Privacy Policy
01 Overview
SocialEngine Agency ("SocialEngine," "we," "us," or "our") operates the social media management platform at socialengine.agency (the "Service"). This Privacy Policy applies to all users of the Service, including merchants who access SocialEngine via the Shopify App Store and direct subscribers.
By creating an account, installing our application, or otherwise using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
This Privacy Policy is incorporated into and forms part of our Terms of Service.
02 Who We Are
For the purposes of applicable data protection law:
SocialEngine Agency
Website: socialengine.agency
Email: hello@socialengine.agency
As a "data controller" (under GDPR) or "business" (under CCPA), we determine the purposes and means of processing personal data we collect from you. Where we engage third-party processors, we enter into data processing agreements to ensure your data is handled lawfully and securely.
03 Data We Collect
We collect the following categories of data in connection with providing the Service:
Account & Identity Data
- Full name — provided at registration;
- Email address — used for account access, billing communications, and product updates;
- Shopify store URL — used to identify and connect your store;
- Account credentials — hashed passwords (we never store plaintext passwords).
Shopify Store Data
- Product catalog — product titles, descriptions, images, pricing, variants, and SKUs;
- Inventory data — stock levels, inventory locations, and fulfillment details;
- Store metadata — store name, currency, locale, and timezone;
- Order data — limited order data as required to deliver inventory-aware content (processed in aggregate; individual customer PII from orders is not stored long-term).
Social Media Account Data
- OAuth access tokens and refresh tokens — credentials that authorize SocialEngine to publish and retrieve analytics on your behalf;
- Platform profile data — account names, follower counts, and business profile information as returned by platform APIs;
- Content performance data — engagement metrics (likes, comments, shares, reach, impressions) for content published via SocialEngine.
Billing & Payment Data
- Payment transactions are processed by Stripe or through Shopify Billing. We do not store full credit card numbers or financial account numbers. We receive and store billing confirmation records, subscription status, and plan information.
Usage & Technical Data
- Log data — IP address, browser type, operating system, pages visited, timestamps, and referring URLs;
- Device data — device type, screen resolution, and browser version;
- Feature usage data — which features you use, content scheduling actions, and AI generation requests (without storing the full generated output long-term unless you save it);
- Error and performance data — crash reports and performance metrics used to diagnose and improve the Service.
Communications Data
- Emails, support tickets, and chat messages you send to us;
- Survey responses and feedback you voluntarily provide.
What We Do Not Collect
- We do not collect sensitive personal information such as government ID numbers, financial account numbers, health data, or biometric data;
- We do not collect personal data about your Shopify store's end customers beyond what is minimally necessary for inventory-aware features, and we do not use such data for any purpose other than providing the Service to you.
04 How We Collect Data
| Method | Description |
|---|---|
| Direct input | Data you provide when creating an account, filling out forms, or contacting support |
| Shopify API | Store data accessed via OAuth-authorized Shopify API calls after you install and authorize the app |
| Social media APIs | Data from connected social platforms via OAuth, after you grant publishing and analytics permissions |
| Automatic collection | Technical and usage data collected automatically as you interact with the Service (see Cookies section) |
| Third-party processors | Billing confirmations from Stripe; analytics from infrastructure providers |
05 How We Use Your Data
We use the data we collect for the following purposes:
Service Delivery
- Providing, operating, and maintaining the Service;
- Generating AI-powered social media content tailored to your store's products, inventory, and brand voice;
- Scheduling and publishing posts to your connected social media accounts;
- Analyzing content performance and delivering analytics dashboards;
- Conducting inventory analysis to surface relevant products for promotion.
Account & Billing Management
- Creating and managing your account;
- Processing subscription payments and managing billing cycles;
- Sending transactional emails including receipts, renewal notices, and billing alerts;
- Administering the 14-day free trial and managing trial-to-paid conversions.
Communication
- Responding to your customer support requests and inquiries;
- Sending product updates, feature announcements, and service notifications;
- With your consent, sending marketing emails about SocialEngine features or promotions (you may opt out at any time).
Improvement & Development
- Analyzing aggregate usage patterns to improve Service features and user experience;
- Debugging errors and improving platform performance;
- Training and improving AI models using anonymized and aggregated data — we will not use your identifiable business data to train models that benefit other customers without your explicit consent.
Legal & Safety
- Complying with applicable laws, regulations, and legal obligations;
- Enforcing our Terms of Service;
- Detecting, preventing, and responding to fraud, abuse, or security incidents;
- Protecting the rights, property, and safety of SocialEngine, our users, and the public.
