Privacy Policy

Last Updated: October 27, 2025

Data We Collect

We collect several types of information to provide and improve our AI-powered popup generator service. This section details the specific data we collect, organized by how we obtain it and why we need it.

1.1 Data You Provide Directly

When you use our Service as a merchant, we collect the following information directly from you:

Account Information

• Name and email from Google authentication
• Profile information
• Account preferences

Business Information

• Brand guidelines and tone
• Website URLs and store information
• Subscription preferences

Content & Preferences

• Product information and metadata
• Discount rules and promotional offers
• AI generation preferences and settings

Moderation Settings

• Word blacklists and blocked terms
• Tone and style preferences
• Content approval workflows

1.2 Data from Your Website Visitors

When your visitors interact with popups on your website, we collect the following information to provide context-aware popup generation:

Behavioral Data

• Time spent on site and pages viewed
• Click patterns and navigation flow
• Scroll depth and engagement metrics

E-commerce Activity

• Cart additions and removals
• Product views and browsing history
• Purchase intent signals

Technical Information

• Browser type and version
• Device type and operating system
• IP address and general location

Identification Data

• Browser fingerprint for session management
• Anonymous visitor identifiers
• Popup interaction history

1.3 Automatically Collected Data

We automatically collect certain technical information when you use our Service:

Usage Data

Service interaction logs
Feature usage patterns
Performance metrics

Technical Data

Error reports and crash analytics
API request/response times
System performance data

Important Data Collection Notice

We do not intentionally collect highly sensitive personal data such as government IDs, financial account numbers, health information, or biometric data. Browser fingerprints are used for session management and fraud prevention only, not for individual identification.

Legal Bases for Processing

We process your personal data based on one or more of the following legal bases as required by applicable data protection laws, including the GDPR:

2.1 Contractual Necessity

We process your data when it is necessary to perform our contractual obligations to you:

Service Delivery

Processing your brand guidelines, product data, and preferences to generate AI-powered popups as specified in our service agreement with you.

Account creation and management

Popup generation and delivery

Subscription billing and payment

Customer support and communication

2.2 Legitimate Interests

We process data when we have a legitimate business interest that is not overridden by your data protection rights:

Service Improvement

Enhancing AI models and service functionality

Security & Fraud Prevention

Protecting our service and users

Analytics & Business Intelligence

Understanding usage patterns

Marketing & Communication

Relevant service updates and offers

2.3 Legal Obligation

We process your data when required to comply with legal obligations:

Compliance Requirements

Processing necessary to comply with legal, regulatory, or tax obligations, including data retention for accounting purposes and responding to lawful requests from authorities.

2.4 Consent

In specific circumstances, we may ask for your explicit consent before processing your data:

Where We Seek Consent

Certain marketing communications
Non-essential cookies and tracking
Optional data sharing for research

Your Control

You can withdraw consent anytime
Withdrawal doesn't affect prior processing
Manage preferences in your account

2.5 Processing of Website Visitor Data

When we process data from your website visitors, we act as a data processor under your instructions. The legal basis for this processing is:

Your Legitimate Interests as Data Controller

We process visitor data on your behalf to provide the popup generation services you've requested. As the website owner, you are responsible for establishing your own legal basis for this processing and providing appropriate privacy notices to your visitors.

Legal Basis Transparency

We process your data under multiple legal bases depending on the purpose. For service delivery, we rely on contractual necessity. For improvements and analytics, we use legitimate interests. We only use consent for optional activities. You have rights regarding your data regardless of the legal basis used.

Third-Party Data Sharing

We share your data with trusted third-party service providers to operate and improve our Service. All third parties are carefully vetted and required to protect your data in accordance with applicable data protection laws.

3.1 AI and LLM Providers

We share data with artificial intelligence and large language model providers to generate popup content:

Providers We Use

OpenAI, Anthropic, Llama, and other AI service providers. We may change providers based on performance, cost, and feature requirements.

Data Shared

Product information, brand guidelines, prompts, and context data necessary for popup generation. This data may be used by AI providers for model training and improvement.

Product descriptions and metadata

Brand voice and tone guidelines

Discount rules and promotions

Visitor context and behavior data

3.2 Infrastructure and Hosting

We use the following infrastructure providers to host and deliver our Service:

Hetzner Online

Primary hosting provider

All user data, account information, and service data are stored and processed on Hetzner servers in secure data centers.

