Embedded Files
Privacy Policy
Last updated: 25.04.2026
This Privacy Policy describes how Synapse SEO AI (“the App”) collects, uses, and shares information when merchants install and use the App via the Shopify platform.
The App is operated by Jacek Richert, located at ul. Sadowa 109a, 82-300 Elbląg, Poland.
Business ID (NIP): 5783175415
Email: richert.jacek1@gmail.com
1. Data Controller
1. Data Controller
For the purposes of applicable data protection laws, including RODO (GDPR), Jacek Richert acts as the data controller of merchant data processed through the App.
In relation to store customer data (if any is processed), the merchant remains the data controller and the App acts as a data processor.
2. Information We Collect
2. Information We Collect
When you install and use the App, we collect the following categories of data via Shopify APIs and direct usage:
Store Data (via Shopify API):
Product data (titles, descriptions, images, metadata)
Collections and menus
User Data:
Merchant email address
Store domain
Usage Data:
Logs of actions performed within the App
Feature usage and performance data
We access this data using permissions granted during installation (Shopify API scopes), such as reading and modifying product and collection data as required for App functionality.
We do not intentionally collect or process customer personal data from your store.
3. Legal Basis for Processing
3. Legal Basis for Processing
We process personal data under the following legal bases:
Performance of a contract – to provide the App’s functionality
Legitimate interests – to improve, secure, and optimize the App
4. How We Use Your Information
4. How We Use Your Information
We use collected data to:
Provide, operate, and maintain the App
Analyze and optimize product content
Generate SEO content using AI
Organize collections and navigation structures
Improve performance, reliability, and user experience
5. AI Processing
5. AI Processing
To provide content generation and optimization features, selected store data (such as product titles, descriptions, and collection data) may be transmitted to third-party AI services, including Google (Gemini).
Data is processed solely to generate requested outputs
Data is not used by us to train AI models
We do not knowingly allow third-party providers to use this data for independent purposes
6. Data Sharing and Subprocessors
6. Data Sharing and Subprocessors
We do not sell or rent your data.
We may share data only with trusted service providers necessary to operate the App, including:
Render – hosting infrastructure
Google – AI processing services
Shopify – to enable App functionality within the platform
All third-party providers process data on our behalf and are subject to appropriate contractual safeguards.
7. International Data Transfers
7. International Data Transfers
Some service providers may process data outside the European Economic Area (EEA).
Where such transfers occur, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) to ensure compliance with GDPR.
8. Data Retention
8. Data Retention
We retain data only for as long as necessary to provide App functionality.
When the App is uninstalled:
Data is automatically deleted via Shopify’s app/uninstalled webhook
Remaining data is permanently deleted within a maximum of 30 days
9. Data Subject Rights
9. Data Subject Rights
Under GDPR, you have the right to:
Access your personal data
Request correction or deletion
Restrict or object to processing
Request data portability
Requests can be submitted to: richert.jacek1@gmail.com
We will respond within 30 days of receiving a verified request.
10. Security
10. Security
We implement appropriate technical and organizational measures, including:
Encrypted data transmission (TLS/HTTPS)
Access controls and authentication mechanisms
Restricted internal data access
Monitoring and logging of system activity
11. Cookies and Tracking
11. Cookies and Tracking
The App does not use independent cookies or tracking technologies.
Authentication and session management are handled by Shopify’s platform mechanisms.
12. Marketing Communications
12. Marketing Communications
We may use your email address to send service-related or marketing communications.
13. Changes to This Policy
13. Changes to This Policy
We may update this Privacy Policy from time to time.
Any changes will be posted within the App or on the App listing, with an updated revision date.
14. Contact
14. Contact
Jacek Richert
ul. Sadowa 109a
82-300 Elbląg
Poland
Email: richert.jacek1@gmail.com
15. Shopify Compliance Webhooks and Data Subject Requests
15. Shopify Compliance Webhooks and Data Subject Requests
Synapse SEO AI subscribes to all three mandatory compliance webhooks required by the Shopify App Store and responds to each within 30 days of receipt:
customers/data_request — When a store customer submits a data access request, Shopify forwards it to installed apps. We acknowledge receipt and confirm whether any personal data related to that customer is held by the App. As Synapse SEO AI does not process store customer personal data, such requests will result in a confirmation that no relevant data is held.
customers/redact — Upon receiving a customer data erasure request, we verify whether any information linked to that customer exists within our systems and delete it immediately. The App does not store personal data of end customers.
shop/redact — Following uninstallation and the expiry of the applicable retention period (see Sections 8 and 16), all remaining store data is permanently deleted. This webhook is triggered automatically by Shopify, and we confirm receipt and complete the action within the required timeframe.