Legal Basis for Processing (GDPR)
For users in the EU/EEA, we rely on the following legal bases:
| Processing Purpose | Legal Basis |
|---|---|
| Providing the Service, account management, billing | Performance of a contract (Art. 6(1)(b) GDPR) |
| Fraud prevention, security, legal compliance | Legitimate interests (Art. 6(1)(f) GDPR) |
| Marketing emails, optional analytics | Consent (Art. 6(1)(a) GDPR) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
06 Data Sharing & Disclosure
We do not sell your personal data to third parties. We do not rent or trade your data. We share data only as described below:
Service Providers (Data Processors)
We engage trusted third-party companies to help us deliver the Service. These providers access your data only to perform specific tasks on our behalf and are contractually bound to protect it:
- Stripe — payment processing and subscription management;
- Shopify Inc. — app platform, billing infrastructure;
- AI/ML infrastructure providers — compute infrastructure for content generation (data is processed under strict confidentiality agreements);
- Cloud hosting providers — data storage and application hosting;
- Customer support tools — help desk software for managing support tickets;
- Analytics providers — product analytics to help us understand feature usage (aggregated and anonymized).
Business Transfers
If SocialEngine undergoes a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email or in-app notice prior to your data being transferred and becoming subject to a different privacy policy.
Legal Requirements
We may disclose your data if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation, court order, or government request; (b) enforce our Terms of Service; (c) protect our rights, privacy, safety, or property; or (d) respond to an emergency involving risk to the life or safety of any person.
With Your Consent
We may share your data with additional third parties when you give us explicit consent to do so.
Aggregated or Anonymized Data
We may share aggregated, non-personally identifiable information about users and usage patterns with partners, investors, or publicly. This data cannot reasonably be used to identify you.
07 Data Retention
We retain your data for as long as necessary to provide the Service and fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Account data: Retained for the duration of your active subscription, plus up to 90 days following account closure to allow for reactivation. After 90 days, personal account data is deleted or anonymized.
- Shopify store data: Retained while your subscription is active and for up to 30 days after uninstallation, then deleted. If required by Shopify Partner Program policies, deletion occurs immediately upon receiving a mandatory data erasure webhook from Shopify.
- Social media tokens: Deleted upon disconnection of the platform, or within 30 days of account closure.
- Billing records: Retained for up to 7 years for tax and accounting compliance purposes.
- Log and technical data: Typically retained for 90 days for security and debugging purposes, then purged.
- Support communications: Retained for up to 3 years from the date of the communication.
You may request earlier deletion of your data as described in the Rights sections below, subject to legal retention requirements.
08 Security
We implement industry-standard technical and organizational security measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS 1.2 or higher;
- Encryption of sensitive data at rest (including access tokens and payment information);
- Role-based access controls limiting employee access to personal data on a need-to-know basis;
- Regular security assessments and vulnerability management;
- Secure OAuth 2.0 flows for all third-party integrations;
- Multi-factor authentication options for user accounts.
However, no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant authorities as required by applicable law (within 72 hours under GDPR where feasible).
You are responsible for maintaining the confidentiality of your account credentials and for all activity that occurs under your account. Please use a strong, unique password and enable multi-factor authentication where available.
09 Cookies & Tracking Technologies
We use cookies and similar tracking technologies (such as local storage and session tokens) to operate and improve the Service. Cookies are small data files placed on your device.
Types of Cookies We Use
| Category | Purpose | Required? |
|---|---|---|
| Essential | Authentication session management, CSRF protection, security tokens | Yes — necessary for the Service to function |
| Functional | Remembering your preferences, language, and dashboard layout | No — may be declined |
| Analytics | Aggregate product usage analysis to improve features (anonymized) | No — may be declined |
| Marketing | Tracking interactions with our marketing pages (not placed in the app) | No — may be declined |
Managing Cookies
You can control and delete cookies through your browser settings. Please note that disabling essential cookies will prevent you from using the Service. For analytics and marketing cookies on our marketing website, a cookie consent banner is presented upon first visit. You may change your consent at any time via the cookie preferences link in the site footer.
For more information on managing cookies, visit allaboutcookies.org.
Do Not Track
Some browsers transmit "Do Not Track" (DNT) signals. Our Service does not currently respond to DNT signals from browsers, but we honor equivalent opt-outs made through our cookie preference center and the opt-out mechanisms described in this Policy.
10 GDPR — Rights of EU/EEA Users
If you are located in the European Union or European Economic Area, you have specific rights under the General Data Protection Regulation (GDPR) regarding your personal data. We are committed to upholding these rights.
Right of Access
Request a copy of all personal data we hold about you (Art. 15 GDPR).
Right to Rectification
Request correction of inaccurate or incomplete personal data (Art. 16 GDPR).
Right to Erasure
Request deletion of your personal data ("right to be forgotten") where no lawful basis for retention exists (Art. 17 GDPR).
Right to Restrict
Request that we restrict processing of your data in certain circumstances (Art. 18 GDPR).
Right to Portability
Receive your data in a structured, machine-readable format and transfer it to another controller (Art. 20 GDPR).
Right to Object
Object to processing based on legitimate interests or for direct marketing (Art. 21 GDPR).
Automated Decisions
Not to be subject to solely automated decisions with legal or significant effects (Art. 22 GDPR).
