Privacy Policy

1. Information we collect

1.1 Account data

When you create an account via Google OAuth or email authentication, we collect:

• Email address and display name
• Profile picture URL (if provided by Google)
• Google OAuth access token and refresh token
• A unique user identifier
• Organization name (if applicable)

1.2 Website crawl data

When you submit a URL for auditing, we crawl and collect:

• HTML content of publicly accessible pages (homepage, product pages, policy pages)
• Meta tags, Open Graph data, and structured data (JSON-LD/microdata)
• HTTP response headers, status codes, and redirect chains
• SSL certificate status and security headers
• Image URLs, alt text, and dimensions
• Policy page content (privacy, returns, shipping, terms)
• Contact information found on the website

1.3 Google Merchant Center data

If you connect your GMC account, we access (read-only):

• Product listings (titles, descriptions, prices, availability, images, attributes)
• Account-level and product-level compliance issues
• Feed status and diagnostic data
• Sub-account list and metadata

1.4 Analytics and usage data

• Pages visited within the app and features used
• Audit frequency and compliance score history
• Error logs and sync timestamps

1.5 Technical data

Collected automatically by our hosting infrastructure:

• IP address, browser type, operating system
• HTTP request details and access timestamps
• Device identifiers and screen resolution

2. How we use your information

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties beyond the processors listed in Section 6.

3. Google API Services usage disclosure

FeedShield's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

3.1 What Google user data we access

When you connect a Google Merchant Center account, we request the https://www.googleapis.com/auth/content OAuth scope. Through this scope, we access:

• Product listings: titles, descriptions, prices, availability, images, and product attributes
• Account-level compliance issues and policy violations
• Product-level disapproval reasons and diagnostics
• Feed processing status and error reports
• Sub-account list and account metadata (for multi-client accounts)

We access this data in read-only mode. We do not modify, delete, or write to your Google Merchant Center account.

3.2 How we use Google user data

We use data received from Google APIs for these purposes only:

• Running compliance audits against Google Merchant Center policies
• Displaying product status and issue summaries on your dashboard
• Generating AI-powered fix recommendations for compliance issues
• Tracking compliance score trends over time

We do not use Google user data for advertising, user profiling, or any purpose unrelated to the compliance audit functionality described above.

3.3 Sharing and transfer of Google user data

We do not sell, rent, or lease Google user data to any third party. We share Google user data only in these limited circumstances:

• AI analysis: Anonymized product data and issue descriptions are sent to enterprise AI inference providers under data processing agreements with zero-retention commitments, used to generate fix recommendations. No OAuth tokens, user identifiers, or account credentials are included in AI requests.
• Infrastructure: Data is stored on a managed PostgreSQL platform hosted on AWS infrastructure and served via an enterprise edge network, both operating under data processing agreements with appropriate security controls.

We do not transfer Google user data to any other parties, and we do not allow the data to be used by human reviewers except where necessary to provide support you explicitly requested, comply with applicable law, or investigate security incidents.

3.4 Data protection for Google user data

• OAuth refresh tokens are stored encrypted at rest (AES-256) in our managed PostgreSQL database hosted on AWS infrastructure
• All API communication uses TLS 1.2 or higher
• Row-level security ensures each organization can only access its own connected accounts
• Access tokens are refreshed automatically and short-lived (1 hour expiry)

3.5 Retention and deletion of Google user data

• When you disconnect a Google Merchant Center account, we immediately delete the associated OAuth tokens (refresh token, access token) and stop all API access to that account.
• Product and issue data from disconnected accounts is retained for up to 12 months for audit history purposes, then automatically purged.
• When you delete your FeedShield account, all Google user data is deleted within 30 days from active systems and within 60 days from encrypted backups.

3.6 Revoking access

You can revoke FeedShield's access to your Google account at any time:

• From within FeedShield: Go to Settings > Merchant Center and click "Disconnect"
• From Google directly: Visit myaccount.google.com/permissions and remove FeedShield

Revoking access stops all data retrieval immediately. We cannot access your Merchant Center data after revocation.

4. Data processing with AI

We use enterprise AI inference providers to analyze compliance data and generate fix recommendations. Here is what happens with your data during AI processing:

What data is sent to AI models

• Website compliance audit findings (extracted data, not full HTML)
• Product listing details (titles, descriptions, attributes)
• Google Merchant Center issue descriptions
• Structured data and policy page extractions

What is NOT sent to AI models

• Your email address or personal identifiers
• OAuth tokens or authentication credentials
• Payment information
• IP addresses or device information

How AI providers handle your data

Our enterprise AI inference layer routes requests to commercial large language model providers under data processing agreements. Per the inference policies in force with those providers, inference data is not used for model training, is not stored beyond the duration of the request, and is not shared with third parties. We select providers that commit to zero data retention for API requests. A current list of subprocessors is available to customers and prospective customers on request via hello@feedshield.ai.

5. Web crawling and data collection

What we crawl

When you submit a URL, our automated crawler visits the publicly accessible pages of that website, including the homepage, product pages, category pages, policy pages (privacy, returns, shipping, terms), and the contact page. We identify our crawler via its User-Agent string.

How we store crawl data

We extract and store structured compliance data from the crawled pages, including meta tags, structured data (JSON-LD), policy page content summaries, HTTP headers, and compliance check results. We do not store complete page HTML beyond the initial processing phase. Extracted data is stored in our managed PostgreSQL database (hosted on AWS infrastructure) with row-level security ensuring tenant isolation.

Crawl frequency

• Free plan: On-demand only (user-triggered)
• Pro plan: Daily automated crawls
• Agency plan: Daily automated crawls with on-demand refresh

Robots.txt compliance

Our crawler respects robots.txt directives where applicable. If you wish to prevent our crawler from accessing your site, you may add our User-Agent to your robots.txt file or contact us to opt out.

6. Third-party data processors

We share data with the categories of subprocessors listed below to operate the Service. All processors operate under data processing agreements that comply with applicable data protection laws.

A current list of named subprocessors is available to customers and prospective customers on request via hello@feedshield.ai. We do not sell or share your data with data brokers, advertisers, or any other parties.

7. Cookies and tracking

We use minimal, essential cookies required to operate the Service:

We do not use advertising cookies, third-party tracking pixels, analytics cookies, or social media tracking. We do not track you across other websites. All cookies are strictly necessary for the Service to function.

8. Data security measures

We implement industry-standard security measures to protect your data:

• Encryption at rest using AES-256 (managed PostgreSQL on AWS)
• Encryption in transit via TLS 1.2+ on all connections
• Row-level security (RLS) on every database table for tenant isolation
• OAuth 2.0 authentication with no password storage
• API rate limiting and SSRF protection on all endpoints
• Security headers (HSTS, CSP, X-Frame-Options) on all responses
• Automated dependency scanning and vulnerability detection
• Principle of least privilege for all system access
• Regular security audits and code reviews

No system is 100% secure. If we discover a data breach that poses high risk to your rights, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR Article 33.

9. Data retention periods

10. Your rights (GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, you have these rights under GDPR:

• Right of access (Art. 15) - Request a copy of all personal data we hold about you.
• Right to rectification (Art. 16) - Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17) - Request deletion of your personal data when we have no legal basis to retain it.
• Right to data portability (Art. 20) - Receive your data in a structured, machine-readable format (JSON or CSV).
• Right to restrict processing (Art. 18) - Request that we limit how we process your data in certain circumstances.
• Right to object (Art. 21) - Object to processing based on legitimate interests. We will stop unless we demonstrate compelling legitimate grounds.
• Right to withdraw consent (Art. 7) - Revoke Google OAuth access at any time via myaccount.google.com/permissions.
• Right to lodge a complaint - File a complaint with your local data protection supervisory authority if you believe we are processing your data unlawfully.
• Right regarding automated decisions (Art. 22) - Our AI generates recommendations for informational purposes. No automated decision produces legal or similarly significant effects on you. You can always request human review.

To exercise any right, email hello@feedshield.ai. We will respond within 30 days. We may verify your identity before processing your request. No fee is charged for exercising your rights, except for manifestly unfounded or excessive requests.

