Privacy Policy

1. Information We Collect

We collect information you provide directly to us, such as when you:

• Create an account or sign up for our service
• Install Acurrate from the Shopify App Store
• Use our influencer ROI calculator
• Subscribe to our newsletter or marketing communications
• Contact us for support or feedback

This information may include your name, email address, and any other information you choose to provide.

Shopify Store Data: When you install Acurrate from the Shopify App Store, we access the following data from your Shopify store with your explicit permission:

• Orders: Order data including order totals, subtotals, shipping costs, and order dates (including orders older than 60 days for accurate 12-month historical metrics)
• Products: Product information including titles, types, tags, and vendors (used for industry detection)
• Analytics: Store analytics data for performance metrics
• Customer data (Shopify Protected Customer Data, Levels 1 + 2): Approved by Shopify on 2026-04-22 (reference 103226). This includes customer IDs, order numbers, customer name, and customer email address from your store's orders. See Section 6 for the full detail on how this data is stored, used, retained, and deleted.

Important: We have read-only access to your Shopify store data. We do not modify, edit, or write any data to your Shopify store. All data access is limited to what is necessary for providing customer-lifetime-value forecasting, returning-customer-rate analysis, and creator-to-customer matching as described in this policy.

1a. Creator Discovery Database

As part of our influencer discovery service, Acurrate maintains a database of publicly available information about content creators on third-party platforms (including Instagram, TikTok, and YouTube). This database is separate from customer account data and is collected from public sources, not from our customers.

What we collect about creators:

• Public profile information: username/handle, display name, profile picture URL, biography, external/linked URLs, stated location, verified status
• Public engagement metrics: follower count, following count, post/video counts, views, likes, comments, publication dates
• Public content metadata: captions, titles, descriptions, hashtags, tags, thumbnail URLs, video durations, music/audio identifiers
• Publicly listed contact information: business email addresses displayed on public profiles or creator-owned websites
• Derived/inferred attributes: estimated primary niche/category, estimated audience country, estimated audience age and gender distribution, authenticity/bot likelihood scores, brand affinity tags, posting cadence, and predicted performance metrics. These are inferences generated by automated analysis (including AI models) of the public data above and are estimates, not confirmed facts.

Sources: Public APIs and public web pages of third-party platforms, accessed directly or via data-provider services (including ScrapeCreators and official platform APIs such as the YouTube Data API). We do not access private accounts, private messages, or any information behind authentication walls belonging to creators who are not our customers.

Lawful basis (UK/EU GDPR): We process this information on the basis of legitimate interests (Article 6(1)(f)) — specifically, enabling brands to identify and evaluate professional content creators who publicly offer their services for commercial collaboration. We have assessed this basis against creators' rights and interests and have taken steps to minimise intrusion (we rely on public data only, do not collect special-category data, and provide an opt-out route described in Section 8).

Automated inferences: Audience demographics, authenticity scores, and niche classifications are produced by automated systems (including large language models such as Google Gemini) analysing public content and engagement. They are estimates and may be inaccurate. They are not used to make legally or similarly significant decisions about individuals.

Creators who are also our customers: If you are both a creator in our discovery database and a registered Acurrate customer, the two records are governed by the respective parts of this policy. You may request correction or deletion of your creator record using the process in Section 8.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Calculate accurate influencer ROI metrics using your store's historical data
• Process your calculations and store your data securely
• Calculate metrics including Average Order Value (AOV), Conversion Rate, and Returning Customer Rate (RCR) using aggregated data
• Send you technical notices, updates, and support messages
• Send you marketing communications (with your consent)
• Respond to your comments and questions
• Analyze usage patterns to improve our platform
• Manage team memberships and seat access for your store
• Operate the creator discovery database described in Section 1a — including indexing, search, filtering, and displaying public creator information to our customers
• Generate automated inferences (niche, audience estimates, authenticity, brand affinity) to help customers evaluate creators for potential collaboration

Customer Data Usage: Under Shopify Protected Customer Data Levels 1 + 2, we use your customers' customer IDs, order numbers, names, and email addresses for the following purposes only:

• Repeat-purchase analysis. Count unique customers, frequency of orders, and repeat-customer ratio.
• Customer lifetime value (LTV) forecasting. Compute per-customer first-order revenue, 90-day revenue, and lifetime revenue to power the forecast-mode toggle in the product.
• Creator-to-customer matching ("Your Customers"). Match customer email addresses (and, as a fallback, names) against our public creator-discovery database to identify which of your existing customers already follow a given creator. Used only to inform creator selection; we never share customer identity with creators or with any third party.
• Campaign attribution. Tie specific orders to specific creator campaigns using promo codes and UTM links, so we can attribute revenue correctly over time.

Storage, retention, and deletion: Raw Protected Customer Data (names, emails, customer IDs, order numbers) is stored encrypted at rest in our Supabase database (EU region) and is automatically deleted 30 days after its last sync from your Shopify store. Aggregated, non-identifying metrics (LTV numbers, returning customer rate, segment counts) may be retained indefinitely because they no longer contain personal data. Every access of Protected Customer Data is logged to an append-only audit trail per Shopify's PCD requirements.

Never used for: Marketing emails to your customers, advertising, resale, or disclosure to any third party. We do not transmit customer Protected Data to AI providers, analytics services, or external tools. We do not access physical addresses, phone numbers, geolocation, IP addresses, or browser data from your customer records.

3. Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except as described in this policy:

• Service Providers: We may share information with trusted service providers who assist us in operating our platform, including: Supabase (database and authentication, hosted in the EU), Shopify (app hosting and billing), Stripe (payment processing for direct customers), Klaviyo (email marketing), Google Cloud / Google Gemini (AI inference for niche tagging, audience estimation, and content classification), and data-provider services used to collect public creator information from third-party platforms (including ScrapeCreators and the official YouTube Data API).
• Shopify: When you install Acurrate from the Shopify App Store, your subscription billing is managed through Shopify's billing system. We share necessary billing information with Shopify to process payments and manage subscriptions.
• Team Members: If you add team members to your store, they will have access to your store's calculation data and settings based on their assigned role (Editor or Viewer). Team members do not have access to billing information or account management settings.
• Legal Requirements: We may disclose information if required by law or to protect our rights and safety
• Business Transfers: Information may be transferred in connection with a merger, sale, or acquisition

Customer Data (Shopify Protected Customer Data): We do not share, sell, resell, license, or disclose customer PCD (names, emails, customer IDs, order numbers) with any third party for any purpose. PCD is stored exclusively within Acurrate's Supabase infrastructure (EU region) and is not transmitted to AI providers, analytics services, advertising platforms, or any external tool. The only exceptions, as required by law, are (a) lawful order from a competent authority, or (b) a data-portability request initiated by the customer themselves under UK/EU GDPR Article 20.

4. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the internet is 100% secure.

5. Email Marketing

If you opt-in to receive marketing emails, we use Klaviyo to manage our email communications. You can unsubscribe at any time by clicking the unsubscribe link in any email or contacting us directly.

6. Shopify Data Access and Customer Privacy

Shopify App Store Integration: When you install Acurrate from the Shopify App Store, we request the following access scopes with your explicit permission:

• read_analytics: Access to store analytics data
• read_orders: Access to order data including orders older than 60 days (approved access for 12-month historical metrics)
• read_products: Access to product information for industry detection
• read_customers: Access to customer records including customer IDs, order numbers, names, and email addresses (approved under Shopify Protected Customer Data Levels 1 + 2 on 2026-04-22, reference 103226)

Read-Only Access: Acurrate has read-only access to your Shopify store data. We do not modify, edit, create, or delete any data in your Shopify store. We do not have write permissions for products, orders, customers, or any other store data.

Shopify Protected Customer Data (PCD): The following customer fields are Protected Customer Data under Shopify's classification and are governed by additional safeguards described in this section:

• Customer ID (Level 1)
• Order number (Level 1)
• Customer name (Level 2)
• Customer email address (Level 2)

Purposes for which we use PCD:

• Calculating Returning Customer Rate and other per-customer retention metrics
• Calculating Customer Lifetime Value (first-order, 90-day, lifetime) to power the forecast modes in our product
• Matching your existing customers to creators in our public creator-discovery database (the "Your Customers" feature). Matching is done by email address (exact match) and, as a lower-confidence fallback, by name. Matching is performed only within your store's scope and results are only ever visible to you
• Attributing specific orders to specific creator campaigns when promo codes or UTM links are used

Storage location: PCD is stored encrypted at rest in Supabase (Frankfurt, EU region). It is not replicated outside the EU.

Retention and deletion: Raw PCD is automatically deleted 30 days after its last sync from your Shopify store. Aggregated metrics derived from PCD (such as LTV numbers, segment counts, or match counts) are non-identifying and may be retained indefinitely. If you uninstall Acurrate, all PCD tied to your store is deleted within 48 hours. You may request earlier deletion at any time by contacting us (see Section 11).

Audit logging: Every access of PCD is logged to an append-only audit trail (field names accessed, timestamp, purpose, number of records touched). Shopify may request this audit log under their Partner Program requirements, and we will provide it on request.

Access control: PCD is accessible only to active members of your store with viewer, editor, or owner role. Acurrate staff access PCD only for the purposes of providing technical support at your request or complying with a legal obligation; such access is additionally logged.

What we do NOT do with PCD:

• We do not send marketing emails to your customers
• We do not resell, trade, or share customer PCD with any third party for their marketing or commercial purposes
• We do not transmit PCD to AI providers, analytics services, or external tools (customer data does not leave Acurrate's infrastructure)
• We do not access customer phone numbers, physical addresses, geolocation data, IP addresses, or browser/device information
• We do not combine PCD from your store with PCD from another store

Your customers' rights: Your customers retain all rights granted under UK GDPR, EU GDPR, CCPA, and other applicable privacy laws, including the rights of access, rectification, erasure, and objection. If a customer of yours exercises one of these rights (directly with us or via you), we will process the request within 30 days and notify you. See Section 8 for details.

7. Cookies and Analytics

We use cookies and similar technologies to improve your experience, analyze usage patterns, and provide personalized content. We use Google Analytics to understand how our service is used.

8. Your Rights

Under UK GDPR and applicable data-protection laws, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information (including inaccurate inferred attributes such as estimated demographics or niche)
• Request deletion of your personal information
• Object to processing based on legitimate interests, including inclusion in the creator discovery database (Article 21 UK GDPR)
• Restrict processing of your information
• Opt-out of marketing communications
• Data portability (receive your data in a structured format)
• Lodge a complaint with the UK Information Commissioner's Office (ICO) or your local supervisory authority

Creator removal requests: If you are a content creator and do not wish to appear in our discovery database, email privacy@acurrate.com from an address clearly associated with the account(s) in question, or include a link to the profile(s). We will remove your record(s) within 30 days and suppress them from re-ingestion. We may retain a minimal hash of the handle solely to enforce the suppression.

9. Children's Privacy

Our service is not intended for children under 13. We do not knowingly collect personal information from children under 13.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own. Our primary database is hosted in the European Union (Supabase EU region). Some service providers (including Google Cloud for AI inference, Shopify for billing, and Stripe for payments) may process data in the United States or other jurisdictions. Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or equivalent mechanisms.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

12. Contact Us

If you have any questions about this privacy policy or our practices, please contact us at: