Privacy Policy

Last Updated: February 1, 2026

1. Introduction

Visibility Kit commits to protecting user privacy. This policy outlines how the company collects, uses, discloses, and safeguards information when users access the AI Engine Optimization service.

2. Information We Collect

2.1 Account Information

The platform gathers email addresses and profile details users voluntarily provide. Google OAuth sign-ups result in receipt of name and email from Google.

2.2 Product Data

For Shopify stores, we collect product information including:

  • Product titles, descriptions, and metadata
  • Product images and pricing
  • Inventory levels and variants
  • Product categories and tags

For non-Shopify brands, product data is uploaded via CSV or API integration.

2.3 AI Visibility Metrics

We collect performance data including:

  • AI shopping agent recommendations and rankings
  • Query performance across AI shopping agents that consume Shopify's Storefront Catalog MCP
  • Competitive positioning data
  • Visibility scores and trends

2.4 Payment Information

Stripe handles payment processing. The service collects encrypted card details and billing addresses. Full payment credentials are not stored by Visibility Kit.

2.5 Usage Data

The platform automatically collects interaction data including pages visited, features used, browser type, IP address, and device information.

3. How We Use Your Information

  • Provide and maintain AI visibility monitoring services
  • Send audit reports and visibility alerts
  • Generate competitive analysis and recommendations
  • Process payments and manage subscriptions
  • Improve services and develop features
  • Communicate account updates
  • Detect and prevent fraud
  • Comply with legal obligations

4. Legal Basis for Processing (GDPR)

EEA users' data processing relies on:

  • Contract: Service provision requirements
  • Legitimate Interest: Service improvement, fraud prevention, security
  • Consent: Optional features like marketing
  • Legal Obligation: Regulatory compliance

5. Data Sharing and Third Parties

Data is shared with:

  • Supabase: Database and authentication (USA)
  • Stripe: Payment processing (USA)
  • Google: OAuth authentication
  • Shopify: App integration and product sync
  • Vercel: Application hosting (USA)

Personal information is not sold. Disclosure occurs only when legally required or to protect rights.

6. International Data Transfers

Data may be transferred to the United States where service providers operate. EEA users benefit from Standard Contractual Clauses and safeguards.

7. Data Retention

  • AI Visibility Metrics: Per subscription plan (30 days to 1 year)
  • Account Information: Until deletion
  • Payment Records: 7 years for tax compliance
  • Usage Logs: Up to 90 days

Anonymized or aggregated data may be retained after account deletion.

7.1 Shopify Store Data — Post-Uninstall Retention

When you uninstall the VisibilityKit app from your Shopify store, your store data follows this retention path:

  • Immediately on uninstall: your store is marked inactive and we stop using or displaying any data from it.
  • Within 48 hours: when Shopify sends us the mandatory shop/redact webhook, we hard-delete all data associated with your store — synced products, audit history, recommendations, competitor lists, prompts, and OAuth session tokens.
  • 60-day safety net: if Shopify's shop/redactwebhook is never received (e.g. delivery failure), an internal daily job automatically hard-deletes any store still marked as uninstalled past 60 days. No store data persists beyond that window.
  • Customer-level data: VisibilityKit does not store personally-identifiable customer information from your store. We honour the customers/data_request and customers/redactwebhooks by logging the request and confirming we hold no such data.

Reinstalling within the 60-day window restores access to your existing store record. After deletion you start with a fresh sync.

8. Data Security

Security measures include:

  • TLS 1.3 encryption in transit
  • Encryption at rest
  • Unique API keys for Shopify integration
  • Regular security audits
  • Access controls and authentication

No transmission method guarantees absolute security.

9. Your Rights

9.1 All Users

  • Access personal data via dashboard
  • Correct inaccurate information
  • Delete accounts and data
  • Export data in portable format
  • Opt out of marketing communications

9.2 EEA Users (GDPR)

  • Object to processing based on legitimate interests
  • Restrict processing in certain circumstances
  • Withdraw consent anytime
  • Lodge complaints with local data protection authorities

9.3 California Users (CCPA)

  • Know what information is collected
  • Know if information is sold or disclosed
  • Opt out of sales (data not sold)
  • Non-discrimination for exercising rights

9.4 Indian Users (DPDPA)

  • Access personal data
  • Correct or erase personal data
  • Grievance redressal
  • Nominate representatives

We acknowledge complaints within 2 working days, resolving within 10 business days. Escalation to India's Data Protection Board available.

10. Data Breach Notification

The company notifies affected users via email within 72 hours of discovering breaches, per GDPR and DPDPA requirements. Regulatory authorities, including India's Data Protection Board, receive notification where required.

11. Children's Privacy

Services are not directed to children under 16. The company does not knowingly collect information from minors.

12. Changes to This Policy

Updates occur periodically with notification via email or the service. Continued use constitutes acceptance of changes.

13. Contact Us

Questions or rights exercise requests: support@visibilitykit.app

GDPR inquiries may be directed to local data protection authorities.