SpectoAI - Privacy Policy (Shopify App)

Effective date: 22 February 2026

Last updated: 23 February 2026

1) Who We Are

SpectoAI (the "Service") is operated by GetRobo ("Company", "we", "us").

Registered address: Stefana Banacha 29/54, 31-235 Krakow, Poland

Email: contact@getrobo.xyz

2) Scope

This Privacy Policy explains how we collect, use, disclose, and protect information when you:

  • visit our websites/landing pages, or
  • install and use the SpectoAI app inside Shopify (via the Shopify App Store).

The Service is intended for business users (merchants). However, certain data we process may relate to individuals (for example, store staff contact details or, in rare cases, personal data that appears in product content).

3) Roles: Controller vs Processor (B2B Context)

Depending on the context:

  • Controller: We act as a controller for (a) merchant account/admin contact information we receive from Shopify (for example, shop domain, billing/admin contact details if provided), and (b) communications/support requests.
  • Processor: We typically act as a processor when we process Product Data and generate/apply alt text on the merchant's instructions.

The merchant is generally the controller for Store content and Product Data, including any personal data embedded in that content.

4) Information We Collect

4.1 Information from Shopify (OAuth / App Installation)

When you install or authenticate the app, Shopify provides and we store:

  • Shop domain (e.g., mystore.myshopify.com)
  • Shopify access token / session credentials (to call Shopify APIs on your behalf)
  • Granted scopes/permissions and session metadata (expiry, identifiers)

4.2 Product Data from Shopify APIs (for Alt Text generation)

To generate and manage alt text, we may access:

  • product titles/names
  • product descriptions (limited excerpts)
  • vendor/brand, product type, tags
  • product image URLs (media references)
  • existing alt text

Data minimization: Our app is designed to operate without accessing end-customer order/payment/financial data unless you explicitly enable features that require it.

Image storage model: we store image references (URLs) and related metadata; we do not store raw image binaries/files in our primary application database.

4.3 Generated and Operational Data

We generate and store:

  • AI-generated alt text ("AI Output")
  • final/applied alt text (including merchant edits)
  • processing context used for generation (e.g., which product fields were used)
  • status flags (PENDING / GENERATED / APPLIED) and timestamps
  • usage records (credits used, action type: single/bulk)

Stored record fields (current implementation): shop domain, plan/subscription status, credit counters, product ID, image ID, image URL, original alt text (if present), generated/final alt text, status, and created/updated/applied timestamps; plus Shopify session records needed for authentication (which may include account email and related session metadata).

4.4 Technical, Security, and Log Data

We may process:

  • basic logs for security and operations (may include IP address, user-agent, timestamps, request IDs)
  • error reports and audit events (for example, "bulk generation started")

Prompt/log behavior: prompt text is assembled in-memory and sent to the AI provider for generation. In our current implementation, we do not intentionally persist full prompt text in database records and we do not intentionally log full prompt/alt text content in normal operational logs.

5) How We Use Information (Purposes)

We use information to:

  • provide and operate the Service (authenticate, fetch products, generate alt text, apply alt text)
  • provide support and respond to inquiries
  • manage subscriptions/entitlements (via Shopify App Billing)
  • monitor and improve reliability, performance, and security
  • prevent abuse, investigate incidents, and enforce our Terms
  • comply with legal obligations

6) AI Processing (OpenAI) - Data Use & Retention

To generate alt text, we send limited Product Data to our AI provider (OpenAI), such as:

  • product image URL and limited product context (title/vendor/type/tags/short description excerpt)

No training by us: We do not use your data to train our own AI models.

OpenAI training: By default, OpenAI does not train models on API inputs/outputs for business/API usage unless an organization explicitly opts in.

OpenAI retention: OpenAI may retain certain API content in abuse-monitoring logs for up to ~30 days (unless legally required otherwise).

7) Legal Bases (EEA/UK)

Where GDPR/UK GDPR applies, we rely on:

  • Contract necessity (Art. 6(1)(b)) to provide the Service
  • Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, and service improvement
  • Legal obligations (Art. 6(1)(c)) where required

8) Sharing and Disclosure

We disclose information only as needed:

  • Service providers / sub-processors (see Section 9)
  • Shopify (API calls, webhooks, billing events)
  • Legal/compliance (when required by law, or to protect rights and safety)
  • Business transfers (merger, acquisition, asset sale-subject to safeguards)

We do not sell personal information.

9) Sub-Processors / Third Parties

We use the following categories of providers:

  • AI processing: OpenAI (alt text generation)
  • Platform: Shopify (OAuth, Admin APIs, Billing, webhooks)
  • Hosting/Database: Railway (application hosting, managed database)

We require service providers to protect Merchant Data and use it only to provide services to us, consistent with Shopify API requirements.

10) International Data Transfers

Because some vendors process data in the United States (e.g., Shopify and OpenAI), data may be transferred outside the EEA/UK.

We use appropriate safeguards where required, such as SCCs and/or other lawful transfer mechanisms.

11) Data Retention

We retain data only as long as needed for the purposes described above:

  • Store/Product/Alt Text/usage data: kept while the app is installed and the subscription is active.
  • Uninstall and redact behavior (current implementation): when we receive app/uninstalled or shop/redact, we delete the shop row and associated app data from the primary database (including dependent alt text and usage records), and remove app sessions for that shop.
  • Security logs: retained for a limited period necessary for security and operations.
  • Backups: we do not maintain separate app-level long-term archives in code; infrastructure/database backups are managed by our hosting provider on a rolling basis and residual backup copies may persist until rotated out per provider policy.
  • Compliance requests (Shopify GDPR webhooks): we process and complete required actions within 30 days of receiving a valid request, unless we are legally required to retain certain data.

Shopify mandatory webhooks (privacy law compliance)

If applicable, Shopify can send mandatory webhooks:

  • customers/data_request (request to provide customer data to merchant)
  • customers/redact (request to delete customer data)
  • shop/redact (request to delete shop-related personal data)

Shopify typically attempts to send shop/redact about 48 hours after uninstall.

In the current implementation, we do not maintain a separate customer profile/order dataset; customers/data_request and customers/redact are handled as compliance events, and shop/redact triggers shop-level deletion in the primary database.

12) Security

We use industry-standard safeguards, including:

  • TLS/HTTPS in transit
  • access controls and least-privilege for systems and databases
  • secure secret management
  • store-level logical isolation (e.g., keyed by shop domain)
  • monitoring and incident response practices

No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

13) Cookies and Similar Technologies

Within the Shopify embedded app, we use essential session mechanisms to maintain authentication. We do not use third-party advertising cookies. If we introduce analytics or tracking, we will update this Policy and provide choices where required.

14) Your Rights and Choices

Depending on your location, you may have rights to access, correct, delete, restrict, object, or port your personal data, and to lodge a complaint with a supervisory authority.

To exercise rights or ask questions: contact@getrobo.xyz

California (CCPA/CPRA)

If applicable, you may have rights to know, delete, correct, and opt out of "sale"/"sharing". We do not sell personal information and do not share it for cross-context behavioral advertising.

We may need to verify your request and coordinate with the merchant (where the merchant is the controller).

15) Children

The Service is not intended for individuals under 18. We do not knowingly collect personal data from children.

16) Changes

We may update this Privacy Policy. Material changes will be notified via the Service and/or email, and the "Last updated" date will change accordingly.

17) Contact

Privacy questions and requests: contact@getrobo.xyz

Security reports: contact@getrobo.xyz

Postal address: GetRobo, Stefana Banacha 29/54, 31-235 Krakow, Poland