eCommos
Legal · 2026-05-06

Privacy Policy

1. Who we are

This Privacy Policy describes how eCommos ("we," "us") collects, uses, and shares personal information when you use eCommos.ai (the "Service").

2. Information we collect

From you directly

  • Account email + hashed password
  • Communications you send us (support requests, feedback)
  • Information you provide to AI agents during app scoping (free-text descriptions of your business needs)

From Shopify

  • Shopify Partner identity tokens you authorize via the Device Authorization Grant flow (used to call the Partner API on your behalf)
  • Shop access tokens issued when our data-sync app is installed on your store (used to read CDM data — customers, products, orders, inventory, locations, collections, shop settings)
  • Shop entity data synced into our Canonical Data Model (CDM) — used to power generated apps and surface insights

Automatically collected

  • Standard server logs (IP address, user agent, request paths)
  • Application telemetry (errors, performance, generation events)
  • Cookies (see Cookie Policy)

3. How we use information

  • Provide the Service: authenticate you, generate and deploy apps, sync data
  • Send service-related communications (auth confirmations, deploy notifications)
  • Improve the Service: aggregate analytics, detect abuse, debug issues
  • Comply with legal obligations

We do not use merchant data or end-customer data to train shared AI models. AI generation prompts that include merchant context are scoped to that merchant's session.

4. Sharing

We share personal data with:

  • Shopify — to create apps in your Partner organization, deploy Theme App Extensions, and read merchant data you have authorized
  • Anthropic — our AI model provider; receives generation prompts and returns generated code. Anthropic does not retain prompts for training under our API agreement.
  • Hosting + infrastructure providers — Supabase (database), Railway / Fly.io (compute), Cloudflare R2 (storage), to operate the Service
  • Authorities — when required by valid legal process; we will notify you unless legally prohibited

We do not sell personal data. We do not share for cross-context advertising.

5. Where data is stored

Production data is currently stored in Supabase's ap-northeast-1 region. EU-only data residency is on our roadmap for Phase 2; if you have EU data residency requirements, contact us before signing up.

6. Retention

  • Account data: retained while your account is active; deleted on request within 30 days unless legal obligation requires retention
  • Authentication tokens: deleted on revocation
  • CDM merchant data: retained while your shop is connected; soft-deleted on uninstall (30-day window before hard delete) unless you request immediate deletion
  • Server logs: 90 days

7. Your rights

Depending on your location, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to processing. Exercise these rights by emailing hoangch@firegroup.io. We respond within 30 days.

If you are an EU/UK data subject and are unsatisfied with our response, you may complain to your local supervisory authority.

8. Security

We use AES-256-GCM encryption for stored Shopify access tokens and identity tokens. All connections use TLS 1.2+. Access to production systems is restricted and audit-logged. Despite these measures, no system is perfectly secure; we will notify affected users of any security incident as required by applicable law.

9. Children

The Service is not directed to individuals under 18. We do not knowingly collect data from children.

10. Changes

Material changes to this Privacy Policy will be communicated via email and a notice in the Service.

11. Contact

Privacy questions and rights requests: hoangch@firegroup.io.