Privacy Policy
Last updated: 2026-06-24
Controller
The controller responsible for processing personal data on this service is Ian Helmrich, Karolingerallee 9, 69181 Leimen, Germany. Contact: info@aigentably.com. For full legal details see the Impressum.
Data we collect
Account data. When you create an Aigentably account we store your email address, a salted password hash (or OAuth identifier if you sign in with a third party), and basic profile data you choose to provide.
Site configuration. For each website you connect we store the public domain, tool definitions you create, and a public site identifier used in our embed script.
Shopify shop data. When you connect a Shopify store we store the shop domain, the OAuth access token (encrypted at rest with AES-256-GCM), the theme identifier used for the app embed, and metadata about installation status. We request only the scopes listed on the Shopify App Store listing; tokens never leave our servers.
Tool call logs. For each call made by an AI agent to one of your tools we record the tool name, timestamp, originating site, the result status, and the request/response payloads necessary for debugging and analytics. We do not deliberately collect end-user personal data; if your tool definitions cause personal data to flow through Aigentably, you are responsible for that decision under your own privacy policy.
Billing data. Payment processing is handled by Stripe. We store the Stripe customer ID, subscription status, and the Shopify billing charge ID; we never see or store full card numbers.
Legal basis (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)) for account, site, Shopify integration, and billing data.
- Legitimate interests (Art. 6(1)(f)) for security logs, fraud prevention, and short-term tool call logs used for debugging and analytics.
- Consent (Art. 6(1)(a)) where you opt in to optional features such as marketing emails.
- Legal obligation (Art. 6(1)(c)) for tax-relevant records and Shopify privacy-compliance webhook responses.
Subprocessors
- Hetzner Online GmbH (Germany) — hosting and database storage.
- Stripe, Inc. (USA, SCCs in place) — subscription billing for non-Shopify customers.
- Shopify Inc. (Canada) — OAuth, merchant-managed billing, and Admin API access for shops you connect.
- Resend (USA, SCCs in place) — transactional email delivery.
- OpenAI / Anthropic (USA, SCCs in place) — only when you explicitly use the AI tool-generation feature. Prompts and generated outputs pass through these providers; we do not send your tokens or customer data.
Retention
Account data is kept while your account is active and for up to 30 days after deletion to handle reversal requests and abuse investigations. Tool call logs are retained for 90 days then purged.
Shopify-specific retention. When a merchant uninstalls Aigentably from their store, or when Shopify sends a shop/redact webhook, all shop data (access tokens, theme metadata, install state) is deleted within 48 hours. customers/redact and customers/data_request webhooks are handled per Shopify's privacy-compliance requirements; since Aigentably does not persist Shopify customer records, these requests are completed by confirming no such data exists in our systems.
Your rights (GDPR Art. 15–22)
You have the right to access, rectify, erase, restrict processing of, port, and object to processing of your personal data. To exercise any of these rights email info@aigentably.com. We respond within 30 days.
You may also lodge a complaint with a supervisory authority. The competent authority for the controller is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg.
Cookies and tracking
We use a small number of strictly necessary cookies for authentication and CSRF protection. We do not use third-party advertising or cross-site tracking cookies. Analytics, where used, are aggregated and do not rely on persistent identifiers.
International transfers
Where subprocessors are located outside the EU/EEA, transfers are governed by the EU Standard Contractual Clauses (Commission Decision 2021/914) and supplementary measures where required.
Security
All Shopify access tokens are encrypted at rest with AES-256-GCM. All traffic to the service is TLS-encrypted. Webhook signatures are verified with HMAC-SHA256 before processing.
Changes
We may update this policy from time to time. Material changes will be announced by email to active account holders at least 14 days before they take effect.