provide you with access to the Service.

2.2 Store and Brand Configuration Data

When you connect your Shopify store, we collect your Shopify store URL, store name, target market, supported languages, and brand voice configuration (including tone, audience, formality level, key phrases, phrases to avoid, and brand values). This data is necessary to customize our analysis and content generation to your brand.

2.3 Product Data

We sync product information from your Shopify store via the Shopify Admin API, or through optional URL-based import. This includes product titles, descriptions, prices, product types, vendor information, and product images. This data is used to run AI visibility analysis and generate optimized content.

2.4 Shopify OAuth Credentials

When you authorize Alethia to access your Shopify store, we receive and store an OAuth access token. This token is encrypted at rest and is used solely to read product data from and write optimized content back to your Shopify store on your behalf.

2.5 Analysis and Performance Data

We generate and store AI visibility scores, share-of-voice metrics, competitor insights, and raw responses from large language model (LLM) queries. We also track daily and monthly analysis counts and associated LLM API costs for billing and usage monitoring purposes.

2.6 AI-Generated Content

We create and store AI-optimized product titles, descriptions, FAQs, and meta descriptions for each product in each of your configured languages. This content is generated through our Service and stored in your account until you choose to delete it.

2.7 Information We Do Not Collect

We do not use Google Analytics or any third-party analytics platforms. We do not use advertising cookies or tracking pixels. We do not use social media tracking technologies. We do not collect payment card information directly (payments are processed by third-party payment processors).

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: To authenticate your account, sync your product data, run AI visibility analyses, and generate optimized content.
• AI Analysis and Content Generation: Your product data (titles, descriptions, prices, types, vendor information) is sent to third-party LLM providers to assess AI search visibility and generate optimized content. See Section 4 for details.
• Shopify Integration: To read product data from and write optimized content back to your Shopify store using the access token you authorized.
• Usage Monitoring: To track your analysis usage against plan limits and manage LLM API costs.
• Service Improvement: To understand how the Service is used and to improve its features and performance.
• Communication: To send you service-related notifications, such as analysis completion alerts or account updates.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

3.1 Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases under Articles 6 and 9 of the GDPR:

• Performance of a Contract (Article 6(1)(b)): Processing necessary to provide you with the Service you have subscribed to, including account management, product data syncing, AI analysis, and content generation.
• Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by your rights.
• Consent (Article 6(1)(a)): Where we rely on your consent, you may withdraw it at any time by contacting us.
• Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations to which we are subject.

4. AI and LLM Data Processing

4.1 What Data Is Sent to AI Models

To perform AI visibility analysis and generate optimized content, we send the following product data to third-party large language models (LLMs): product titles, descriptions, prices, product types, and vendor information. We also send your brand voice configuration (tone, audience, formality, key phrases) to ensure generated content aligns with your brand.

4.2 How AI Processing Works

For each analysis, the Service sends approximately 25 prompts to LLM models (currently GPT-4o-mini via OpenRouter) to test how visible your products are in AI-powered search results. The AI models process these prompts and return responses that we use to calculate visibility scores, share-of-voice metrics, and competitor insights. We also use AI models to generate optimized content (titles, descriptions, FAQs, meta descriptions) in your configured languages.

4.3 Third-Party AI Provider

We use OpenRouter as our LLM gateway, which routes queries to models such as GPT-4o-mini (provided by OpenAI). OpenRouter acts as a data processor on our behalf. We have data processing agreements in place with our AI service providers that restrict them from using your data for purposes other than providing the service to us. Your product data sent to these models is not used to train their AI models.

4.4 Data Minimization

We apply data minimization principles to AI processing. We send only the product data necessary for the specific analysis or content generation task. We do not send your personal account information (such as your name or email address) to AI models. We do not send your Shopify OAuth tokens or other authentication credentials to AI models.

4.5 AI Output Storage

All AI-generated analysis results and optimized content are stored in our database (hosted on Supabase). You retain full control over this data and can delete it at any time through your account settings. Raw LLM responses are stored for the purpose of providing you with detailed analysis results.

5. Third-Party Service Providers

We use the following third-party service providers (sub-processors) to operate the Service. Each provider processes data only as necessary to fulfill its specific function:

We maintain data processing agreements with each of these providers that require them to process your data only according to our instructions and in compliance with applicable privacy laws.

6. Data Storage and Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it:

• Encryption at Rest: Sensitive data, including Shopify OAuth tokens, is encrypted at rest in our database.
• Encryption in Transit: All data transmitted between your browser, our servers, and third-party services is encrypted using TLS (HTTPS).
• Authentication Security: User authentication is handled by Supabase Auth with industry-standard security practices, including secure password hashing and session management.
• Access Controls: Access to production systems and user data is restricted to authorized personnel only, following the principle of least privilege.
• Infrastructure Security: Our application is hosted on Vercel and our database on Supabase, both of which maintain SOC 2 compliance and implement comprehensive security controls.