11. California privacy rights (CCPA/CPRA)

If you are a California resident, the CCPA (as amended by CPRA) grants you these rights:

• Right to know - Request disclosure of what personal information we collected, the sources, purposes, and who received it.
• Right to delete - Request deletion of your personal information, subject to legal exceptions.
• Right to correct - Request correction of inaccurate personal information.
• Right to opt out of sale/sharing - We do not sell or share your personal information for cross-context behavioral advertising. No action needed.
• Right to non-discrimination - We will not discriminate against you for exercising your privacy rights.

Categories of personal information collected (last 12 months)

• Identifiers: email, name, Google user ID
• Commercial information: product data from Merchant Center
• Internet/network activity: service usage, log data
• Professional information: business name, website URL

We do not sell any category of personal information. To exercise your California rights, email hello@feedshield.ai. We respond to verifiable requests within 45 days.

12. UAE data protection law compliance

XPAND ENTERPRISES - FZCO is a Free Zone Company registered in Dubai Silicon Oasis, Dubai, UAE. We comply with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and its implementing regulations:

• Lawful basis for processing - We process personal data based on contractual necessity, legitimate interest, or your explicit consent, as required by the PDPL.
• Purpose limitation - We collect and process personal data only for specific, clear, and legitimate purposes disclosed in this policy.
• Data minimization - We collect only the minimum personal data necessary to provide the Service.
• Accuracy - We take reasonable steps to keep personal data accurate and up to date.
• Storage limitation - We retain personal data only for as long as necessary to fulfill the purposes described in Section 9.
• Cross-border transfers - We transfer personal data to processors outside the UAE (US-based infrastructure) as described in Section 13, with appropriate safeguards in place.
• Data subject rights - You have the right to access, correct, delete, and restrict processing of your personal data under the PDPL.
• Security measures - We implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or misuse.

You may lodge a complaint with the UAE Data Office if you believe we have breached the Personal Data Protection Law.

13. International data transfers

XPAND ENTERPRISES - FZCO is based in Dubai, UAE. Our processors operate in the United States and other jurisdictions. When we transfer personal data internationally, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission for EU data transfers
• Adequacy decisions where applicable
• Processor certifications (SOC 2, ISO 27001) as supplementary safeguards
• Contractual obligations requiring equivalent data protection standards

Our primary data storage is on a managed PostgreSQL platform (AWS US East), with edge distribution globally. By using the Service, you acknowledge your data may be processed in countries outside your country of residence. We ensure appropriate legal safeguards are in place for all transfers.

14. Children's privacy

FeedShield is a business tool intended for users aged 18 and older. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, contact us at hello@feedshield.ai and we will delete it promptly.

15. Changes to this privacy policy

We may update this Privacy Policy periodically. When we make material changes:

• We will update the "Last updated" date at the top of this page.
• We will notify you via email or in-app notification at least 14 days before changes take effect.
• Where required by law (GDPR, UAE PDPL), we will obtain your consent before applying the changes.

Continued use of the Service after changes take effect constitutes acceptance. If you disagree, stop using the Service and request account deletion.

16. Data protection contact

For privacy inquiries, data access requests, or complaints:

We aim to respond to all privacy-related inquiries within 30 days. For GDPR requests, we are legally required to respond within one month. For CCPA requests, within 45 days.

17. Cookie policy details

This section provides additional detail on our cookie practices as required by the EU ePrivacy Directive and applicable cookie consent regulations.

What are cookies?

Cookies are small text files stored on your device when you visit a website. They enable the site to remember your actions and preferences over time.

Our cookie usage

We use only strictly necessary cookies required for the Service to function. These cookies are exempt from consent requirements under the ePrivacy Directive because the Service cannot operate without them. We do not use optional cookies (analytics, advertising, social media, performance) of any kind.

Managing cookies

You can control cookies through your browser settings. Disabling essential cookies will prevent you from logging in and using the Service. Refer to your browser's help documentation for instructions on managing cookies.

Do Not Track (DNT)

We honor Do Not Track browser signals. Since we do not use tracking cookies or third-party analytics, there is no tracking behavior to disable.