No action is required from the merchant — all compliance webhook processing is handled automatically by the App.
16. Detailed Data Retention Schedule After Uninstallation
Upon uninstallation of the App, the following retention periods apply:
All shop-related data, including store domain, billing information, product and collection data (including SEO content), and related metadata, is retained for up to 30 days after uninstallation. This retention period is necessary for billing verification, settlement of charges, dispute resolution, and operational integrity.
App activity logs are also retained for up to 30 days for security, monitoring, and diagnostic purposes.
After the applicable retention period, all data is permanently and irreversibly deleted from our systems and those of our subprocessors.
17. Automated Processing and AI-Generated Decisions
17. Automated Processing and AI-Generated Decisions
Synapse SEO AI uses artificial intelligence models (Google Gemini) to analyze store data — such as product titles, descriptions, and collection data — and generate SEO content suggestions.
Nature of processing: The AI generates suggestions and content proposals only. No decision affecting the merchant's store, products, or data is made automatically without the merchant's explicit review and approval. Every piece of AI-generated content must be manually accepted by the merchant before it is applied to the store.
No profiling: The App does not create personal profiles of merchants or their customers based on processed data.
Article 22 GDPR: As the App does not engage in automated decision-making that produces legal or similarly significant effects on individuals, Article 22 GDPR does not apply. If you have any concerns regarding automated processing, please contact us at richert.jacek1@gmail.com.
18. Marketing Communications — Legal Basis and Opt-Out
18. Marketing Communications — Legal Basis and Opt-Out
We may send merchants marketing communications about Synapse SEO AI, including information about new features, updates, and special offers.
Legal basis: Marketing communications are sent on the basis of our legitimate interests (Article 6(1)(f) GDPR). As an existing user of the App, you are an established customer, and our marketing relates exclusively to similar services and products.
Right to object (opt-out): You may object to the processing of your personal data for marketing purposes at any time, at no cost and without providing justification. To do so:
click the unsubscribe link included in every marketing email, or
send an email to richert.jacek1@gmail.com with the subject line "Unsubscribe from marketing".
We will stop processing your data for marketing purposes promptly upon receipt of your objection.
19. Personal Data Breach Procedure
19. Personal Data Breach Procedure
In the event of a personal data breach, we take the following steps:
Risk assessment — Upon detection, we immediately assess the scope of the incident and its potential impact on individuals.
Notification to the supervisory authority — If the breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.
Notification to affected individuals — If the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will notify those individuals without undue delay, in accordance with Article 34 GDPR.
Remediation — We will implement measures to mitigate the effects of the breach and prevent similar incidents in the future.
For any security-related concerns, please contact us at richert.jacek1@gmail.com.
20. Data Protection Officer (DPO)
20. Data Protection Officer (DPO)
As a micro-enterprise processing personal data on a limited scale, we are not currently required to appoint a Data Protection Officer under Article 37 GDPR. That obligation applies to organizations processing personal data on a large scale or processing special categories of data — neither of which applies to our operations.
All data protection enquiries are handled directly by the data controller: Jacek Richert, richert.jacek1@gmail.com.
Should the scope of data processing by the App change materially, we will reassess our obligations regarding the appointment of a DPO.
21. Rights Under U.S. Privacy Laws (CCPA/CPRA)
21. Rights Under U.S. Privacy Laws (CCPA/CPRA)
For merchants operating in California or serving customers located in California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) may apply.
To the extent that Synapse SEO AI processes personal data subject to CCPA/CPRA, we provide the following rights:
Right to Know — You may request information about the categories of personal data we have collected and the purposes for which it is used.
Right to Delete — You may request the deletion of your personal data, subject to exceptions permitted by law.
Right to Opt-Out of Sale — We do not sell personal data of merchants or their customers to any third parties.
Right to Non-Discrimination — Exercising any of the above rights will not result in any negative consequences with respect to the services provided to you.
Requests under CCPA/CPRA should be submitted to richert.jacek1@gmail.com. We will respond within 45 days.
22. Supervisory Authority
22. Supervisory Authority
If you believe that the processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a supervisory authority.
For merchants based in Poland and the EU: President of the Personal Data Protection Office (UODO) ul. Stawki 2, 00-193 Warsaw, Poland www.uodo.gov.pl Email: kancelaria@uodo.gov.pl
You also have the right to lodge a complaint with the supervisory authority of the EU member state of your habitual residence, place of work, or place of the alleged infringement.
We encourage you to contact us directly before initiating a formal complaint — most concerns can be resolved quickly and informally.
Page updated
Google Sites
Report abuse