While we implement robust security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee the absolute security of your data, but we commit to promptly notifying affected users and relevant authorities in the event of a data breach, in accordance with applicable laws.

7. Cookies and Similar Technologies

We use a minimal set of cookies that are strictly necessary for the operation of the Service:

• Authentication Cookies: Session cookies issued by Supabase Auth (in the format sb-*-auth-token) to maintain your authenticated session. These are essential for the Service to function and cannot be disabled.
• Theme Preference Cookie: A cookie that stores your display preference (light or dark mode) to provide a consistent user experience across sessions.

We do not use any marketing, advertising, or analytics cookies. We do not use tracking pixels, web beacons, or similar tracking technologies. Because we use only strictly necessary cookies, we do not require cookie consent under most privacy regulations.

8. Data Retention

We retain your data according to the following principles:

• Account Data: Retained for the duration of your active account and for a reasonable period afterward to fulfill legal and business obligations (typically up to 30 days after account deletion).
• Product and Analysis Data: Retained for as long as your account is active. You may delete individual products and their associated analysis data at any time.
• AI-Generated Content: Retained until you delete it or close your account.
• Shopify OAuth Tokens: Retained only while your Shopify store connection is active. Tokens are revoked and deleted when you disconnect your store or delete your account.
• Usage Logs: Aggregated usage data (analysis counts, API costs) is retained for billing and operational purposes.

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).

9. International Data Transfers

Alethia is based in Canada. Our third-party service providers are primarily located in the United States and Canada. If you are accessing the Service from the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data transfer restrictions, please be aware that your data may be transferred to, stored, and processed in Canada and the United States.

We ensure that international data transfers are conducted in compliance with applicable laws through the following mechanisms:

• Canada: The European Commission has recognized Canada (for private-sector organizations subject to PIPEDA) as providing an adequate level of data protection under GDPR Article 45.
• United States: For transfers to US-based sub-processors, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional safeguards where necessary, as well as the EU-US Data Privacy Framework where applicable.

10. Your Rights Under GDPR (EEA/UK)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and the UK GDPR:

• Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you.
• Right to Rectification (Article 16): You have the right to request that we correct inaccurate or incomplete personal data.
• Right to Erasure (Article 17): You have the right to request that we delete your personal data, subject to certain exceptions.
• Right to Restrict Processing (Article 18): You have the right to request that we limit the processing of your personal data in certain circumstances.
• Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
• Right to Object (Article 21): You have the right to object to processing based on legitimate interests, including profiling.
• Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Right to Lodge a Complaint (Article 77): You have the right to lodge a complaint with your local data protection supervisory authority.
• Rights Related to Automated Decision-Making (Article 22): Our AI-powered analysis and content generation tools assist you in optimizing your product content. These tools do not make automated decisions that produce legal effects or similarly significant effects on you. All AI-generated content is provided as suggestions that you review and choose to apply.

To exercise any of these rights, please contact us at the address provided in Section 15. We will respond to your request within 30 days, as required by law.

11. Your Rights Under CCPA/CPRA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

11.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers: Name, email address, company name.
• Commercial Information: Product data synced from your Shopify store, analysis history, generated content.
• Internet Activity: Authentication session data (strictly necessary cookies only).
• Professional Information: Company name, Shopify store details.
• Inferences: AI visibility scores and competitive insights derived from product analysis.

11.2 Your CCPA/CPRA Rights

• Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You have the right to request that we correct inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
• Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CCPA/CPRA beyond what is necessary to provide the Service.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

11.3 Do Not Sell or Share

Alethia does not sell personal information. We do not share personal information for cross-context behavioral advertising. Our third-party service providers process data solely on our behalf and under our instructions as service providers, not as third parties under the CCPA.

12. Your Rights Under PIPEDA (Canada)

As a Canadian company, Alethia is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Under PIPEDA, you have the following rights:

• Right to Access: You have the right to request access to the personal information we hold about you (PIPEDA Principle 4.9).
• Right to Correction: You have the right to challenge the accuracy and completeness of your personal information and have it amended as appropriate (PIPEDA Principle 4.9.5).
• Right to Withdraw Consent: You may withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice (PIPEDA Principle 4.3.8). Withdrawal of consent may affect our ability to provide the Service to you.
• Right to Complain: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) if you believe we have violated your privacy rights.

We adhere to the ten fair information principles outlined in PIPEDA, including accountability, identifying purposes, consent, limiting collection, limiting use and disclosure, accuracy, safeguards, openness, individual access, and challenging compliance.

If you are a resident of Quebec, additional rights may apply under Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), including the right to data portability and the right to be informed of automated decision-making.

13. Children's Privacy

The Service is designed for business use by Shopify Plus merchants and is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe that a child under 16 has provided us with personal information, please contact us at the address provided in Section 15.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting a prominent notice on the Service or by sending you an email notification at the address associated with your account.

We encourage you to review this Privacy Policy periodically. The "Last updated" date at the top of this page indicates when this policy was most recently revised. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle your data, please contact us: