Privacy Policy

Last updated: 2 October 2025

1. Introduction & Scope

This Privacy Policy explains how Car Tech Studio Ltd (“Gravitate,” “we,” “our,” “us”) collects, uses, shares, and protects information in connection with our Shopify app and web properties (collectively, the “Service”).

By using the Service, you agree to the practices described in this Policy. If you do not agree, please do not use the Service.

1.1 Audience & Application

This Policy applies to merchants and users of the Service in the United States, United Kingdom, Canada, Australia, Europe, and other jurisdictions as applicable. The Service is designed for business users and is not directed to children under 18.

2. Information We Collect

We collect only the minimum information necessary to provide and improve the Service.

2.1 Account & Authentication

  • Merchant account information (email address, user ID) via Supabase Auth
  • Shopify shop domain, access token, granted scopes, and shop profile information when you connect your store

2.2 Store Data from Shopify

The following data is collected as permitted by the Shopify access scopes you grant:

  • Product and collection data (titles, descriptions, handles, images, SEO fields)
  • Online store pages metadata
  • Product feeds and listings
  • Limited analytics and reports
  • Themes metadata where required for Service features

Orders access scope (read_orders): While this scope is requested for app operations, we do not process, store, or use buyer/customer personally identifiable information (PII) in our AI models, analytics, or systems.

2.3 Google Search Console (Optional)

When you connect Google Search Console:

  • Verified sites associated with your property
  • Aggregated page-level metrics (clicks, impressions, CTR, position)
  • OAuth tokens (stored securely as secrets, not in plain database tables)

We do not ingest Google account profile data beyond what is required for OAuth authentication.

2.4 Analytics & Telemetry

  • PostHog Cloud: Event analytics, session replay, and heatmaps to improve user experience
  • Technical telemetry (request metadata, performance metrics) necessary to operate the Service

2.5 Cookies & Local Storage

  • First-party cookies for UI preferences (sidebar state, consent preferences)
  • Local and session storage for transient UI state (OAuth state parameters)

We do not store sensitive data in browser storage.

3. Information We Do Not Collect

  • Buyer/customer PII: We do not process, store, or transmit customer personal information. Although read_orders is an installed scope, we do not ingest or use buyer PII.
  • Special categories of data: We do not collect sensitive personal data (health, race, religion, etc.).

4. How We Use Information

We use collected information to:

  • Provide and operate the Service, including SEO analysis, generating optimization suggestions, applying approved changes, and displaying performance metrics
  • Improve user experience and reliability through analytics, session replay, and heatmaps (with sensitive input masking)
  • Communicate Service updates, security notifications, and support responses
  • Maintain security, prevent fraud, and ensure platform integrity

5. Sharing & Service Providers

We use carefully selected service providers who act as data processors on our behalf. We do not sell personal data.

5.1 Service Providers

  • Supabase: Hosting, database, Edge Functions, Vault (secrets management) — Privacy Policy
  • Shopify: Admin APIs, webhooks, billing — Privacy Requirements
  • Google: Search Console OAuth and metrics
  • PostHog: Analytics, session replay, heatmaps — Privacy Policy
  • n8n Cloud EU: Workflow automation — Legal
  • OpenRouter: LLM routing (restricted to OpenAI, Anthropic, Google Gemini, Perplexity only) — Privacy & Logging

5.2 AI Processing Restrictions

We restrict OpenRouter routing exclusively to the providers listed above. We do not use China-based model providers. We do not opt in to prompt logging.

6. Cookies & Tracking Technologies

We use a cookie and consent banner to comply with regional privacy requirements.

  • First-party cookies: Used for UI preferences and analytics
  • Management: You can manage cookie preferences through the consent banner or your browser settings
  • Impact: Some Service functionality may be limited if cookies are disabled

7. Data Retention

We retain data only as long as necessary to provide the Service or as required by law.

7.1 Store Data

Store data is retained while your app connection remains active. Upon uninstall, we delete store-scoped data as described in Section 11 (Compliance & Deletion).

7.2 Provider-Specific Retention

  • PostHog Cloud: Session replay retained per PostHog policy (1–3 months depending on plan) — Docs
  • Supabase backups: Daily backups with plan-based retention (Pro ~7 days, Team ~14 days, Enterprise up to ~30 days) — Docs
  • Supabase logs: Plan-based retention; exportable via log drains — Docs
  • n8n Cloud EU: Audit and history logs retained per n8n legal requirements (at least 12 months) — Legal
  • Google Analytics 4 (if enabled): 2 or 14 months depending on property settings — Docs
  • OpenRouter: Prompt logging is opt-in; we do not opt in. Categorization (if used) is anonymous with zero retention — Docs

Where specific periods are not listed, we use provider defaults or the minimum time needed for the stated purpose. Minimal records may be retained to comply with legal obligations or resolve disputes.

