What we collect, why, and who has access.

What we collect

Account data. The name and email Google returns when you sign in, plus a Google account identifier so we can recognise you on return. We don’t receive your Google password and we don’t ask for one of our own.

Billing data. Stripe collects the card itself; we receive a customer identifier, the plan you chose, invoices, and the billing address you give Stripe. We never see card numbers.

Product data. The Shopify app URLs you add to track, the keywords you tag, your notes, and your saved views. This is the data you came here to manage.

Derived data. Daily rank readings for every tracked keyword × app, derived from public App Store data. No personal data is involved.

Telemetry. Pino structured logs of request paths, response codes, and timings. Sentry captures errors with stack traces. We do not run third-party analytics like GA4 or Segment.

Why we collect it

• Account data — to authenticate you and bill you.
• Product data — to render the dashboard you’re paying for.
• Derived data — to power KES, anomaly detection, and the public Market Intelligence page.
• Telemetry — to monitor performance and detect errors.

Who we share it with

We use a small set of subprocessors. Each one is named with the data it touches. The full DPA enumerates contractual safeguards.

• Stripe — billing, card data, invoices.
• Resend — transactional email delivery.
• OpenRouter — relays AI Visibility prompts (no customer PII).
• Sentry — error monitoring (no customer PII unless captured in a stack frame).
• Infrastructure provider — used to retrieve public web pages.
• Railway — application + database hosting (EU region).
• Cloudflare R2 — object storage for fixtures and exports.
• Google — OAuth identity provider.

We do not sell, lease, or barter personal data. Ever.

How long we keep it

• Account data — for the life of your account, then 30 days after deletion.
• Billing data — seven years (tax law in our home jurisdiction).
• Product data — for the life of your account; deletable on request inside the dashboard.
• Derived data — indefinitely, since it is aggregated from public pages and not tied to you.
• Telemetry — 30 days for logs, 90 days for errors.

Your rights

Wherever you are, you can:

• Ask for a copy of the data we hold about you.
• Ask us to correct anything that’s wrong.
• Ask us to delete your account and the data attached to it.
• Export your tracked apps, keywords, and notes as JSON.

EU/UK readers: under GDPR/UK-GDPR you have the rights to access, rectification, erasure, restriction, portability, and objection. California readers: CCPA rights to know, delete, and opt out apply. We do not sell personal data.

Email privacy@asomify.com with any of the above. We answer within five working days.

International transfers

Our primary infrastructure runs in the EU. Where data must move to other jurisdictions (Stripe, Sentry, Google, OpenRouter), we rely on Standard Contractual Clauses or the equivalent adequacy mechanism.

Children

The product is not directed at children under 16, and we do not knowingly collect data from them.

Changes to this policy

We update the version and date at the top of this page when we make material changes. Pro tier subscribers also get an email on material changes.