Privacy Policy

1. Introduction

Uniqsale ("we," "our," or "us") is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our marketing site (uniqsale.ai), use our web application (app.uniqsale.ai), or interact with storefronts on which our SDK is deployed.

Uniqsale operates in two distinct roles under the EU General Data Protection Regulation (GDPR) and the UK GDPR:

• As a data controller, we determine the purposes and means of processing for: (i) account data of our merchant users (registration, authentication, billing, support); and (ii) analytics data collected on our marketing site at uniqsale.ai.
• As a data processor, we process storefront telemetry on behalf of our merchant customers. The merchant is the controller of that data and determines the purposes for which it is collected. Our processing is governed by the Data Processing Agreement (DPA) entered into with each merchant.

This Privacy Policy describes our practices in our capacity as a controller. For storefront end-users, the merchant operating the storefront is the primary point of contact for data subject requests; we will assist that merchant in fulfilling such requests as required by Article 28 GDPR.

2. Who We Are

The data controller responsible for the personal data processed under this Privacy Policy is:

• Legal entity: [LEGAL_ENTITY_NAME]
• Company / registration number: [COMPANY_REGISTRATION_NUMBER]
• Registered address: [REGISTERED_ADDRESS]
• Postal address for privacy correspondence: [POSTAL_ADDRESS_FOR_PRIVACY]
• Email: privacy@uniqsale.ai
• General support: support@uniqsale.ai

3. Information We Collect

We may collect information about you in a variety of ways, including:

• Store data: Product information, page structure, and metadata from your connected Shopify store to power personalization.
• Telemetry data: Anonymized user interaction events (image views, clicks, scroll depth) recorded by our SDK on your storefront.
• Account data: Your name, email address, and authentication credentials when you register for our platform.
• Usage data: Information about how you interact with the Uniqsale dashboard, including features used and actions taken.

4. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Uniqsale platform and services.
• Generate AI-powered insights and experience recommendations tailored to your store.
• Analyze aggregate telemetry data to measure experience performance and conversion outcomes.
• Communicate with you about product updates, support, and account information.
• Improve and develop new features based on usage patterns and feedback.
• Comply with applicable legal and regulatory obligations.

5. Legal Bases for Processing

Where the GDPR or UK GDPR applies, we rely on the following legal bases under Article 6(1) for each category of processing we carry out as a controller:

• Account data and provision of the platform — Article 6(1)(b), performance of a contract. We process your name, email address, authentication credentials (via Clerk), workspace configuration, and usage of the dashboard in order to provide the Uniqsale service to you and your organization under our Terms of Service.
• Billing, invoicing, and tax records — Article 6(1)(c), compliance with a legal obligation.
• Marketing-site analytics (Google Analytics 4) — Article 6(1)(a), consent. We do not load any analytics tags or set any non-essential storage until you grant consent through our cookie banner. You may withdraw consent at any time via the Cookie preferences link in the footer.
• Product communications, support, and security alerts — Article 6(1)(b) where directly necessary to deliver the service, and Article 6(1)(f), legitimate interests, for service-related notices to administrators of an active account.
• Service improvement, debugging, and aggregate usage analysis of the dashboard — Article 6(1)(f), legitimate interests in maintaining, securing, and improving the platform. You may object to this processing at any time on grounds relating to your particular situation.
• Fraud prevention, abuse detection, and protecting our legal rights — Article 6(1)(f), legitimate interests in operating a secure service and, where applicable, Article 6(1)(c).

For storefront telemetry collected by our SDK, we act as a processor on behalf of the merchant operating the storefront. The merchant determines and documents the legal basis for that processing (typically consent under the ePrivacy Directive and Article 6(1)(a) or legitimate interests under Article 6(1)(f) of the GDPR) and is responsible for obtaining any required consent before our SDK is loaded.

6. Data Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to outside parties. We may share data with trusted third-party service providers who assist us in operating our platform, subject to confidentiality and data processing agreements. These include cloud infrastructure providers, authentication providers, and analytics providers — in particular, Google Ireland Limited / Google LLC, which provides Google Analytics 4 for our marketing site (see Section 10 and Google's Privacy Policy). We may also disclose information when required by law or to protect the rights and safety of our users.

7. International Data Transfers

Uniqsale is built on cloud infrastructure and uses sub-processors that may store or process personal data outside your country of residence, including in the United States. Where personal data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the European Commission (or, for the UK, from the UK government), we implement appropriate safeguards under Chapter V of the GDPR.

The principal categories of recipients and the safeguards on which we rely are:

• Cloud hosting and infrastructure — [CLOUD_PROVIDER]. Personal data is hosted in [HOSTING_REGION] where feasible. Cross-border transfers are covered by the EU Standard Contractual Clauses (SCCs) and, where the recipient is certified, the EU-US Data Privacy Framework (EU-US DPF) and the UK Extension to the DPF.
• Authentication — Clerk, Inc. (United States). Transfers are covered by the EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
• Marketing-site analytics — Google Ireland Limited (controller-to-processor relationship) with onward transfer to Google LLC (United States). Transfers are covered by the EU Standard Contractual Clauses and Google's certification under the EU-US Data Privacy Framework.
• Email and customer communications — [EMAIL_PROVIDER]. Transfers are covered by the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
• AI processing — OpenAI Ireland Limited and OpenAI, L.L.C. (United States), used to generate experience recommendations from non-personal store metadata. Transfers are covered by the EU Standard Contractual Clauses.

