Growcado Inc. App Privacy Policy

Effective date: April 5, 2026
Last updated: April 17, 2026

The short version: We use your existing Shopify store data, including customer, cart, product, and localisation information, to deliver personalised storefront experiences. We use anonymous session identifiers and never link activity to a name, email, or other directly identifying information. Growcado does not run merchant-facing analytics dashboards or produce visitor behaviour reports. We never sell your data. We record only a small number of operational events to confirm that personalisation content is rendering correctly. We never use this data for advertising.

1. What is Growcado?

Growcado is a personalisation platform that helps businesses deliver tailored experiences to their website visitors. This policy covers our Shopify app and any other integrations or implementations of Growcado technology. It has two main parts: a personalisation engine that shows configured content based on real-time customer and behavioural data, and an AI agent layer that generates personalised copy for visitors in real time.

2. Scope and roles

A) Merchant data

When a Merchant installs or connects Growcado (including via the Shopify App Store), we process data about their store to provide App functionality. Growcado acts as a data processor on the Merchant's behalf.

B) Store visitors and customers

When a Merchant enables Growcado personalisation, Growcado may process limited Store Visitor and Customer information to render personalised content. In most cases the Merchant is the controller and Growcado acts as a processor for Customer data. Store Visitors with questions about a specific store's data practices should contact that Merchant directly.

3. What information do we collect?

A) Store account information (Shopify)

When a Merchant installs the App, Shopify provides us with:

  • Store identifiers: your *.myshopify.com domain, store name, locale, and currency
  • Authentication credentials: OAuth session tokens and API access needed to run the App
  • Merchant account details where Shopify provides them, such as your user ID and email address
  • For non-Shopify implementations, equivalent store and authentication information is collected directly as part of the onboarding process.

B) Storefront personalisation data (Store Visitors and Customers)

Depending on Merchant configuration, we process limited real-time context to render personalised content. This data is used in-memory at the moment of rendering and is not stored as a permanent visitor profile. Depending on which personalisation rules a Merchant configures, this may include:

  • Page and context information: page path, page type, locale, template context, shop name, and shop domain
  • Customer identifiers: a numeric customer ID for logged-in customers (a number, not a name or email address)
  • Customer attributes: order count, total spent, customer tags, accepts marketing status
  • Purchase history attributes: purchased product IDs, product titles, vendors, total items purchased (only if Merchant enables purchase history personalisation)
  • Cart attributes: items in cart, cart total, currency, cart product titles, vendors, and quantities
  • Product and collection attributes: product ID, title, type, vendor, price, tags, collections, variants, and inventory as referenced by Merchant-configured content
  • Localisation attributes: country, currency, language, market, and continent
  • UTM parameters: source, medium, campaign, and term as present in the visitor's URL

What we deliberately do not collect: first name, last name, email address, or phone number in personalisation payloads. Merchants are responsible for ensuring sensitive personal data is not entered into Growcado templates or configuration settings.

C) Operational reliability events

To confirm that Growcado personalisation content is rendering correctly and to diagnose errors, we record a small number of component-level operational events related to how visitors interact with Growcado-rendered content. These events are linked to an anonymous visitor ID only and are used solely for confirming App functionality and diagnosing rendering issues. We do not use these events for analytics reporting or to build visitor profiles.

D) Logs and diagnostics

To operate, secure, and improve the App, we process operational logs including timestamps, request metadata, store domain, and error details.

4. How do we use information?

We use information to:

  • Provide, maintain, and operate the App including authentication, configuration, and content management
  • Deliver personalisation and AI features configured by the Merchant
  • Confirm that Growcado content is rendering correctly and diagnose errors
  • Maintain security, prevent abuse and fraud, and investigate incidents
  • Comply with legal obligations and enforce agreements
  • Support Merchant requests including data export, deletion, and technical support

We do not use Merchant or visitor data to train third-party AI models, build advertising audiences, or sell insights to any other party.

5. Legal bases for processing

Where GDPR, UK GDPR, or similar laws apply, we rely on one or more of the following legal bases:

  • Contract: to provide the App and services requested by the Merchant
  • Legitimate interests: to secure, monitor, troubleshoot, and improve service reliability and performance
  • Legal obligation: to meet legal, compliance, and regulatory obligations
  • Consent: where required by applicable law

Where Growcado acts as processor or service provider, we process Customer data on documented Merchant instructions and under applicable data processing terms.

