Privacy Policy
Last updated: 28 April 2026 · Effective from: 28 April 2026
In this Privacy Policy ("Policy"), references to "We", "Us" or "Our" mean Alpomi Ltd, whose registered address is 3 Centenary Sq, Birmingham B1 2DR, United Kingdom. This Policy describes how Alpomi collects, uses, discloses, transfers and protects personal information in connection with our marketing website at alpomi.com and our business-intelligence software-as-a-service (the "Platform", accessible at app.alpomi.com).
We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) and the Data Protection Act 2018. We are registered as a data controller with the UK Information Commissioner's Office.
Please read this Policy carefully. If you have any questions, contact our Privacy Team at privacy@alpomi.com.
1. Our Role — Controller and Processor
Alpomi acts in two different capacities depending on the data involved:
- Controller: for personal information about visitors to our marketing website, prospects, our account holders (the individual users who sign in to the Platform), our billing contacts and our staff. We decide why and how this information is processed.
- Processor: for personal information contained within data that our business customers ("Customers") upload to or connect to the Platform — for example Shopify customer records, advertising-account data, analytics data, contact exports or CRM data. In relation to that data, our Customer is the controller and Alpomi processes it on the Customer's documented instructions under a Data Processing Agreement. See our Data Processing Agreement for the processor terms.
2. Definitions
| Term | Definition |
|---|---|
| "Account" | An account required to access and use the Platform. |
| "Customer" | A business or agency that subscribes to the Platform. |
| "Customer Data" | Personal information contained within data uploaded to or connected with the Platform by or on behalf of a Customer (e.g. Shopify customer data, ad-account data). |
| "Personal Information" / "Personal Data" | Any information relating to an identified or identifiable natural person. |
| "Platform" | Our business-intelligence SaaS product, accessible at app.alpomi.com. |
| "Process" | Any operation or set of operations performed on Personal Information, whether or not by automated means. |
| "Site" | Our marketing website at alpomi.com. |
| "Sub-processor" | A third-party service provider engaged by Alpomi to process Personal Information on our behalf. Our current list is at alpomi.com/sub-processors. |
| "UK GDPR" / "EU GDPR" | The UK and EU General Data Protection Regulations, together with relevant national implementations. |
| "We/Us/Our" | Alpomi Ltd, 3 Centenary Sq, Birmingham B1 2DR. |
3. What Personal Information We Collect
3.1 Marketing website visitors
- Contact details you submit through forms (name, email, company, phone, role).
- Technical data collected automatically by our servers and infrastructure: IP address, user-agent, referring URL, pages visited, timestamps, rough geolocation derived from IP.
- Cookies — we use only strictly necessary cookies on the Site. See our Cookie Policy.
3.2 Platform account holders
- Identity and contact data: name, email address, business phone number, job role, password hash, multi-factor-authentication state.
- Company data: company name, website, industry, address, VAT / tax number, logo.
- Billing data: billing contact name, email, billing address, subscription plan, invoices and payment history. Card numbers are collected by our payment processor (Stripe) and never stored on our systems.
- Usage data: feature interactions, tool runs, AI credits consumed, login times, session identifiers, audit events required for security and billing.
- Support data: content of support emails, chat messages and any attachments you send us.
- Content you create: strategies, tasks, notes, recommendations, AI prompts and any files you upload.
3.3 Customer Data (processed on behalf of Customers)
When a Customer connects a third-party service to the Platform, data flows from that service into our database and is processed so that the Platform can compute analytics, attribution, AI recommendations and executive reports. Depending on the integrations enabled, Customer Data may include:
- E-commerce data from Shopify and Taobao (order records, line items, customer names and email addresses, transaction amounts, shipping addresses).
- Advertising data from Meta Ads (Facebook and Instagram) and Google Ads (campaigns, ad sets, creatives, audience insights, spend, attribution paths).
- Analytics data from Google Analytics 4, Google Search Console and Google Tag Manager (aggregated and event-level traffic, conversion, attribution and SEO data).
- Pixel data collected by the Alpomi Pixel when deployed by a Customer on their properties (page views, events, UTM parameters, device and browser details, timestamps).
- API credentials and OAuth tokens for the services the Customer authorises. Tokens are encrypted at rest.