A current list of sub-processors and the specific transfer mechanism applicable to each is maintained in our Data Processing Agreement and is available on request at privacy@uniqsale.ai.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. Telemetry data collected from your storefront visitors is stored in anonymized or pseudonymized form and retained for up to 24 months to support experience analysis. You may request deletion of your account data at any time by contacting us.

9. Shopify Integration

Our service integrates with Shopify. When you connect your store, we access your Shopify data pursuant to the permissions you grant during the OAuth authorization flow. We process this data solely to provide the Uniqsale service and do not use it for independent purposes. Our use of Shopify APIs complies with Shopify's Partner Program Agreement and API Terms of Service.

10. Cookies, Local Storage, and Tracking

We treat tracking on our marketing website (uniqsale.ai) separately from tracking performed by the Uniqsale SDK on our customers' storefronts. The two contexts have different purposes, different legal bases, and different controls.

10.1 Marketing site (uniqsale.ai)

On our marketing site we use Google Analytics 4 (measurement ID G-SF2T15VEC4) to understand how visitors discover and interact with our pages. Google Analytics collects:

• Page views, referrer, and navigation paths.
• Approximate location (derived from IP, which Google truncates) and basic device, browser, and operating system information.
• Custom events we emit, including analyze_started, analyze_completed, analyze_failed, and cta_clicked.
• Cookies set by Google in your browser, including _ga and _ga_SF2T15VEC4, used to distinguish unique visitors and sessions.

Google Ireland Limited (and Google LLC for processing in the United States) acts as our processor for this analytics data. Data may be transferred outside the European Economic Area, including to the United States, under appropriate safeguards such as the EU Standard Contractual Clauses and the EU-US Data Privacy Framework. We retain Google Analytics event and user data for 14 months, in line with Google Analytics defaults; aggregated reports may be retained for longer. For more information, see Google's Privacy Policy.

Consent is opt-in. No analytics or tracking cookies are set, and the Google Analytics script (gtag.js) is not loaded, until you click Accept on our cookie banner. If you click Decline, we set Google's official opt-out flag (ga-disable-G-SF2T15VEC4 = true) so that no measurement occurs even if the script is later present on the page. Strictly necessary functionality (page rendering, your consent choice) does not require consent.

Your choice is stored locally in your browser under the localStorage key uniqsale.consent.v1, recording the status (granted or denied), a timestamp, and a version. We do not write any cookies before you grant consent. You can change or revoke your choice at any time using the Cookie preferences link in the footer of any page on our marketing site, which clears the stored record and re-prompts you on the next page load.

10.2 Storefront SDK (deployed on our customers' websites)

The Uniqsale SDK installed on our customers' storefronts uses localStorage to assign anonymous visitor identifiers for experience assignment and telemetry. No personally identifiable information is stored, and no cookies are set by the SDK itself. Where the storefront is operated by a merchant in the EEA or UK, the merchant is the data controller and is responsible for obtaining any consent required under the GDPR and the ePrivacy Directive before our SDK is loaded. You can configure your browser to block localStorage, though this may affect personalization functionality on the merchant's store.

10.3 Cookies and local storage we use

The table below lists each cookie or storage item set in connection with Uniqsale, the party that sets it, its purpose, and its lifetime.

11. Your Rights

Depending on your jurisdiction, and in particular under the GDPR (Articles 15–22) and the UK GDPR, you may have the following rights in relation to personal data we hold about you as a controller:

• Right of access (Art. 15) — to obtain confirmation of whether we process your personal data and to receive a copy of that data.
• Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected.
• Right to erasure (Art. 17) — to have your personal data deleted where one of the grounds in Article 17 applies.
• Right to restriction of processing (Art. 18) — to limit how we use your data in defined circumstances.
• Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to object (Art. 21) — to object, on grounds relating to your particular situation, to processing based on legitimate interests, including profiling.
• Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Rights related to automated decision-making (Art. 22) — see Section 13 below.

To exercise any of these rights, contact us at privacy@uniqsale.ai. We will respond within one month of receipt, and may extend that period by up to two further months for complex or numerous requests, as permitted under Article 12(3). We may need to verify your identity before fulfilling a request. Exercising these rights is free of charge except where requests are manifestly unfounded or excessive.

If your personal data is processed by Uniqsale only as a processor on behalf of a merchant (for example, storefront telemetry), please direct your request to that merchant. We will assist the merchant in responding as required under Article 28 GDPR.

Right to lodge a complaint with a supervisory authority (Art. 13(2)(d) and Art. 77). If you are located in the EEA, the UK, or Switzerland, you have the right to lodge a complaint with the data protection supervisory authority of your country of residence, place of work, or place of the alleged infringement. A list of EEA supervisory authorities is available from the European Data Protection Board at edpb.europa.eu. In the United Kingdom, the supervisory authority is the Information Commissioner's Office (ico.org.uk). We would, however, appreciate the opportunity to address your concerns before you contact a supervisory authority.

Residents of California (CCPA/CPRA), Colorado, Connecticut, Virginia, and other US states may have additional rights, including the right to know, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" of personal information, and the right to limit the use of sensitive personal information. We do not sell personal information for monetary consideration. To exercise these rights, contact privacy@uniqsale.ai.

12. Children's Data

The Uniqsale platform is a business-to-business service intended for use by e-commerce merchants and their personnel. It is not directed to children, and we do not knowingly collect personal data from children under the age of 16 in the EEA or the UK, or under the age of 13 in the United States. If you believe that a child has provided us with personal data, please contact us at privacy@uniqsale.ai and we will take steps to delete that information promptly.

Storefront telemetry collected through our SDK is processed on the merchant's instructions. The merchant is responsible for ensuring that its storefront is not directed to children in a manner that would require parental consent under applicable law, and for configuring its consent mechanism accordingly.

13. Automated Decision-Making and AI Recommendations

Uniqsale operates an AI experience engine that generates personalization recommendations — for example, suggested merchandising changes or content variants — based on aggregated storefront telemetry and store metadata. These recommendations are surfaced to the merchant in our dashboard. The merchant decides, through human review, whether to deploy each recommendation to its storefront.

We do not use these AI recommendations to make decisions about individual end-users that produce legal effects concerning them or that similarly significantly affect them within the meaning of Article 22 of the GDPR. The recommendations affect what merchandising or content a visitor sees on a storefront; they are not used to decide eligibility for credit, employment, pricing tiers tied to identified individuals, or any comparable outcome.

Where a merchant configures additional processing on top of our service that does involve automated decision-making with legal or similarly significant effects, the merchant is the controller of that processing and is responsible for ensuring compliance with Article 22.

14. Security and Breach Notification

We implement technical and organizational measures designed to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage, in line with Article 32 of the GDPR. These measures include encryption in transit (TLS) and at rest, role-based access controls, audit logging, secrets management, network segmentation, regular dependency and vulnerability scanning, and least-privilege access for staff.

No method of transmission over the internet or method of electronic storage is fully secure, and we cannot guarantee absolute security. If we become aware of a personal data breach affecting your personal data, we will respond in accordance with Articles 33 and 34 of the GDPR:

• Where we act as a controller, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk, we will also notify affected data subjects without undue delay.
• Where we act as a processor on behalf of a merchant, we will notify the merchant without undue delay after becoming aware of the breach, in line with Article 33(2) and our Data Processing Agreement, and will assist the merchant in meeting its own notification obligations.

To report a suspected security issue, contact security@uniqsale.ai.

15. Data Protection Officer and EU Representative

Data Protection Officer (Art. 37 GDPR). [DPO_STATUS_BLOCK — pick one and remove the other: Option A (DPO appointed): "We have appointed a Data Protection Officer who can be contacted at [DPO_NAME], [DPO_EMAIL], [DPO_POSTAL_ADDRESS]." / Option B (DPO not required): "We have assessed our processing activities against Article 37 of the GDPR and have determined that the appointment of a Data Protection Officer is not mandatory. You may contact our privacy team for any data protection matter at privacy@uniqsale.ai."]

Representative in the European Union (Art. 27 GDPR). [EU_REP_STATUS_BLOCK — pick one and remove the other: Option A (Representative appointed): "Where we are subject to Article 27 of the GDPR, we have appointed [EU_REPRESENTATIVE_NAME] as our representative in the European Union. You may contact our representative regarding any matter related to the processing of your personal data at: [EU_REPRESENTATIVE_ADDRESS], [EU_REPRESENTATIVE_EMAIL]." / Option B (Not required): "Based on our current processing activities, we have determined that the appointment of a representative in the European Union under Article 27 of the GDPR is not required. We will reassess this position if our activities change."]

Representative in the United Kingdom (Art. 27 UK GDPR). [UK_REP_STATUS_BLOCK — pick one and remove the other: Option A (Representative appointed): "We have appointed [UK_REPRESENTATIVE_NAME], [UK_REPRESENTATIVE_ADDRESS], [UK_REPRESENTATIVE_EMAIL] as our representative in the United Kingdom." / Option B (Not required): "Based on our current processing activities, we have determined that the appointment of a UK representative under Article 27 of the UK GDPR is not required."]

16. Contact Us

If you have questions about this Privacy Policy or our data practices, or if you wish to exercise any of your rights, please contact us at:

• Privacy: privacy@uniqsale.ai
• Security: security@uniqsale.ai
• General support: support@uniqsale.ai
• Postal: [LEGAL_ENTITY_NAME], [POSTAL_ADDRESS_FOR_PRIVACY]

We will respond to your inquiry within 30 days, or sooner where required by applicable law.