
Privacy Policy

Last updated: 25 May 2026  ·  Effective: 25 May 2026
This policy explains how Ephermal ("we", "our", "us") collects, uses, and protects the personal data of merchants and visitors who use our platform. We are committed to full compliance with the General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).

1. Who We Are

Ephermal is an AI-powered advertising automation platform for Shopify merchants. Our service connects to your Shopify store, Meta Ads, and Google Ads accounts to autonomously generate creatives and manage campaigns on your behalf.

Data controller: Ephermal  ·  Contact: hello@ephermal.app
Full company registration details will be published upon incorporation. For any data protection queries in the interim, contact us at the email above.

2. Data We Collect

We collect only what is necessary to operate the service:

  • Account data — name, email address, password (hashed with bcrypt), and optionally a Google account ID when using Google Sign-In.
  • Shopify store data — store domain, products, orders, and customer analytics accessed via the Shopify Admin API under your authorised OAuth permissions.
  • Ad account data — Meta Ads and Google Ads access tokens (encrypted at rest using AES-256 Fernet), ad account IDs, campaign performance metrics.
  • Billing data — payment is processed entirely by Stripe. We store only a Stripe customer ID and subscription status — we never see or store your card details.
  • Usage data — pages visited, features used, and session metadata for platform improvement.

3. Legal Basis for Processing (GDPR Art. 6)

Under the General Data Protection Regulation (GDPR) and UK GDPR, we rely on the following lawful bases for processing your personal data:

  • Performance of contract (Art. 6(1)(b)) — Core service delivery: generating ad creatives, launching campaigns, managing integrations with Shopify/Meta/Google, sending transactional emails, and processing payments via Stripe.
  • Legal obligation (Art. 6(1)(c)) — Retaining billing records for tax and accounting purposes as required by applicable law.
  • Legitimate interests (Art. 6(1)(f)) — Analysing platform usage data to improve reliability and performance. You may object to this processing at any time by contacting us.
  • Consent (Art. 6(1)(a)) — Where you choose to use Google Sign-In, we process your Google account ID on the basis of your consent. You may withdraw this consent at any time by contacting hello@ephermal.app; withdrawal does not affect the lawfulness of prior processing.

4. How We Use Your Data

  • To deliver the core service: generating ad creatives, launching and optimising campaigns on your behalf.
  • To manage your subscription and process payments via Stripe.
  • To send transactional emails (account verification, billing receipts, campaign alerts). We do not send marketing emails without your explicit consent.
  • To improve platform reliability and performance.

We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We do not share personal information for cross-context behavioural advertising.

We do not use your store data, customer data, or advertising performance data to train, fine-tune, or improve any AI or machine learning model — data is used solely to generate creatives and manage campaigns on your behalf as part of the Service.

5. Third-Party Services & Sub-Processors

The following third-party processors handle data on our behalf under appropriate Data Processing Agreements. Each entry identifies the processor's role, the data it receives, and the transfer safeguard:

  • Stripe, Inc. (US) — payment processing; billing information. Safeguard: EU–US Data Privacy Framework (DPF). Stripe Privacy Policy
  • Shopify Inc. (Canada) — store data via OAuth; store domain, products, orders, customer analytics. Safeguard: EU adequacy decision for Canada. Shopify Privacy Policy
  • Meta Platforms Ireland Ltd (EU entity) — ad account management; ad account IDs and campaign data. Safeguard: Standard Contractual Clauses (SCCs) for onward transfers. Meta Privacy Policy
  • Google Ireland Ltd (EU entity) — Google Ads management and optional Sign-In; ad account data and Google account ID. Safeguard: SCCs for onward transfers. Google Privacy Policy
  • Clerk.com, Inc. (US) — authentication and user account management; name, email, session data. Safeguard: Standard Contractual Clauses. Clerk Privacy Policy
  • Supabase, Inc. (US; EU-region data hosting) — database infrastructure; all account and operational data. Safeguard: Standard Contractual Clauses. Supabase Privacy Policy

6. International Data Transfers

Your personal data is stored on our EU-hosted infrastructure. Some sub-processors are incorporated outside the EEA; appropriate safeguards are in place for each as described in Section 5 (DPF adequacy, EU adequacy decisions, or Standard Contractual Clauses).

For users in the United Kingdom, transfers to non-UK countries are governed by UK International Data Transfer Agreements (IDTAs) or EU SCCs with the ICO's UK Addendum, as applicable to each processor.

EU–UK data flows rely on the European Commission's adequacy decision for the UK. We will update this policy promptly if that adequacy status changes.