Cloudflare

CDN and security services

All web traffic passes through Cloudflare for DDoS protection, CDN acceleration, and security filtering.

3.3 Analytics and Monitoring

We use analytics services to understand how our Service is used and to improve performance:

PostHog Analytics

We use PostHog to analyze service usage patterns, feature adoption, and performance metrics. This helps us improve user experience and identify areas for enhancement.

Feature usage statistics

Performance and error monitoring

User interaction patterns

Service reliability metrics

3.4 Payment Processing

We use third-party payment processors to handle subscription payments:

Polar Payments

We use Polar to process subscription payments. Polar handles all payment card information and transaction processing. We do not store or process payment card details on our servers.

Note: Payment card information is handled exclusively by Polar and is never accessible to our systems. We only receive payment confirmation and subscription status information.

3.5 Data Protection Measures

We ensure all third-party providers meet stringent data protection standards:

Contractual Safeguards

Data processing agreements in place
Confidentiality and security obligations
GDPR-compliant data transfer mechanisms

Security Standards

Encryption in transit and at rest
Regular security audits and compliance
Access controls and monitoring

3.6 International Data Transfers

Your data may be transferred to and processed in countries outside of your residence:

Global Service Providers

Our third-party providers operate globally. Data may be processed in the United States, European Union, and other countries where our providers have facilities.

Adequacy Decisions and Safeguards

We use Standard Contractual Clauses (SCCs) and other approved mechanisms to ensure adequate protection for international data transfers as required by GDPR.

Third-Party Sharing Transparency

We only share data with trusted partners necessary to provide our Service. All providers are bound by strict data protection agreements. AI providers may use your data for model training - consider this when sharing sensitive business information. Payment data is handled exclusively by our payment processor and never touches our servers.

Your Data Rights

Under data protection laws like GDPR and CCPA, you have specific rights regarding your personal data. This section explains your rights and how to exercise them.

4.1 Right to Access

You have the right to know what personal data we hold about you and how we process it.

What You Can Request

You can request a copy of your personal data, including information about how we use it, who we share it with, and how long we keep it.

How to Exercise: Contact us at [email protected] with "Data Access Request" in the subject line. We'll respond within 30 days.

4.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

Self-Service Options

Update account information in settings
Modify brand guidelines and preferences
Adjust AI generation settings

Manual Requests

Email for complex data corrections
Provide evidence for corrections
We'll confirm when corrections are made

4.3 Right to Erasure (Right to Be Forgotten)

You can request deletion of your personal data in certain circumstances.

When Deletion Applies

You can request deletion when: data is no longer necessary, you withdraw consent, you object to processing, or data was processed unlawfully.

Immediate Deletion

Cancel your account through dashboard settings. Most data is deleted immediately, some retained for legal requirements.

Manual Request

Email [email protected] for specific data deletion requests. We'll confirm what can be deleted and any exceptions.

4.4 Right to Restrict Processing

You can request that we temporarily stop processing your data in certain situations.

When You Can Restrict

You contest data accuracy
Processing is unlawful but you oppose deletion
We no longer need data but you require it for legal claims

What Happens During Restriction

Data is stored but not processed
Service functionality may be limited
We'll notify you before lifting restrictions

4.5 Right to Data Portability

You can request your data in a structured, commonly used, and machine-readable format.

Export Your Data

We provide data exports in JSON format containing your account information, brand guidelines, popup history, and settings. This allows you to transfer your data to another service.

Available Formats: JSON, CSV. Request through your account dashboard or email [email protected]. Processed within 30 days.

4.6 Right to Object

You can object to certain types of data processing.

Direct Marketing

Opt-out of promotional emails in account settings or unsubscribe links

Analytics & Research

Object to data use for service improvement and research

Automated Processing

Object to AI-generated content decisions affecting you

Legitimate Interests

Object to processing based on legitimate interests

4.7 Rights for Website Visitors

If you are a visitor to a website using our Service, your rights are exercised through the website owner:

Data Controller Relationship

The website owner (our customer) is the data controller for visitor data. We act as a data processor. To exercise your rights regarding popup-related data, contact the website owner directly. We will assist them in fulfilling your requests.