We do not allow third-party or public artificial intelligence or machine learning models (or the providers that operate them) to train on Customer Data we access or process, and we do not sell it. We process Customer Data only to provide, secure, maintain and improve the Platform and to fulfil our contract with the Customer.
3.4 API integrations (Limited Use)
The use of raw or derived user data received from Workspace APIs will adhere to the applicable User Data Policy, including the Limited Use requirements.
We use data obtained through those integrations only to provide the Platform features the relevant Customer has connected and authorised, in line with that User Data Policy and Limited Use requirements. We do not allow third-party or public artificial intelligence or machine learning models (or their providers) to train on that data. Our processing complies with those policies.
4. Legal Basis for Processing
We rely on the following lawful bases under Article 6 of the UK/EU GDPR, depending on the activity:
| Activity | Lawful basis |
|---|---|
| Providing the Platform to an account holder and billing them | Performance of a contract (Art 6(1)(b)) |
| Processing Customer Data connected through integrations | Performance of the Customer's instructions under our DPA; processor role (Art 28) |
| Product analytics, service security, fraud prevention, service improvement | Legitimate interests (Art 6(1)(f)) — balanced against your rights |
| Direct marketing emails to prospects and customers | Legitimate interests (soft opt-in) or consent (Art 6(1)(a)) — you can opt out at any time |
| Responding to law-enforcement and regulatory requests | Legal obligation (Art 6(1)(c)) |
| Keeping tax, accounting and statutory records | Legal obligation (Art 6(1)(c)) |
5. How We Use Personal Information
We use Personal Information to:
- Create and administer your Account and billing relationship.
- Deliver, maintain, secure and improve the Platform.
- Compute analytics, attribution, AI recommendations and reports based on data you or your Customer connect.
- Respond to support enquiries and operational communications.
- Send transactional messages (e.g. invoice receipts, security alerts, service-status updates).
- Send marketing communications where we have a lawful basis, with an unsubscribe link in every message.
- Detect, investigate and prevent fraud, abuse and security incidents.
- Comply with our legal, tax and regulatory obligations.
We do not sell Personal Information. We do not use Customer Data for targeted advertising. We do not allow third-party or public artificial intelligence or machine learning models (or their providers) to train on Customer Data we access or process.
6. Data Retention
We retain Personal Information only for as long as needed for the purposes set out in this Policy, unless a longer retention period is required or permitted by law. Our standard retention periods are:
| Category | Retention period |
|---|---|
| Account and Customer Data | Duration of the subscription; deleted within 30 days after account closure or on request, except where longer retention is legally required. |
| Backups containing Personal Information | Up to 30 days after deletion, after which backups rotate out. |
| Billing and tax records (invoices, payment records) | 6 years from the end of the financial year (UK HMRC requirement). |
| Security logs and audit trails | 12 months, unless needed for an ongoing investigation. |
| Marketing contact data (prospect lists) | Until you unsubscribe, then suppression list only. |
| Support tickets and email correspondence | 3 years after ticket closure. |
| Web-server and application logs (IP, user-agent) | 90 days unless flagged for security review. |
7. Sub-processors and Sharing
We use a number of sub-processors to host, secure and operate the Platform. We contractually require each of them to implement appropriate technical and organisational measures, to process Personal Information only under our instructions and to support us in responding to data-subject requests. A complete and up-to-date list, including the sub-processor's location and transfer mechanism, is published at alpomi.com/sub-processors.
Our sub-processors currently include (in summary):
- Hosting and database: Supabase (managed Postgres, storage, authentication), Vercel (application hosting and edge compute), Amazon Web Services (Lambda, SQS, CloudWatch), Upstash (Redis cache).
- Payments and billing: Stripe.
- Transactional email: Resend.
- AI inference providers: we use external providers only to generate recommendations, content and summaries when you or your Customer trigger those features. Prompts and responses are handled under each provider's data-processing terms and, where available, limited-retention settings. We do not permit those providers to use Customer Data or prompts to train public or general-purpose systems.
- Integrations (data source APIs): e-commerce, advertising, analytics, search, tag management and other services you or your Customer connect — data flows from those sources into the Platform when an integration is enabled.
We do not sell, rent or lease Personal Information. We may share Personal Information only (a) with sub-processors as above; (b) with your consent or at your instruction; (c) where required by law or by a competent authority; (d) in connection with a reorganisation, merger or sale of the business (in which case we will give you reasonable notice).
