Privacy Policy
Last updated: May 31, 2026
This Privacy Policy describes how Convertly ("we," "us," "our") collects, uses, and shares personal data. Convertly is operated in the United States by Convertly (a Delaware-organized entity, "Convertly US") and in India by its Indian operating affiliate (a sole proprietorship, "Convertly India"). Both entities act as data controllers (or, under the Indian DPDP Act, as Data Fiduciaries) for the personal data they collect through the Service.
1. Information We Collect
From brand users (Shopify merchants):
- Account information: name, email, password hash, role
- Shopify store URL, OAuth access token (encrypted at rest)
- Billing identifiers via Shopify (we don't store card numbers)
- Brand profile: business name, address, contact, optional GSTIN
- Usage data: page views, feature interactions, audit-log events
From Shopify webhooks (with your authorization):
- Order data (totals, items, currency)
- Customer data (name, email, address — when required for attribution)
- Product catalog data
From creator users (ambassadors / affiliates):
- Account information: name, email, password hash, profile photo, social handles
- Payout preferences: chosen method (PayPal, UPI, bank, etc.) and account identifier
- Tax KYC data when applicable: India PAN, US SSN/EIN, address, phone. SSN/EIN and similar high-sensitivity identifiers are encrypted at rest using AES-256-GCM and are never returned by our API
- Content submissions: photos, videos, social-post URLs
- Usage data: page views, feature interactions
2. How We Use Your Information
- Provide and maintain the Service (account management, dashboards, integrations)
- Track referrals and attribute orders to creators
- Calculate commissions and surface tax-withholding suggestions
- Generate payout records and notify creators when brands initiate payments
- Send transactional emails (welcome, password reset, payout notifications, audit alerts)
- Provide AI-generated suggestions (email drafts, storefront content, recommendations)
- Improve our product, debug issues, and prevent fraud
- Comply with legal obligations (tax record retention, GDPR/DPDP/CCPA requests)
3. Sub-Processors
We use the following sub-processors to operate the Service. Each is bound by appropriate data-protection terms and (for international transfers from the EU/UK) Standard Contractual Clauses where applicable:
- Shopify — primary integration; OAuth + webhooks + billing
- Vercel — frontend application hosting (US-region)
- Railway — API server hosting
- Neon — managed Postgres (US-East)
- Upstash — managed Redis (job queue, rate limiting)
- Cloudflare — DNS, CDN, R2 object storage for uploads
- ImageKit — image CDN and transformation
- Resend — transactional email delivery
- Sentry — error monitoring
- Crisp — in-app chat (when enabled)
- Anthropic, PBC — large-language-model provider (Claude) for AI features. Inputs are sent only when you use an AI feature; outputs are suggestions only
- Payment providers when configured: PayPal, Stripe, Razorpay — used only when a brand explicitly connects credentials and uses a feature that requires them. As of v1, Convertly itself does not move funds; brands send payments directly
4. Data Sharing and Disclosure
We do not sell personal data. We share data only with the sub-processors listed above to operate the Service, with brands and creators as needed to fulfill the platform's intended function (e.g., a brand sees its creators' payout methods), and where required by law (subpoena, court order, regulatory request).
5. AI Features
Some features (AI email drafts, AI storefront generation, recommendations) send relevant inputs to a third-party large-language-model provider (currently Claude by Anthropic, PBC) under their terms. Inputs may include brand metadata, campaign descriptions, creator profile fields, and related context. Outputs are returned to us and shown as suggestions for you to review. We do not use your data to train third-party models; the LLM provider is contractually limited to processing inputs for the purpose of generating the requested output.
6. Encryption and Security
We use industry-standard security practices. Data is encrypted in transit (TLS 1.2+) and at rest. High-sensitivity identifiers (US SSN/EIN, Shopify OAuth tokens) are encrypted at the application layer using AES-256-GCM with rotating keys. Access to production data is restricted to authorized personnel with least-privilege scoping and is logged.
7. International Transfers
Personal data may be processed in the United States, the European Union, or India depending on the sub-processor. For transfers out of the EEA / UK, we rely on Standard Contractual Clauses (SCCs) and equivalent transfer mechanisms required by applicable law. For transfers between Convertly US and Convertly India for India-side operations, an intra-group data-transfer arrangement is in place.
8. Data Retention
We retain account data while your account is active. Financial records (commissions, payouts, audit logs) are retained for 7 years to comply with US and Indian tax record-keeping requirements. Marketing data is retained until you opt out. After account deletion, residual records required for legal/audit purposes are kept for the retention period and then deleted.
9. Your Rights — GDPR (EU/UK)
If you are in the EEA or UK, you have rights of access, rectification, erasure, portability, restriction of processing, and objection. You may withdraw consent at any time. Submit requests to privacy@convertlyhq.com; we respond within 30 days. You may also lodge a complaint with your local supervisory authority.
10. Your Rights — DPDP Act (India)
If you are in India, you have rights under the Digital Personal Data Protection Act, 2023, including access to a summary of personal data processed, correction and erasure, grievance redressal, and nomination. Convertly India is the Data Fiduciary for India-collected data. Submit requests to privacy@convertlyhq.com; we acknowledge within 7 days and respond within 30. Our designated grievance officer for DPDP matters can be contacted at legal@convertlyhq.com. You may also escalate unresolved complaints to the Data Protection Board of India.
11. Your Rights — CCPA (California)
If you are a California resident, you have rights under the California Consumer Privacy Act / CPRA, including the right to know what personal information we have, to delete it, to correct inaccurate information, and to opt out of any "sale" or "sharing" of personal information. We do not sell personal information. Where our use of sub-processors for analytics or product improvement may be considered "sharing" under CPRA, you may opt out by emailing privacy@convertlyhq.com.
12. Cookies
We use essential cookies for authentication and session management on the Convertly app and website. We use limited analytics cookies (when consented to in EU/UK contexts) to measure usage. We do not use third-party advertising or cross-site tracking cookies.
13. Children
The Service is not directed to children under 18 and we do not knowingly collect personal data from anyone under 18. If you believe we have, contact us to delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before they take effect.
15. Contact Us
General privacy questions: privacy@convertlyhq.com
Legal / DPDP grievance officer: legal@convertlyhq.com
This Privacy Policy is provided for clarity about how the Service processes data. It is not legal advice. If you need legal counsel about your data-protection obligations, consult a qualified attorney.