
GDPR Compliance

Last updated: December 23, 2025

Our Commitment to GDPR

GrowthPilot AI is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (GDPR). This page outlines how we comply with GDPR requirements and your rights as a data subject.

🇪🇺 For EU/EEA Users: We process your data in accordance with GDPR. You have specific rights regarding your personal data that we respect and uphold.

1. Data Controller Information

GrowthPilot AI acts as the data controller for personal data collected through our Service. For inquiries regarding data protection:

  • Email: [email protected]
  • Response Time: Within 30 days of receiving your request

2. Legal Basis for Processing

We process personal data under the following legal bases:

| Processing Activity | Legal Basis |
|---|---|
| Store health monitoring | Contract performance |
| Alert notifications | Contract performance |
| AI diagnosis processing | Contract performance & Consent |
| Service improvement | Legitimate interest |
| Marketing communications | Consent |
| Legal obligations | Legal requirement |

3. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

📋 Right of Access

Request a copy of the personal data we hold about you.

✏️ Right to Rectification

Request correction of inaccurate or incomplete data.

🗑️ Right to Erasure

Request deletion of your personal data ("right to be forgotten").

🚫 Right to Restriction

Request restriction of processing in certain circumstances.

📦 Right to Portability

Receive your data in a structured, machine-readable format.

✋ Right to Object

Object to processing based on legitimate interest or marketing.

4. How to Exercise Your Rights

To exercise any of your GDPR rights:

  1. Email us at [email protected]
  2. Include your store domain and the specific right you wish to exercise
  3. Provide verification of your identity (we may request confirmation)
  4. Receive our response within 30 days

We may extend this period by up to 60 days for complex requests, with notification.

5. Data We Collect

We collect and process the following categories of personal data:

  • Account Data: Store name, domain, email address, contact information
  • Technical Data: Store response times, HTTP status codes, error logs
  • Preference Data: Alert settings, notification preferences, plan selections
  • Usage Data: Feature usage, login timestamps, dashboard interactions

Important: We do NOT access or store your store's customer personal data, payment information, order details, or any PII from your customers.

6. Data Retention

We retain personal data only as long as necessary:

  • Active accounts: Data retained while you use our Service
  • Post-uninstall: Data deleted within 30 days of app removal
  • Backup retention: Backups cleared within 90 days
  • Legal holds: May retain data longer if legally required

7. International Data Transfers

Your data may be transferred to and processed in countries outside the EU/EEA. We ensure appropriate safeguards for such transfers:

  • Standard Contractual Clauses (SCCs) with service providers
  • Adequacy decisions where applicable
  • Binding corporate rules for group transfers

8. Data Security Measures

We implement technical and organizational measures to protect your data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication requirements
  • Regular security assessments and audits
  • Employee training on data protection
  • Incident response procedures
  • Data minimization practices

9. Sub-Processors

We use the following categories of sub-processors:

  • Cloud Infrastructure: Secure hosting and data storage
  • Email Services: Alert and notification delivery
  • AI/ML Providers: Diagnostic analysis processing
  • Analytics: Service performance monitoring

All sub-processors are bound by data processing agreements that meet GDPR requirements.

10. Data Protection Officer

For data protection inquiries, you may contact our designated privacy contact:

  • Email: [email protected]
  • Response Time: Within 5 business days

11. Supervisory Authority

If you believe we have not addressed your data protection concerns adequately, you have the right to lodge a complaint with a supervisory authority in your EU member state.

12. Automated Decision-Making

Our AI diagnosis feature involves automated processing, but:

  • It does not involve automated decision-making with legal effects
  • All AI suggestions are recommendations only
  • You maintain full control over actions taken
  • Human review is always possible upon request

13. Children's Data

Our Service is not intended for individuals under 16 years of age. We do not knowingly collect data from children. If you believe we have collected such data, please contact us immediately.

14. Updates to This Notice

We may update this GDPR compliance notice as regulations evolve. Material changes will be communicated via email to affected users.

15. Contact Information

For any GDPR-related inquiries:

  • General GDPR: [email protected]
  • Data Access Requests: [email protected]
  • Data Protection Officer: [email protected]

🔒 We take your privacy seriously. Your trust is our priority.

© 2025 GrowthPilot AI. All rights reserved.