8. Data Subject Rights

Depending on your location, you may have rights to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data
  • Restrict or object to processing
  • Port your data to another service
  • Withdraw consent where applicable

8.1 Submitting Requests

To exercise your rights, email hello@usegravitate.com using the email address associated with your account and include your Shopify shop domain to help us verify your identity.

We will respond to verified requests within 30 days as required by applicable law.

9. Security Measures

We implement industry-standard security measures to protect your data:

  • Transport security: TLS encryption for all data in transit
  • Encryption at rest: Via Supabase-managed infrastructure
  • Authentication: OAuth for Shopify and Google integrations
  • Secrets management: Supabase Vault for encrypted storage of access tokens
  • Integrity verification: HMAC verification for Shopify OAuth callbacks and webhooks
  • Access controls: Least-privilege access with restricted and logged system access
  • Session replay privacy: PostHog masking of sensitive inputs enabled by default
  • Incident response: Breach notification without undue delay (within 72 hours where legally required)

10. International Data Transfers

10.1 Primary Data Residency

Primary data is hosted in the European Union via Supabase (eu-central-1 region).

10.2 Cross-Border Transfers

Some processing involves transfers outside your country through our service providers (Shopify, Google, PostHog, OpenRouter). Where applicable, we rely on:

  • Standard Contractual Clauses (SCCs)
  • Data Privacy Framework (DPF)
  • Other lawful transfer mechanisms provided by our processors

11. Compliance & Deletion

11.1 Shopify GDPR Webhooks

We subscribe to and honor Shopify’s mandatory compliance webhooks:

  • customers/data_request: We acknowledge and assist merchants with access requests (we do not store customer PII)
  • customers/redact: We delete customer data if any is stored (currently not applicable as we do not store buyer PII)
  • shop/redact: We delete all shop-scoped data immediately upon uninstall

11.2 Uninstall & Deletion Process

When you uninstall the app, we delete:

  • Shopify credentials and access tokens
  • Connected Google Search Console sites and OAuth tokens
  • Stored metrics and cached store data
  • All AI-generated suggestions and blog post records

Minimal operational records may persist in backups or logs for their standard retention periods (see Section 7.2) and will be purged upon expiry.

Where applicable under GDPR and UK GDPR, we process personal data based on:

  • Performance of contract: To provide the Service you requested
  • Legitimate interests: Product analytics, security, fraud prevention, and Service improvements (with safeguards and opt-outs where required)
  • Consent: For cookies and optional features where applicable in your region

13. Children’s Privacy

The Service is intended for business users and is not directed to individuals under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has provided data to us, contact us immediately to delete it.

14. Billing

All merchant charges are processed through the Shopify Billing API. We do not process or store credit card information.

15. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, legal requirements, or Service features.

15.1 Notification of Changes

If we make material changes, we will:

  • Update the “Last updated” date at the top of this Policy
  • Notify active users via email (to the address associated with your account) and/or through the Service

15.2 Continued Use

Continued use of the Service after the effective date of changes constitutes acceptance of the updated Policy. If you do not agree to the changes, you must stop using the Service and uninstall the app.

16. Jurisdiction-Specific Disclosures

If required by your local laws, additional region-specific notices may apply. Contact us with questions regarding jurisdiction-specific requirements.

17. Contact Information

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:

Car Tech Studio Ltd
71-75 Shelton Street, Covent Garden
London, WC2H 9JQ, United Kingdom
Email: hello@usegravitate.com

Summary (TL;DR)

  • What we collect: Merchant account data, Shopify store content (products, collections, pages), optional Google Search Console metrics, and analytics data
  • Customer data: We do not process buyer/customer PII. While we request read_orders scope, we do not use it to process or retain buyer data
  • Service providers: Supabase (EU hosting), Shopify, Google, PostHog (analytics), n8n Cloud EU, and OpenRouter (routing to OpenAI, Anthropic, Google Gemini, Perplexity only)
  • AI processing: No China-based providers; no prompt logging; no buyer PII sent to AI models
  • Data deletion: Store-scoped data deleted immediately on uninstall; Shopify compliance webhooks honored (customers/data_request, customers/redact, shop/redact)
  • Security: TLS encryption in transit, encryption at rest, HMAC verification, OAuth authentication, secrets in Supabase Vault, sensitive input masking, breach notification within 72 hours
  • Retention: Provider defaults apply (PostHog replay ~1–3 months; Supabase backups ~7–30 days; logs plan-based; GA4 2/14 months if enabled)
  • Your rights: Access, correct, delete, restrict, object, or port data; contact hello@usegravitate.com (30-day response)
  • Location: Primary hosting in EU (Supabase eu-central-1); cross-border transfers via SCC/DPF mechanisms
  • Cookies: Consent banner live; first-party cookies for preferences and analytics
  • Age: Service for business users; minimum age 18
  • Billing: Shopify Billing API only; no card processing

By using Gravitate, you agree to this Privacy Policy and our Terms & Conditions.

↑ Back to top