8. International Transfers
Our primary data infrastructure is located within the European Economic Area and the United Kingdom:
- Our application database (Supabase / managed Postgres) is hosted in Germany (eu-central-1, Frankfurt).
- Our asynchronous-processing infrastructure (AWS Lambda, SQS, CloudWatch) runs in the United Kingdom (eu-west-2, London).
Some of our other sub-processors are established outside the UK / EEA — notably in the United States (payments, transactional email, AI model providers) — or, at the Customer's instruction, receive data from non-EEA data sources (e.g. a Customer connecting a Taobao store). When we transfer Personal Information outside the UK / EEA, we rely on one or more of the following safeguards required by UK / EU data-protection law:
- UK or EU adequacy decisions (where available for the destination country);
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- EU Standard Contractual Clauses (2021 modules);
- EU–U.S. Data Privacy Framework and its UK Extension, where a sub-processor is certified;
- Additional supplementary measures such as encryption in transit and at rest, pseudonymisation, and reduced retention.
The specific location and transfer mechanism for each sub-processor is listed at alpomi.com/sub-processors. Copies of the relevant transfer agreements are available on request at privacy@alpomi.com.
9. Security
We implement appropriate technical and organisational measures designed to protect Personal Information against unauthorised or unlawful processing and against accidental loss, destruction or damage. These include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 at the hosting layer).
- Row-level security on tenant data, strict access controls and the principle of least privilege for our staff.
- Multi-factor authentication on administrative consoles.
- Secrets management with rotation for API keys and OAuth tokens.
- Logging and monitoring of security-relevant events, with an incident-response runbook.
- Regular dependency and platform patching; periodic internal security reviews.
- Sub-processors are selected to hold recognised security certifications (e.g. SOC 2, ISO 27001) where relevant.
No system is completely secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify you without undue delay where required by law.
10. Your Rights
Subject to applicable law you have the following rights in relation to your Personal Information:
- Access — obtain a copy of the Personal Information we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data (subject to legal-retention exceptions).
- Restriction — ask us to suspend processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Lodge a complaint — with the UK Information Commissioner's Office (ico.org.uk) or another competent EEA supervisory authority.
Account holders can exercise access, erasure and portability rights self-service from inside the Platform: go to Settings → Privacy → "Export my data" or "Delete my account". Alternatively, contact us at privacy@alpomi.com. We will respond within one month of receipt (extendable by up to two months for complex requests, with notice).
If you are an end-user whose data has been uploaded to the Platform by one of our Customers, please direct your request to that Customer. We will assist them in responding.
11. Automated Decision-Making and AI
The Platform uses automated analysis, including machine-learning and large-language models, to generate analytics, benchmarks, recommendations and content. These outputs are decision-support aids for you or your Customer; they do not produce legal or similarly significant effects on any individual on their own. Outputs are reviewed and actioned by a human operator (account holder).
If you believe an automated output has been used in a way that significantly affects you, please contact us to request a review.
12. Children
The Platform and Site are intended for business use by adults (18+). We do not knowingly collect Personal Information from children under 16. If you believe a child has provided us with Personal Information, please contact privacy@alpomi.com and we will delete it.
13. Cookies and Similar Technologies
The marketing Site uses only strictly necessary cookies. The Platform uses cookies strictly necessary to authenticate and maintain a session. See our Cookie Policy for details.
If a Customer deploys the Alpomi Pixel on their own properties, the pixel operates only to the extent permitted by the Customer's own cookie-consent mechanism; the Customer is the controller for that processing.
14. Changes to This Policy
We may update this Policy from time to time. If changes are material we will notify account holders by email or in-product notice before they take effect, and we will update the "Last updated" date above. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.
15. Contact Us
For any questions or to exercise any of your rights, contact our Privacy Team:
Alpomi Ltd — Privacy Team
3 Centenary Sq, Birmingham B1 2DR, United Kingdom
Email: privacy@alpomi.com
If you are based in the EEA and require an EU representative under Article 27 of the EU GDPR, contact us at the address above and we will provide our appointed representative's details.
16. Complaints
You have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EEA supervisory authority. We would, however, appreciate the chance to address your concerns first, so please contact us before approaching the regulator.