4.8 How to Exercise Your Rights

To exercise any of your data protection rights:

Email

[email protected]

Account Dashboard

Self-service options in settings

Support

In-app support chat

Response Time: We respond to all legitimate requests within 30 days. We may need to verify your identity before processing certain requests.

Your Data Rights Summary

You have comprehensive rights over your personal data including access, correction, deletion, and portability. Most rights can be exercised through your account dashboard. For complex requests, contact our privacy team. We never charge for legitimate data rights requests and respond within 30 days. Website visitors should contact the website owner for popup-related data requests.

Data Security Measures

We implement comprehensive technical and organizational security measures to protect your data against unauthorized access, alteration, disclosure, or destruction.

5.1 Encryption

We use strong encryption protocols to protect your data both in transit and at rest:

Data in Transit

TLS 1.2+ encryption for all web traffic and API communications

Data at Rest

AES-256 encryption for databases and file storage

Key Management

Secure key management with regular rotation and access controls

Backup Encryption

All backups are encrypted and stored in secure locations

5.2 Access Controls

We implement strict access controls to ensure only authorized personnel can access your data:

Principle of Least Privilege

Employees and systems are granted only the minimum access necessary to perform their duties. Regular access reviews ensure permissions remain appropriate.

Authentication

Multi-factor authentication for admin access
Strong password policies enforced
Session timeout and re-authentication

Authorization

Role-based access control (RBAC)
API key management and rotation
Audit logs for all access attempts

5.3 Infrastructure Security

Our infrastructure is designed with security as a primary consideration:

Network Security

Firewalls, DDoS protection, and intrusion detection systems

Server Hardening

Regular security patches and minimal attack surface

Vulnerability Management

Regular security scanning and penetration testing

Physical Security

Data center security with biometric access controls

5.4 Monitoring and Logging

We maintain comprehensive monitoring to detect and respond to security incidents:

Comprehensive Monitoring

24/7 monitoring of system activities, network traffic, and access patterns. Automated alerts for suspicious activities and potential security incidents.

Real-time security event monitoring

Audit logs for all data access

Anomaly detection and alerting

Incident response procedures

5.5 Data Backup and Recovery

We maintain robust backup and disaster recovery procedures:

Backup Procedures

Automated daily backups with point-in-time recovery
Encrypted backups stored in geographically separate locations
Regular backup integrity testing and validation

Recovery Capabilities

Documented disaster recovery procedures
Regular disaster recovery testing and drills
Recovery Time Objective (RTO) of less than 4 hours

5.6 Employee Security Training

Our team is trained to handle data securely and responsibly:

Security Awareness Program

All employees complete mandatory security training covering data protection, phishing awareness, incident response, and secure development practices. Regular refresher training ensures ongoing compliance.

Background checks for all employees

Confidentiality agreements signed

Secure development lifecycle training

Incident response role training

5.7 Third-Party Security

We ensure our third-party providers maintain high security standards:

Vendor Security Assessments

We conduct security assessments of all third-party providers handling your data. Providers must demonstrate compliance with industry security standards and data protection regulations.

Contractual Security Requirements

All data processing agreements include strict security requirements, breach notification obligations, and data protection commitments.

Security Commitment

We implement a defense-in-depth security strategy with multiple layers of protection. While no system can be 100% secure, we continuously monitor, test, and improve our security measures. All employees are trained in security best practices, and we maintain comprehensive incident response procedures. Security is fundamental to our service design and operations.

Cookie Policy

We use cookies and similar tracking technologies to enhance your experience, analyze service usage, and support our marketing efforts. This policy explains what cookies are, how we use them, and your choices regarding cookies.

6.1 What Are Cookies?

Cookies are small text files that are stored on your device when you visit websites. They help websites remember information about your visit, which can make it easier to visit the site again and make the site more useful to you.

Session Cookies

Temporary, deleted when you close your browser

Persistent Cookies

Remain until expired or manually deleted

Similar Technologies

Local storage, pixels, and other tracking methods

6.2 How We Use Cookies

We use cookies for the following purposes:

Essential Cookies

Required for the basic functionality of our Service. These include authentication, security, and session management cookies.

Analytics Cookies

Help us understand how visitors interact with our Service, which pages are popular, and how users navigate through the site.

