Privacy Policy
1. Who we are & scope
Optonomous, Inc. (“Optonomous,” “we,” “us”) provides an AI operations platform for e-commerce merchants and, separately, licenses de-identified research datasets derived from platform activity. This policy explains how we handle information across both activities. It covers our websites, the Optonomous application, and our merchant-installed app (e.g., on Shopify). Contact: [ privacy@optonomous.ai — TBD ].
For most consumer personal data we process on a merchant's behalf, the merchant is the data controller and Optonomous acts as a processor/service provider; that relationship is governed by our Data Processing Agreement.
2. Information we collect
Merchant account data
Name, business details, email, authentication data, and billing information for the people who sign up for Optonomous.
Store & operations data
When a merchant connects their store, we access data needed to operate the service through platform APIs (e.g., the Shopify Admin API): orders, products, inventory, fulfillment, support messages, subscription and chargeback records, and connected ad-account metrics. We request only what the service needs (data minimization).
Consumer personal data (processed for merchants)
To run support, subscriptions, and disputes, we process personal data of a merchant's customers — such as names, contact details, and order history — strictly on the merchant's instructions.
Usage data
Device, log, and product-usage data from our websites and app.
3. Payment data & PCI
Optonomous does not store full payment card numbers or cardholder authentication data. Payments are processed by [ payment processor — TBD ]. Payment/PCI data is excluded from any dataset at source and never enters our research pipeline.
4. How we use information
- To provide, operate, secure, and improve the platform and its AI agents.
- To communicate with merchants and provide support.
- To process billing and, for enrolled merchants, revenue-share payouts.
- To create de-identified and aggregated datasets — only for merchants who opt in (see §5).
- To comply with legal obligations and enforce our Terms.
5. The data program (opt-in + revenue share)
Merchants may choose to enroll in our data program. If they do:
- We derive de-identified datasets from their operational activity and license them to third parties such as AI labs.
- Enrolled merchants receive a share of the revenue those datasets generate, per the program terms.
- What may be included: de-identified agent actions and outcomes, PII-scrubbed support conversations, and de-identified or aggregated basket/catalog signal.
- What is never included: customer PII (names, emails, addresses), payment/PCI data, or any data from merchants who have not opted in.
- Participation is optional and reversible — merchants can opt out at any time (see §10).
See Data & Trust for a plain-language overview.
6. De-identification
Before any data is used for the data program, it passes a fixed pipeline: PII redaction before data leaves the source system; re-identification risk scoring against k-anonymity thresholds; aggregation for cohort-level products; and hard exclusion of PCI/payment data. We treat resulting datasets as de-identified and apply contractual restrictions against re-identification.
7. Shopify Protected Customer Data
Where we access customer data through Shopify, we comply with Shopify's Protected Customer Data requirements, including data minimization, purpose limitation, retention limits, and applicable security and consent obligations. [ Confirm protection level & specific commitments — TBD with counsel/Shopify review. ]
8. How we share information
- Sub-processors / service providers that help us run the platform (hosting, infrastructure, analytics, payments): [ list — TBD ].
- De-identified dataset licensees, only for opted-in merchants and only de-identified data (§5–6).
- Legal & safety disclosures where required by law.
- Business transfers in connection with a merger, acquisition, or asset sale.
We do not sell consumer PII.
9. Data retention
We retain personal data for as long as needed to provide the service and for legitimate business or legal purposes, then delete or de-identify it. Retention periods: [ schedule — TBD ].
10. Your choices & rights
Depending on your location, you may have rights to access, correct, delete, or port your personal data, and to object to or restrict certain processing. Consumers of a merchant should direct requests to that merchant; we assist merchants in fulfilling them and, where applicable, propagate deletions to derived datasets. Merchants can opt out of the data program at any time, which halts new collection. To make a request: [ contact / portal — TBD ].
11. Security
We use administrative, technical, and physical safeguards appropriate to the sensitivity of the data. See Data & Trust. [ Certifications / audits — TBD ]
12. International transfers
We may process data in countries other than your own. Where required, we use appropriate transfer mechanisms such as [ SCCs / other — TBD ].
13. Children
The service is not directed to children, and we do not knowingly collect personal data from children.
14. Changes
We will post updates here and revise the “last updated” date; material changes will be communicated as required.
15. Contact
Questions or requests: [ privacy@optonomous.ai / mailing address / DPO — TBD ].