Privacy Policy

1. Introduction

Okiela ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered e-commerce analytics platform.

2. Data We Collect

Account Information

• Email address
• Name and company name (optional)
• Password (encrypted)

Analytics Data

• E-commerce transaction data you upload (CSV, Excel)
• Shopify store data (if you connect your store)
• Usage patterns within our platform

3. How We Use Your Data

• To provide and improve our analytics services
• To generate AI-powered insights and recommendations
• To communicate with you about your account
• To detect and prevent fraud or abuse

4. Data Security

We implement industry-standard security measures including:

• 256-bit SSL encryption for all data transfers
• Encrypted data storage at rest
• Regular security audits
• SOC 2 Type II compliance (in progress)

5. Your Rights

You have the right to:

• Access your personal data
• Request correction of inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Withdraw consent at any time

6. Shopify Data Handling

When you connect your Shopify store or upload Shopify export data, the following applies:

6.1 Data Access & Scope

• We only request the minimum Shopify API access scopes required to provide our analytics service (orders, products, and basic store information).
• We do not access or store customer personal data (names, addresses, emails) from your Shopify store beyond what is needed for order-level profit calculations.
• All Shopify data access complies with Shopify's Protected Customer Data Requirements.

6.2 Data Retention & Deletion

• CSV uploads: Processed in-browser using DuckDB WASM. Raw CSV data is never stored on our servers. Only aggregated analytics results are saved to your account.
• Shopify API data: Synced order and product data is retained for the duration of your active subscription. Upon account deletion or app uninstall, all synced Shopify data is permanently deleted within 48 hours.
• Webhook compliance: We process Shopify mandatory webhooks (customers/data_request, customers/redact, shop/redact) and will delete all associated data within 48 hours of receiving a redaction request.

6.3 AI & Automated Processing Disclosure

• Okiela uses AI (Google Gemini) to generate profit insights, SKU repricing recommendations, and natural-language answers about your data.
• Your data is sent to the AI model only in temporary, session-scoped context. The AI does not retain or learn from your data after the session ends.
• All profit calculations (5D Pipeline: GMV → Net Revenue → Gross Profit → Net Profit → True Profit) are deterministic and auditable — not AI-generated.
• You can opt out of AI features at any time by using the dashboard without the AI chat sidebar.

6.4 Shopify App Uninstall

• If you uninstall the Okiela Shopify app, all stored Shopify data associated with your store is queued for permanent deletion.
• Deletion is completed within 48 hours of uninstall.
• Your Okiela account and any non-Shopify data (e.g., CSV analysis history) remains accessible unless you separately request full account deletion.

6.5 Customer Data Request Handling

• When a customer of your Shopify store submits a data request (access, portability, or erasure) through Shopify, we receive a customers/data_request webhook.
• We will compile and deliver all data associated with that customer within 30 days of the request, or confirm that no personal data is held.
• For erasure requests, all identifiable customer data is permanently deleted within 48 hours of receiving the customers/redact webhook from Shopify.
• To submit a data request directly, contact privacy@okiela.io.

6.6 Sub-Processors (GDPR Article 28)

The following third-party sub-processors may process personal data on our behalf in connection with the Shopify integration:

• Supabase Inc. (USA/EU) — Authentication, database storage. SOC 2 Type II certified.
• Vercel Inc. (USA) — Application hosting, serverless functions, edge network.
• Polar Software Inc. (USA) — Payment processing (Merchant of Record). PCI DSS compliant.
• Stripe Inc. (USA) — Secondary payment processor. PCI DSS Level 1 certified.
• Google LLC (USA) — Gemini AI for analytics insights. Data is not used for model training; session-scoped only.
• Functional Software Inc. (Sentry) (USA) — Error monitoring. No personal data collected.

All sub-processors are bound by Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) where required. We will notify users of any material changes to this sub-processor list via email at least 30 days in advance.

7. Third-Party Services

We use the following third-party services to operate Okiela:

• Supabase: Authentication and database (EU/US regions, SOC 2 Type II compliant)
• Vercel: Hosting and serverless functions
• Polar / Stripe: Payment processing (PCI DSS compliant)
• Google Gemini: AI-powered insights (data not used for model training)
• Sentry: Error monitoring (no personal data collected)
• Vercel Analytics: Anonymous usage analytics

8. GDPR & International Compliance

Okiela complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

• Data Controller: Okiela (operated by Dai Nguyen Tuan), contact: privacy@okiela.io
• Legal Basis for Processing: Contract performance (providing the analytics service), legitimate interest (improving our product), and consent (marketing communications).
• International Transfers: Data may be processed in the United States and European Union through our hosting providers (Vercel, Supabase). All transfers are covered by Standard Contractual Clauses.
• Data Protection Officer: For DPO inquiries, contact privacy@okiela.io

9. Contact Us

For privacy-related questions or requests, contact us at: privacy@okiela.io

For general support: support@okiela.io

For legal inquiries: legal@okiela.io