Privacy Policy

Shopbot Inc.

Effective date: June 5, 2026

1. Introduction and Scope

This Privacy Policy describes how Shopbot Inc. ("Company", "we", "us", "our") collects, uses, and discloses your information when you use our Service. We are committed to protecting your privacy through compliance with global data protection standards.

2. Legal Basis for Processing

We process your Personal Data under the following valid legal bases:

  • Consent: When you have given us clear and explicit consent or permission for a specific purpose.
  • Performance of a Contract: When processing is necessary to deliver the services you requested, manage your account, or fulfill our Terms of Service or other agreements with you.
  • Legitimate Interests: When it is necessary for our business interests, such as ensuring the security of our technical infrastructure, preventing fraud, and improving our AI models and platform security, provided these interests do not override your fundamental privacy rights.
  • Legal Obligation: When we must comply with the law.

3. Types of Data We Collect

While using our Service, we may collect the following:

  • Identity or Personal Data: First and last name, email address, phone number.
  • Usage Data: IP address, browser type, browser version, device identifiers, and other diagnostic data (the pages of our service you visit, the time and date of your visit, the time spent on those pages, and other data collected automatically when you use our service, as well as information that your browser sends to our service from any device).
  • AI Interaction Data: Information provided during "Human-In-The-Loop" (HITL) tasks or AI validation processes.

4. Purposes of Processing (How We Use Your Data)

We process your Personal Data for the following purposes:

  • Provision of Services and Maintenance: To provide access to the Shopbot Platform, manage your account registration, and ensure the technical functionality of our AI and HITL services. (Legal Basis: Performance of a Contract).
  • Contractual Obligations: To fulfill purchase agreements, process payments through Stripe, and manage the relationship between AI Owners and Human Consultants. (Legal Basis: Performance of a Contract).
  • Critical Communications: To send security updates, administrative alerts, and technical notices via email or push notifications. (Legal Basis: Legal Obligation / Contractual Necessity).
  • Customer Support: To manage and respond to your inquiries, requests, and comments. (Legal Basis: Performance of a Contract).
  • Platform Optimization: To analyze usage trends, evaluate the effectiveness of our AI models, and improve the user experience. (Legal Basis: Legitimate Interest).
  • Marketing (Optional): To provide news and offers similar to those you have purchased, provided you have not cancelled your subscription. (Legal Basis: Consent / Legitimate Interest).

5. AI and Automated Decision-Making

  • Human Oversight: We implement Human-In-The-Loop (HITL) protocols to ensure that high-risk outcomes are validated by licensed professionals or qualified human consultants.
  • No Profiling: We do not use your personal data to make automated decisions that have legal or similarly significant effects on you without your explicit consent or a contractual need.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, to comply with applicable legal, tax, or reporting requirements, or to resolve disputes. Usage data used for internal analysis will be retained for shorter periods, except when used to strengthen the security or improve the functionality of our technology infrastructure.

7. Transfer of Your Personal Data

By accessing or using our technological infrastructure, you acknowledge and agree that your Personal Data may be transferred to, stored in, and processed in the United States (where our servers and cloud infrastructure are primarily located) and other countries where our service providers or corporate affiliates (including hosting, payment, analytics, and other partners) are located. In each case we ensure the security of your data.

For data transfers from the European Economic Area (EEA), the United Kingdom, and Switzerland to countries not considered "adequate" by their respective data protection authorities, we guarantee a similar level of protection by implementing at least one of the following safeguards or protection mechanisms:

  • Standard Contractual Clauses (SCCs): We use specific contracts approved by the European Commission and competent authorities that provide personal data with the same protection it enjoys in Europe.
  • Data Protection Framework (DPF): We comply with the EU-U.S., UK-U.S., and Swiss-U.S. Data Protection Frameworks established by the U.S. Department of Commerce.
  • Adequacy Decisions: We prioritize processing data in jurisdictions that have been officially recognized as providing an adequate level of protection for personal data.

8. Sharing and Disclosure of Data

We do not sell your personal data. We only share information in the following strictly defined scenarios:

  • Service Providers: Cloud infrastructure providers, payment processors, and analytics tools, who process data on our behalf under strict confidentiality agreements.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets.
  • Corporate Affiliates: With our parent company or subsidiaries, ensuring they uphold this same Privacy Policy.
  • Legal Mandates: When required by competent authorities pursuant to a valid and applicable legal requirement; to comply with court orders or valid requests from law enforcement authorities; or to protect the safety and rights of our users.

9. Your Privacy Rights

Depending on your location, and in line with global standards, you have the following rights regarding your Personal Data:

  • Access and Portability: Request a copy of your data in a structured, commonly used, and machine-readable format so that you can move it to another service.
  • Correction/Erasure: Request that we fix, modify, correct, or delete your inaccurate or incomplete Personal Data.
  • Erasure: Request the deletion of your account or Personal Data associated with it at any time (or when it is no longer necessary for the purposes for which it was collected) through your account settings or by contacting our support team. Please note that we may retain certain information when we have a legal obligation or a compelling legitimate interest to do so, as outlined in the Data Retention section.
  • Restriction: Request that we suspend processing of your data for specific purposes and scenarios (while we verify the accuracy of the data).
  • Object: You may object to the processing of your data for direct marketing or profiling purposes at any time. You may also object to processing based on our 'Legitimate Interests'.
  • Withdrawal of Consent: If the processing of your data is based on your consent, you may withdraw consent at any time without affecting the lawfulness of the processing carried out before its withdrawal.

10. Security and Data Protection

Security of your personal data is a priority for our Company; therefore, we implement acceptable security measures through a multi-layered security framework. This framework includes industry-standard encryption (AES-256 for data at rest and TLS 1.2+ for data in transit), and access to confidential information is strictly controlled through Multi-Factor Authentication (MFA) and the Principle of Least Privilege (PoLP). Although we have these acceptable security measures in place, maintain a comprehensive internal Information Security Policy (ISP), and conduct periodic vulnerability assessments, no method of electronic transmission or storage is 100% secure. Consequently, in the event of a data breach or compromise of security, our ISP establishes protocols for notifying the relevant authorities and affected users in accordance with applicable legal requirements.

11. Children's Privacy and Age Limits

Our service is designed for professional and business use and is not directed at individuals under the age of 18. We do not collect data or request personally identifiable information from children under the age of 13 (or 16 in the EEA/UK, depending on local law). If we discover that we have collected personal data from anyone under the age of 13 without verification of parental or legal guardian consent, we will immediately delete that information from our servers. If you are a parent or legal guardian and believe that your child has provided us with Personal Data, please contact us at privacy@sanctifai.com.

12. Changes to this Privacy Policy

We may update our Privacy Policy periodically to reflect changes in our practices, technology, or legal obligations. When changes are made, we will notify you once the revised "Last Updated" date at the top of this policy has been published, and the updated policy will be effective from the date published on this page.

In the case of material changes (those that significantly affect your rights or how we handle your data), we will provide you with more prominent notice, which may include an email notification or a notification on the Platform dashboard, before the change takes effect. We encourage you to review this policy periodically.