6. How do we share information?

We do not sell personal information. We do not share data for cross-site behavioural advertising. We only share data in these situations:

  • Shopify: for authentication, API operations, and standard app-lifecycle flows where applicable
  • Infrastructure and service providers: hosting, database, logging, and support providers, all under strict confidentiality and data protection obligations
  • Legal requirements: to comply with applicable law, lawful court orders, or to protect the rights and safety of Growcado Inc., Merchants, or others
  • Business transfers: in the event of a merger, acquisition, financing, or asset sale, subject to appropriate protections

We will notify you if this list changes in a way that affects your data.

7. Cookies and local storage

Growcado does not use third-party advertising cookies or share any data with ad networks.

Operational reliability events use an anonymous visitor ID to link component-level events within a single session. This is first-party only. Data flows only to Growcado and is not shared with advertising or analytics platforms.

Important for UK and EU stores: behavioural tracking requires valid consent before firing under UK PECR and the EU ePrivacy Directive. You are responsible for configuring a cookie consent banner on your storefront. Contact us if you need help with this.

8. Data retention

We retain data only as long as necessary for the purposes described in this Policy.

  • Store account and configuration: retained while you use the App; deleted within 90 days of uninstalling
  • Personalisation parameters: generated per request, used in-memory for rendering, and not persisted as a durable visitor profile record
  • Operational reliability events: retained for a limited rolling window needed for diagnostics and reliability monitoring, then deleted or aggregated
  • App error logs: deleted on a rolling 12-month basis

If you ask us to delete your data sooner, we will do so within 30 days.

9. Security

We protect data using encrypted connections (HTTPS), access controls, and ongoing security monitoring. Data is backed up regularly. Backups are encrypted and stored in the EU. If there is ever a breach that affects your data, we will notify you within 72 hours. No method of transmission or storage is fully secure, but we take this seriously.

10. Where your data is stored

Growcado Inc. is based in the United States, but all data is stored and processed on servers located in the European Union. Your store data and any visitor data we hold do not leave the EU. If you need written confirmation of this for your own records, contact us at the address below.

11. International data transfers

Where required by law, we implement appropriate transfer safeguards for any cross-border transfers, including contractual transfer mechanisms such as Standard Contractual Clauses.

12. Your rights

You can ask us at any time to:

  • See what data we hold about you or your store
  • Correct anything that is inaccurate
  • Delete your data
  • Receive a copy of your data in a readable format

Email info@growcado.ai and we will respond within one calendar month. No charge.

UK and EU residents: you have additional rights under UK GDPR and EU GDPR, including the right to object to certain processing and the right to complain to your supervisory authority. In the UK: Information Commissioner's Office at ico.org.uk.

13. U.S. state privacy disclosures (including California)

Where applicable U.S. state privacy laws apply:

  • We may process categories such as identifiers, commercial and account information, and limited inferences tied to Merchant-configured personalisation
  • We use these categories for business purposes described in this Policy: service delivery, security, operations, and compliance
  • We do not sell personal information for money
  • We do not share personal information for third-party cross-context behavioural advertising
  • Residents may have rights to know, access, delete, correct, and limit certain processing depending on applicable state law. Requests can be submitted using the contact details in Section 12

14. Merchant responsibilities

Installing Growcado does not transfer your compliance obligations to us. As the store owner, you remain responsible for:

  • Providing your store visitors with a privacy notice that discloses your use of personalisation tools, including Growcado
  • Obtaining valid cookie consent from UK and EU visitors before any non-essential tracking fires
  • Using Growcado within the limits of the law and not entering sensitive personal data into Growcado templates or configuration settings
  • Ensuring any additional analytics or advertising tools in your storefront are disclosed in your own privacy policy

If you are unsure about any of this, contact us and we will help.

15. Children's privacy

The App is not directed to children and we do not knowingly collect personal information from children through the App.

16. Changes to this policy

We may update this Policy from time to time. If we make meaningful changes, we will notify you via the App or by email before the change takes effect. The date at the top of this page will show when it was last updated.

17. Contact us

For privacy questions or to exercise your rights:

Email: info@growcado.ai