Privacy Policy for PODai
1. Introduction
This Privacy Policy describes how PODai ("we", "our", or "us") collects, uses, and protects information when you use our Shopify application. PODai is a Shopify embedded app that enables merchants to offer AI-powered custom image generation on their product pages.
By installing and using PODai, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information Collected Through Shopify APIs
When you install PODai, we access the following information through Shopify's APIs:
- Store Information: Shop domain, store name, and Shopify store ID
- Product Data: Product IDs, titles, and tags for products you configure to use AI generation features
- OAuth Access Tokens: Securely stored tokens to authenticate API requests on your behalf
2.2 Information Collected Directly From Merchants
Through the PODai admin interface, we collect:
- App configuration settings (prompts, image quality preferences, usage limits)
- Billing plan selection and subscription preferences
- Support requests and communications you send to us
2.3 Information Collected From Your Customers
When your customers use the AI image generation feature on your storefront, we collect:
- IP Addresses: Used for rate limiting and preventing abuse
- Customer IDs: If provided by your theme, used to enforce per-customer usage limits
- Uploaded Images: Customer-provided images are temporarily processed for AI generation, then immediately deleted after processing
- Text Prompts: Customer input describing desired image modifications
- Generated Images: AI-generated images are stored temporarily (24 hours maximum) to allow customers to download them, then automatically deleted
2.4 Automated Technical Information
We automatically collect:
- API request logs and timestamps (for debugging and performance monitoring)
- Error logs and diagnostic information (to troubleshoot issues)
- Browser type and version (when customers use the storefront feature)
3. How We Use Your Information
3.1 Primary Uses (Core App Functionality)
We use your information to provide the core features of PODai:
- AI Image Generation: Process customer requests to generate custom images using OpenAI's API
- Product Configuration: Manage which products have AI generation enabled and their specific settings
- Usage Enforcement: Track usage against your billing plan limits to ensure fair use
- Billing: Calculate usage-based charges and process payments through Shopify's billing system
3.2 Additional Business Uses
Beyond core functionality, we use collected information for these business purposes:
- Security and Fraud Prevention: Detect and prevent abuse, spam, and malicious activity through rate limiting and IP tracking
- Technical Support: Diagnose and troubleshoot issues you report through error logs and usage data
- Service Improvement: Analyze aggregated, anonymized usage patterns to improve app performance and develop new features
- Compliance: Meet legal obligations including responding to GDPR data subject requests
We do not sell your data to third parties, use it for advertising purposes, or share it with anyone except as described in the "Third-Party Services" section below.
4. Third-Party Services
PODai integrates with the following third-party services that may have access to your data:
4.1 OpenAI
We use OpenAI's API to generate custom images. When customers request image generation:
- User-provided images and text prompts are sent to OpenAI for processing
- OpenAI processes this data according to their own privacy policy
- OpenAI's data usage policy: https://openai.com/policies/privacy-policy
- We do not control how OpenAI uses this data beyond the scope of image generation
4.2 Shopify
PODai is built on the Shopify platform and uses Shopify's APIs to access your store data. Shopify's privacy policy applies: https://www.shopify.com/legal/privacy
5. Data Storage and Security
5.1 Where We Store Your Data
Your data is stored in a secure PostgreSQL database. Database access is restricted to authorized personnel only and protected by industry-standard security measures.
5.2 Security Measures
We implement industry-standard security practices:
- All data transmissions use HTTPS/TLS encryption
- OAuth tokens are securely stored and never exposed to client-side code
- Database credentials are stored as environment variables and never committed to code
- Access to production systems is restricted and logged
- Rate limiting is applied to prevent abuse and DoS attacks
5.3 Data Retention
- Merchant Data: Stored for as long as you have the app installed. Deleted when you uninstall the app or upon request.
- Generated Images: Automatically deleted after 24 hours to minimize data storage
- Usage Records: Retained for billing purposes and may be aggregated for analytics
- Session Data: OAuth sessions expire according to Shopify's standard session management
6. Your Rights and Choices
6.1 Access and Correction
You can access and update your configuration data through the PODai admin interface within your Shopify admin panel.
6.2 Data Deletion
You have the right to request deletion of your data:
- Uninstall the App: When you uninstall PODai, your store configuration and associated data are automatically removed from our systems
- Manual Request: Contact us at support@podai.it.com to request data deletion
6.3 Data Portability
You can request a copy of your data by contacting support@podai.it.com. We will provide your data in a structured, machine-readable format.
7. GDPR Compliance
PODai complies with the General Data Protection Regulation (GDPR) and processes personal data lawfully, fairly, and transparently.
7.1 Legal Basis for Processing
We process your data based on:
- Contractual Necessity: To provide the app services you've subscribed to
- Legitimate Interests: To improve our services, prevent fraud, and ensure security
- Consent: When required, we obtain explicit consent for data processing
7.2 Shopify GDPR Webhooks
We have implemented Shopify's mandatory GDPR webhooks to handle data subject requests:
- customers/data_request: Acknowledges customer data access requests; merchants are responsible for fulfilling data subject requests directly with their customers
- customers/redact: Removes customer data upon request
- shop/redact: Removes all merchant data after app uninstallation (48 hours after uninstall)
7.3 Your GDPR Rights
Under GDPR, you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Object to processing of your data
- Request restriction of processing
- Request data portability
- Withdraw consent at any time
To exercise any of these rights, contact us at support@podai.it.com.
8. Children's Privacy
PODai is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:
- Updating the "Effective Date" at the top of this policy
- Sending notification through the Shopify admin (for significant changes)
- Posting a notice in the app interface
Your continued use of PODai after changes are posted constitutes your acceptance of the updated Privacy Policy.
10. International Data Transfers and Geographic Processing
10.1 Data Processing Locations
Your data may be processed and stored on servers located in various jurisdictions, which may include locations outside of your country of residence or the European Economic Area (EEA).
10.2 Cross-Border Data Transfers
When data is transferred internationally, we ensure compliance with applicable data protection laws including GDPR. We implement appropriate safeguards such as:
- Standard Contractual Clauses approved by the European Commission
- Ensuring service providers maintain adequate data protection standards
- Encryption of data in transit and at rest
10.3 Third-Party Processing
Data sent to OpenAI for image generation is processed according to OpenAI's data processing locations and practices. Please refer to OpenAI's privacy policy for information about their data processing locations.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@podai.it.com
App Name: PODai
12. Shopify App Compliance
PODai complies with Shopify's App Store requirements and Partner Program Agreement. We follow Shopify's data protection and privacy guidelines for all app developers.
This privacy policy was last updated on February 24, 2026. By using PODai, you acknowledge that you have read and understood this Privacy Policy.