7. Data Storage, Security & Retention

All data is stored on EU-hosted infrastructure (Supabase EU region). OAuth tokens are encrypted at rest using AES-256 (Fernet). Passwords are hashed using bcrypt. All data in transit is protected by TLS 1.3.

Retention periods by data category:

  • Account data (name, email, password hash) — retained for the duration of your account; deleted within 30 days of account closure.
  • Shopify store data (products, orders, customer analytics) — retained for the duration of your Shopify integration; deleted within 30 days of disconnection or account closure.
  • Ad account tokens & campaign data — tokens deleted immediately on disconnection; campaign metrics retained for the duration of your account, deleted within 30 days of closure. Google Ads data is subject to Google's 37-month retention limit.
  • Usage data (session metadata, feature usage) — retained on a rolling 12-month basis.
  • Billing data (Stripe customer ID, subscription status) — retained for 7 years as required by applicable tax law.

8. Automated Processing & Decision-Making

Ephermal uses automated processing — including analysis of your Shopify store data, product catalogue, and advertising performance metrics — to autonomously generate ad creatives and optimise campaign targeting. This constitutes automated decision-making within the meaning of GDPR Article 22.

The logic analyses product attributes, historical performance, and audience signals to select creative formats, copy, and targeting parameters. The envisaged consequences are adjustments to how your advertising budget is deployed across Meta and Google.

You retain the right to review and approve all AI-generated creatives before publication, reject any automated output, and request human review of any decision by contacting hello@ephermal.app.

9. Your Rights (GDPR & UK GDPR)

Under GDPR and UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure ("Right to be forgotten") — request deletion of your data.
  • Portability — receive your data in a machine-readable format.
  • Objection / Restriction — object to or restrict certain processing, including processing based on legitimate interests.
  • Withdraw consent — at any time where processing is based on consent (e.g. Google Sign-In), without affecting the lawfulness of prior processing.

To exercise any of these rights, email hello@ephermal.app. We will respond within one month (extendable by a further two months for complex requests, with notice within the first month).

10. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, the CCPA and CPRA grant you the following additional rights:

  • Right to Know — request the categories and specific pieces of personal information collected, used, or disclosed about you in the preceding 12 months.
  • Right to Delete — request deletion of your personal information, subject to certain exceptions.
  • Right to Correct — request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing — We do not sell personal information. We do not share personal information for cross-context behavioural advertising. No opt-out action is required, but you may contact us to confirm at any time.
  • Right to Limit Sensitive Personal Information — We do not process sensitive personal information beyond what is necessary to provide the Service.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any CCPA/CPRA right.
  • Right to Use an Authorised Agent — You may designate an authorised agent to submit requests on your behalf.

To submit a CCPA/CPRA request, email hello@ephermal.app. We will respond within 45 days, with a possible 45-day extension for complex requests.

11. Cookies

We use only strictly necessary cookies for authentication (session tokens) and security. We do not use third-party tracking cookies or advertising pixels on our own website. You may disable cookies in your browser settings, though this will prevent you from remaining logged in.

No cookie consent banner is shown because we rely solely on cookies that are strictly necessary for a service you have explicitly requested, which are exempt from consent requirements under the EU ePrivacy Directive and UK PECR.

12. AI-Generated Content & EU AI Act

Ephermal uses artificial intelligence to generate advertising creatives on your behalf. In compliance with Article 50 of the EU AI Act (Regulation (EU) 2024/1689, applicable from 2 August 2026), AI-generated content will be marked with machine-readable provenance metadata, in line with technical standards adopted by the European Commission.

As a merchant who approves and publishes AI-generated creatives, you also bear disclosure obligations as a "deployer" under the EU AI Act. We will provide guidance on meeting these obligations as the relevant standards are finalised.

We do not use your data to train, fine-tune, or improve any third-party AI models. All AI processing is solely to generate creatives and manage campaigns on your behalf.

13. Changes to This Policy

We may update this policy periodically. We will notify you of material changes by email or via a notice within the platform at least 14 days before they take effect.

14. Contact & Complaints

Questions about this policy: hello@ephermal.app

If you believe we have not handled your data appropriately, you have the right to lodge a complaint:

  • EU data subjects: Contact our lead supervisory authority (to be confirmed upon company incorporation) — or the DPA in your own EU member state of residence.
  • UK data subjects: Contact the Information Commissioner's Office (ICO) at ico.org.uk.
© 2026 Ephermal. All rights reserved.