Privacy Policy

Last updated: April 5, 2026

This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA/CPRA), and the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection.

FeedShield ("the Service", "the App") is operated by XPAND ENTERPRISES - FZCO ("XPAND", "we", "us"), a Free Zone Company registered in Dubai Silicon Oasis, Dubai, UAE. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Service at feedshield.ai.

For questions about this policy or your data, contact us at [email protected].

1. Information we collect

1.1 Account data

When you create an account via Google OAuth or email authentication, we collect:

  • Email address and display name
  • Profile picture URL (if provided by Google)
  • Google OAuth access token and refresh token
  • A unique user identifier
  • Organization name (if applicable)

1.2 Website crawl data

When you submit a URL for auditing, we crawl and collect:

  • HTML content of publicly accessible pages (homepage, product pages, policy pages)
  • Meta tags, Open Graph data, and structured data (JSON-LD/microdata)
  • HTTP response headers, status codes, and redirect chains
  • SSL certificate status and security headers
  • Image URLs, alt text, and dimensions
  • Policy page content (privacy, returns, shipping, terms)
  • Contact information found on the website

1.3 Google Merchant Center data

If you connect your GMC account, we access (read-only):

  • Product listings (titles, descriptions, prices, availability, images, attributes)
  • Account-level and product-level compliance issues
  • Feed status and diagnostic data
  • Sub-account list and metadata

1.4 Analytics and usage data

  • Pages visited within the app and features used
  • Audit frequency and compliance score history
  • Error logs and sync timestamps

1.5 Technical data

Collected automatically by our hosting infrastructure (Vercel):

  • IP address, browser type, operating system
  • HTTP request details and access timestamps
  • Device identifiers and screen resolution

2. How we use your information

Purpose | Data used | Legal basis (GDPR)
Provide compliance audits | Crawl data, GMC data | Contract performance
Generate AI recommendations | Audit results, product data | Contract performance
Authenticate your session | OAuth tokens, email | Contract performance
Process payments | Billing info via Stripe | Contract performance
Service reliability monitoring | Error logs, sync data | Legitimate interest
Security and fraud prevention | IP, technical data | Legitimate interest
Legal compliance | As required | Legal obligation

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties beyond the processors listed in Section 5.

3. Data processing with AI

We use AI models via OpenRouter to analyze compliance data and generate fix recommendations. Here is what happens with your data during AI processing:

What data is sent to AI models

  • Website compliance audit findings (extracted data, not full HTML)
  • Product listing details (titles, descriptions, attributes)
  • Google Merchant Center issue descriptions
  • Structured data and policy page extractions

What is NOT sent to AI models

  • Your email address or personal identifiers
  • OAuth tokens or authentication credentials
  • Payment information
  • IP addresses or device information

How AI providers handle your data

OpenRouter routes requests to various large language model providers (Anthropic, OpenAI, Google, and others). Per OpenRouter's data policy, inference data is not used for model training, is not stored beyond the duration of the request, and is not shared with third parties. We select models and providers that commit to zero data retention for API requests.

4. Web crawling and data collection

What we crawl

When you submit a URL, our automated crawler visits the publicly accessible pages of that website, including the homepage, product pages, category pages, policy pages (privacy, returns, shipping, terms), and the contact page. We identify our crawler via its User-Agent string.

How we store crawl data

We extract and store structured compliance data from the crawled pages, including meta tags, structured data (JSON-LD), policy page content summaries, HTTP headers, and compliance check results. We do not store complete page HTML beyond the initial processing phase. Extracted data is stored in our Supabase database with row-level security ensuring tenant isolation.

Crawl frequency

  • Free plan: On-demand only (user-triggered)
  • Pro plan: Daily automated crawls
  • Agency plan: Daily automated crawls with on-demand refresh

Robots.txt compliance

Our crawler respects robots.txt directives where applicable. If you wish to prevent our crawler from accessing your site, you may add our User-Agent to your robots.txt file or contact us to opt out.

5. Third-party data processors

We share data with the following processors to operate the Service:

Supabase (AWS) - Database, authentication, file storage

  • Compliance: SOC 2 Type II
  • Region: US East (Virginia), with regional options available

Vercel - Application hosting, serverless functions, CDN

  • Compliance: SOC 2 Type II
  • Region: Global edge network

Stripe - Payment processing

  • Compliance: PCI DSS Level 1
  • Region: US, EU

Google Cloud / APIs - Merchant Center API, OAuth, Maps

  • Compliance: SOC 2, ISO 27001
  • Region: Global

OpenRouter - AI inference routing to LLM providers

  • Compliance: Zero data retention policy
  • Region: US

SerpAPI - Search engine results for verification

  • Compliance: Standard ToS
  • Region: US

All processors are contractually obligated to handle your data in compliance with applicable data protection laws. We do not sell or share your data with data brokers, advertisers, or any other parties.

6. Cookies and tracking

We use minimal, essential cookies required to operate the Service:

Cookie | Purpose | Duration | Type
sb-*-auth-token | Supabase session authentication | Session / 7 days | Essential
__csrf | Cross-site request forgery protection | Session | Essential
__vercel_* | Vercel deployment routing | Session | Essential

We do not use advertising cookies, third-party tracking pixels, analytics cookies, or social media tracking. We do not track you across other websites. All cookies are strictly necessary for the Service to function.