Right to Complain
Lodge a complaint with your local Data Protection Authority (supervisory authority).
How to Exercise Your Rights
To exercise any of these rights, submit a request to hello@socialengine.agency with the subject line "GDPR Data Request." We will respond within 30 days. We may request identity verification before processing your request. Where requests are complex or numerous, we may extend the response period by a further 60 days with notice.
Withdrawing Consent
Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal. To withdraw consent for marketing communications, use the unsubscribe link in any marketing email or contact us directly.
Data Protection Officer
We have not appointed a Data Protection Officer (DPO) as we do not meet the thresholds requiring mandatory DPO appointment. Privacy inquiries are handled by our team at hello@socialengine.agency.
11 CCPA — California Consumer Privacy Rights
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). This section supplements the rest of this Privacy Policy.
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined under CCPA:
- Identifiers — name, email address, IP address, account ID;
- Commercial information — subscription plan, billing history, product/store data;
- Internet or network activity — browsing activity within the Service, log data;
- Geolocation data — general location derived from IP address (city/country level only);
- Professional or employment information — store name and business type.
Your California Privacy Rights
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purposes, and any third parties with whom we shared it;
- Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions (e.g., legal compliance, contractual obligations);
- Right to Correct: Request correction of inaccurate personal information;
- Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required, but you may submit one at any time;
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by CPRA beyond what is necessary for the Service;
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
How to Exercise California Rights
Submit a verifiable consumer request to hello@socialengine.agency with the subject line "California Privacy Request." We will respond within 45 days. You may designate an authorized agent to make requests on your behalf with appropriate proof of authorization.
"Do Not Sell or Share My Personal Information"
We do not sell or share personal information as defined under CCPA/CPRA. If our practices change, we will update this Privacy Policy and provide appropriate opt-out mechanisms.
12 Shopify Store Data & Merchant Data Practices
As a Shopify app, we are required to comply with Shopify's API Terms and Partner Program Agreement. The following describes our specific practices related to Shopify data:
- Data minimization: We request only the Shopify API scopes necessary to deliver the Service. A complete list of requested scopes is displayed during app installation;
- No sale of store data: We do not sell, license, or share your Shopify store data with third parties for their independent business purposes;
- Shopify customer data: We may access limited customer data only to the extent strictly required for inventory-aware features. We do not store, analyze, or market to your Shopify customers independently;
- Mandatory deletion: Upon receiving Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact), we process those requests within the timeframes required by Shopify's policies;
- Data access revocation: You may revoke our access to your Shopify store at any time by uninstalling the app from your Shopify admin. Upon uninstallation, we will cease API calls and begin data deletion as described in the Retention section.
13 Children's Privacy
The Service is intended for business use by adults and is not directed to children under the age of 16 (or 13 in the United States, or such higher age as applicable under local law). We do not knowingly collect personal information from children.
If you believe we have inadvertently collected data from a child under the applicable minimum age, please contact us immediately at hello@socialengine.agency and we will take steps to delete that information promptly.
14 International Data Transfers
SocialEngine operates from the United States. If you are accessing the Service from outside the United States, your data may be transferred to, stored in, and processed in the United States or other countries that may not have data protection laws equivalent to those in your country.
For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States or other third countries, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) — approved by the European Commission for transfers to third countries;
- Adequacy decisions — where the destination country has been deemed to provide adequate protection;
- Consent — in specific circumstances where required by applicable law.
You may request a copy of our transfer safeguards by contacting us at hello@socialengine.agency.
15 Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or applicable law. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page;
- Send a notification to your registered email address;
- Display a prominent in-app notice for a reasonable period.
We encourage you to review this Privacy Policy regularly. For significant changes that require fresh consent (e.g., a new purpose for processing your data), we will seek your explicit consent before the change takes effect. Your continued use of the Service after changes become effective constitutes your acceptance of the updated Policy.
The most current version of this Privacy Policy is always available at socialengine.agency/privacy.
16 Contact & Privacy Requests
For any privacy-related questions, requests to exercise your rights, or concerns about our data practices, please contact us:
Email: hello@socialengine.agency
Website: socialengine.agency
Subject lines for faster processing:
· "GDPR Data Request" — for EU/EEA rights requests
· "California Privacy Request" — for CCPA/CPRA requests
· "Data Deletion Request" — for general deletion requests
· "Privacy Inquiry" — for general questions
We aim to acknowledge all privacy requests within 5 business days and respond fully within the timeframes required by applicable law (30 days for GDPR; 45 days for CCPA).
If you are unsatisfied with our response to a privacy request, you have the right to lodge a complaint with your applicable data protection supervisory authority:
- EU/EEA residents: Contact your national Data Protection Authority. A directory is available at edpb.europa.eu;
- UK residents: Contact the Information Commissioner's Office (ICO) at ico.org.uk;
- California residents: Contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
This Privacy Policy was last reviewed and updated on April 9, 2026. For prior versions, contact hello@socialengine.agency.