SpectoAI — Privacy Policy

Effective date: 14 February 2026

Last updated: 14 February 2026


1) Who We Are

SpectoAI (the "Service") is operated by GetRobo ("Company", "we", "us").

Website: https://spectoai.getrobo.xyz

Contact: contact@getrobo.xyz


2) Scope

This Privacy Policy explains how we collect, use, disclose, and protect information when you:

  • visit our public landing page, or
  • install/use the SpectoAI app inside BigCommerce (via BigCommerce App Marketplace).

The Service is intended for business users (B2B) and is not directed to consumers.


3) Roles: Controller vs Processor (B2B Context)

Depending on the data and context:

  • We act as a data controller for account/admin contact data we receive from BigCommerce (e.g., admin email) and for support/contact requests.
  • We typically act as a data processor when processing Product Data (and related identifiers) on behalf of the merchant operating the Store.

Your organization (the merchant) is generally the controller for Store content and Product Data.


4) Information We Collect

4.1 Information from BigCommerce OAuth (on install/login)

We receive (via BigCommerce) and store:

  • Store Hash (Store identifier)
  • Access Token (to call BigCommerce APIs on your behalf)
  • BigCommerce User ID
  • Email address (admin/user)
  • Scopes (permissions granted)

4.2 Product Data from BigCommerce APIs

We may access the following to generate and manage Alt Text:

  • product names/titles
  • short product descriptions (we recommend and, where possible, limit this to short excerpts)
  • categories, brands
  • SKUs
  • custom fields (e.g., color, material, size)
  • product image URLs
  • existing alt text

The Service is designed not to collect your Store's end-customer data (orders, payment data, financial data).

4.3 Generated and Operational Data

  • generated Alt Text (AI Output)
  • final/applied Alt Text (including manual edits)
  • processing context (e.g., JSON payload describing the product context used for generation)
  • status flags (PENDING / GENERATED / APPLIED / REJECTED / MANUAL)
  • timestamps (generation/applied)
  • usage records (credits used; action type such as single/bulk/regenerate)

4.4 Session and Technical Data

  • session tokens (e.g., JWT containing storeHash, userId, email)
  • session records in our database (storeHash, userId, email, expiry)
  • basic logs for security/operations (IP address may be included depending on infrastructure defaults)

4.5 Contact Form Data (Landing Page)

  • email address (provided voluntarily)
  • message content

5) How We Use Information (Purposes)

We use information to:

  • provide and operate the Service (authenticate, fetch products, generate Alt Text, apply Alt Text)
  • provide support and respond to inquiries
  • manage subscriptions/entitlements (via BigCommerce billing signals)
  • monitor and improve reliability, security, and performance
  • prevent abuse and investigate incidents
  • comply with legal obligations and enforce our Terms

6) Legal Bases (EEA/UK)

Where GDPR/UK GDPR applies, we rely on:

  • Contract necessity (Art. 6(1)(b)) to provide the Service
  • Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, service improvement
  • Legal obligations (Art. 6(1)(c)) where required (e.g., compliance, lawful requests)

7) Sharing and Disclosure

We disclose information only as needed:

  • Service providers/sub-processors (see Section 8)
  • BigCommerce (API calls, webhooks, billing events)
  • Legal/compliance: when required by law, court order, or to protect rights and safety
  • Business transfers: in connection with merger, acquisition, or asset sale (subject to safeguards)

We do not sell personal information.


8) Sub-Processors / Third Parties We Use

8.1 AI Processing — OpenAI

We send limited data to OpenAI to generate Alt Text:

  • product image URL and limited product context (e.g., name, brand, category, custom fields, short description excerpt)

OpenAI states that, by default, data sent via the API is not used to train or improve models, unless you opt in, and that abuse monitoring logs may be retained for up to 30 days (unless legally required to retain longer).

8.2 BigCommerce (Platform)

BigCommerce hosts your Store and provides OAuth, APIs, billing mechanisms, and webhooks.

8.3 Hosting/Database — Railway (and underlying cloud)

We host the app and database using Railway (including managed PostgreSQL).

8.4 Email Delivery — Resend

We use Resend to send and receive support/contact emails (email address and message content).


9) International Data Transfers

Because the Service uses vendors headquartered and/or processing data in the United States (e.g., BigCommerce and OpenAI), personal data may be transferred outside the EEA/UK.

Where required, we use appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs) (EU) and/or
  • reliance on the EU–U.S. Data Privacy Framework where the recipient is certified, and/or
  • the UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs.

10) Data Retention

  • Store/Alt Text/usage data: retained while the app is installed and your subscription is active.
  • Sessions: JWT sessions expire after 24 hours (and/or stored sessions expire accordingly).
  • Uninstall/cancellation: Store-related data is deleted within 30 days, unless retention is required by law or for dispute/security purposes.
  • Contact form emails: retained as needed to resolve the request and for record-keeping/security.

11) Security

We use industry-standard safeguards, including:

  • TLS/HTTPS in transit
  • access controls and secret management (environment variables)
  • input validation and parameterized database access (ORM)
  • store-level data isolation keyed by Store identifier

No method of transmission or storage is 100% secure; we cannot guarantee absolute security.


12) Cookies and Similar Technologies

We use essential cookies or local storage mechanisms to maintain your authenticated session (e.g., JWT). We do not use third-party advertising cookies on the app experience by default. If analytics are introduced, we will update this Policy and provide choices where required.


13) Your Rights and Choices

13.1 EEA/UK (GDPR/UK GDPR)

Subject to law, you may have rights to:

  • access, rectify, delete
  • restrict or object to processing
  • data portability
  • lodge a complaint with a supervisory authority

13.2 California (CCPA/CPRA)

If applicable, you may have rights to know, delete, correct, and opt out of "sale"/"sharing" (we do not sell/share for cross-context behavioral advertising). We may need to verify your request and authority to act on behalf of a business.

13.3 Canada (PIPEDA) and Québec Law 25

You may have rights to access and correct personal information and to withdraw consent where applicable. Additional Québec requirements (e.g., privacy impact assessment for certain cross-border transfers) may apply depending on the circumstances.

To exercise rights: contact@getrobo.xyz


14) Children

The Service is not intended for individuals under 18. We do not knowingly collect personal data from children.


15) Changes

We may update this Privacy Policy. Material changes will be notified via the Service and/or email. The "Last updated" date will change accordingly.


16) Contact

Privacy questions and requests: contact@getrobo.xyz

Security reports: contact@getrobo.xyz