7. Data security measures

We implement industry-standard security measures to protect your data:

  • Encryption at rest using AES-256 (Supabase/AWS)
  • Encryption in transit via TLS 1.2+ on all connections
  • Row-level security (RLS) on every database table for tenant isolation
  • OAuth 2.0 authentication with no password storage
  • API rate limiting and SSRF protection on all endpoints
  • Security headers (HSTS, CSP, X-Frame-Options) on all responses
  • Automated dependency scanning and vulnerability detection
  • Principle of least privilege for all system access
  • Regular security audits and code reviews

No system is 100% secure. If we discover a data breach that poses high risk to your rights, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR Article 33.

8. Data retention periods

Data type | Retention period
Account data and OAuth tokens | Duration of active account
Audit results and compliance scores | 24 months
AI-generated recommendations | 24 months
Website crawl data (extracted) | 12 months
Server logs (Vercel) | 30 days (auto-deleted)
Payment records (Stripe) | Per Stripe retention policy
Post-deletion cleanup | 30 days in active systems + 30 days in backups

9. Your rights (GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, you have these rights under GDPR:

  • Right of access (Art. 15) - Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) - Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) - Request deletion of your personal data when we have no legal basis to retain it.
  • Right to data portability (Art. 20) - Receive your data in a structured, machine-readable format (JSON or CSV).
  • Right to restrict processing (Art. 18) - Request that we limit how we process your data in certain circumstances.
  • Right to object (Art. 21) - Object to processing based on legitimate interests. We will stop unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7) - Revoke Google OAuth access at any time via myaccount.google.com/permissions.
  • Right to lodge a complaint - File a complaint with your local data protection supervisory authority if you believe we are processing your data unlawfully.
  • Right regarding automated decisions (Art. 22) - Our AI generates recommendations for informational purposes. No automated decision produces legal or similarly significant effects on you. You can always request human review.

To exercise any right, email [email protected]. We will respond within 30 days. We may verify your identity before processing your request. No fee is charged for exercising your rights, except for manifestly unfounded or excessive requests.

10. California privacy rights (CCPA/CPRA)

If you are a California resident, the CCPA (as amended by CPRA) grants you these rights:

  • Right to know - Request disclosure of what personal information we collected, the sources, purposes, and who received it.
  • Right to delete - Request deletion of your personal information, subject to legal exceptions.
  • Right to correct - Request correction of inaccurate personal information.
  • Right to opt out of sale/sharing - We do not sell or share your personal information for cross-context behavioral advertising. No action needed.
  • Right to non-discrimination - We will not discriminate against you for exercising your privacy rights.

Categories of personal information collected (last 12 months)

  • Identifiers: email, name, Google user ID
  • Commercial information: product data from Merchant Center
  • Internet/network activity: service usage, log data
  • Professional information: business name, website URL

We do not sell any category of personal information. To exercise your California rights, email [email protected]. We respond to verifiable requests within 45 days.

11. UAE data protection law compliance

XPAND ENTERPRISES - FZCO is a Free Zone Company registered in Dubai Silicon Oasis, Dubai, UAE. We comply with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and its implementing regulations:

  • Lawful basis for processing - We process personal data based on contractual necessity, legitimate interest, or your explicit consent, as required by the PDPL.
  • Purpose limitation - We collect and process personal data only for specific, clear, and legitimate purposes disclosed in this policy.
  • Data minimization - We collect only the minimum personal data necessary to provide the Service.
  • Accuracy - We take reasonable steps to keep personal data accurate and up to date.
  • Storage limitation - We retain personal data only for as long as necessary to fulfill the purposes described in Section 8.
  • Cross-border transfers - We transfer personal data to processors outside the UAE (US-based infrastructure) as described in Section 12, with appropriate safeguards in place.
  • Data subject rights - You have the right to access, correct, delete, and restrict processing of your personal data under the PDPL.
  • Security measures - We implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or misuse.

You may lodge a complaint with the UAE Data Office if you believe we have breached the Personal Data Protection Law.

12. International data transfers

XPAND ENTERPRISES - FZCO is based in Dubai, UAE. Our processors operate in the United States and other jurisdictions. When we transfer personal data internationally, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for EU data transfers
  • Adequacy decisions where applicable
  • Processor certifications (SOC 2, ISO 27001) as supplementary safeguards
  • Contractual obligations requiring equivalent data protection standards

Our primary data storage is on Supabase (AWS US East), with Vercel edge distribution globally. By using the Service, you acknowledge your data may be processed in countries outside your country of residence. We ensure appropriate legal safeguards are in place for all transfers.

13. Children's privacy

FeedShield is a business tool intended for users aged 18 and older. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, contact us at [email protected] and we will delete it promptly.

14. Changes to this privacy policy

We may update this Privacy Policy periodically. When we make material changes:

  • We will update the "Last updated" date at the top of this page.
  • We will notify you via email or in-app notification at least 14 days before changes take effect.
  • Where required by law (GDPR, UAE PDPL), we will obtain your consent before applying the changes.

Continued use of the Service after changes take effect constitutes acceptance. If you disagree, stop using the Service and request account deletion.

15. Data protection contact

For privacy inquiries, data access requests, or complaints:

XPAND ENTERPRISES - FZCO - Data Protection

Address: IFZA Properties, Dubai Silicon Oasis, Dubai, UAE

Email: [email protected]

Product: feedshield.ai

We aim to respond to all privacy-related inquiries within 30 days. For GDPR requests, we are legally required to respond within one month. For CCPA requests, within 45 days.