Functional Cookies

Remember your preferences and settings to enhance your experience, such as language preferences and customized content.

6.3 Types of Cookies We Use

Here's a detailed breakdown of the cookies we use:

Cookie Name	Purpose	Type	Duration
session_id	Maintains your login session	Essential	Session
csrf_token	Protects against cross-site request forgery	Essential	Session
_posthog_*	Tracks user behavior and service usage	Analytics	1 year
_ga	Google Analytics - distinguishes users	Analytics	2 years
user_preferences	Stores your UI and feature preferences	Functional	1 year
theme_preference	Remembers your dark/light mode preference	Functional	1 year

6.4 Third-Party Cookies

We also allow certain third parties to set cookies through our Service:

PostHog

Analytics and product analytics

Helps us understand how users interact with our Service to improve user experience.

Cloudflare

Security and performance

Provides DDoS protection and CDN services, may set cookies for security purposes.

6.5 Your Cookie Choices

You have several options to control cookies:

Browser Settings

Most web browsers allow you to control cookies through their settings preferences. However, limiting cookies may affect your ability to use certain features of our Service.

Cookie Consent Banner

When you first visit our Service, you'll see a cookie consent banner where you can choose which types of cookies to accept, except for essential cookies which are required for the Service to function.

Delete existing cookies through browser settings

Use private/incognito browsing mode

Install browser plugins to block cookies

Opt-out of analytics through our settings

6.6 Essential Cookies Notice

Required for Service Functionality

Essential cookies are necessary for the Service to function properly and cannot be switched off in our systems. They are usually only set in response to actions made by you, such as setting your privacy preferences, logging in, or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the Service will not work without them.

6.7 Updates to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in our practices, technology, legal requirements, or other reasons. We will notify you of any material changes through our Service or by other means to provide you the opportunity to review the changes before they become effective.

6.8 Contact Us About Cookies

If you have any questions about our use of cookies, please contact us at:

[email protected]

Please include "Cookie Policy" in the subject line

Cookie Usage Summary

We use essential cookies for security and functionality, analytics cookies to improve our Service, and functional cookies to remember your preferences. You can control non-essential cookies through our consent banner or your browser settings. Essential cookies are required for the Service to work properly. We do not use cookies for advertising purposes.

Contact Us

We are committed to protecting your privacy and being transparent about our data practices. If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us using the information below.

7.1 Primary Contact Methods

For privacy-related inquiries, data subject requests, or security concerns:

Email

For privacy questions and data requests

[email protected]

Support

For technical and account assistance

[email protected]

7.2 Response Times

We are committed to responding to your privacy inquiries in a timely manner:

24-48h

Initial Response

For general privacy inquiries

30 Days

Data Subject Requests

For access, deletion, or portability requests

72h

Security Concerns

For potential security incidents

7.3 What to Include in Your Request

To help us process your request efficiently, please include the following information:

For Data Requests

Your full name and email address
Type of request (access, deletion, etc.)
Specific data you're inquiring about

For General Inquiries

Clear description of your question
Relevant account information
Any relevant screenshots or details

Identity Verification: For data subject requests, we may need to verify your identity to protect your personal information. This may require providing additional information to confirm you are the account owner.

7.4 Data Protection Authority

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable data protection laws.

Your Right to Complain

If you are not satisfied with our response or believe we are processing your personal data in a way that does not comply with data protection law, you can complain to the data protection authority in your country of residence. We would appreciate the opportunity to address your concerns first, but you have the right to contact your supervisory authority at any time.

Contact your local data protection authority

European Data Protection Board for EU residents

Information Commissioner's Office (UK)

Federal Trade Commission (US)

7.5 Our Information

Registered Address

[Your Company Legal Address]

Company Registration

[Your Company Registration Number]

Phone

[Your Company Phone Number]

Legal Inquiries

[email protected]

7.6 Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other reasons. When we make changes, we will update the "Last Updated" date at the top of this policy and, where appropriate, notify you through our Service or by other means.

Thank You for Trusting Us With Your Data

We take your privacy seriously and are committed to protecting your personal information. If you have any questions or concerns about how we handle your data, please don't hesitate to reach out. We're here to help.

This Privacy Policy is effective as of