🔒 Privacy Policy

1. Introduction

Welcome to Contento AI ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Instagram Post Generator application for Shopify stores (the "Service"). We are committed to protecting your privacy and ensuring transparency about our data practices.

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, do not use our Service.

2. Information We Collect

2.1 Personal Information You Provide

When you use our Service, we may collect the following types of personal information that you voluntarily provide:

Account Information:

• Name and Contact Details: Full name, email address, phone number
• Authentication Data: Username, password (encrypted), security questions
• Profile Information: Profile picture, bio, preferences

Business Information:

• Shopify Store Data: Store name, URL, product information, inventory data
• Instagram Business Account: Account handle, business profile information
• Payment Information: Billing address, payment method details (processed securely through third-party providers)

Content and Communications:

• Generated Content: AI-generated posts, captions, hashtags
• User-Generated Content: Custom posts, images, text modifications
• Communications: Support tickets, feedback, survey responses

2.2 Information We Collect Automatically

Usage and Analytics Data:

• Application Usage: Features used, time spent, click patterns, navigation paths
• Performance Data: Load times, error logs, crash reports
• Engagement Metrics: Post performance, user interactions, conversion rates

Technical Information:

• Device Information: Device type, operating system, browser version, screen resolution
• Network Data: IP address, ISP, geographic location (city/country level)
• Cookies and Identifiers: Session IDs, device identifiers, tracking pixels

2.3 Information from Third Parties

Shopify Integration:

• Store Data: Product catalogs, inventory levels, sales data, customer information
• App Permissions: Data accessed through Shopify API with your explicit consent

Instagram Business API:

• Account Metrics: Follower count, engagement rates, post performance
• Content Data: Published posts, stories, media files

3. How We Use Your Information

We use the information we collect for legitimate business purposes, including:

3.1 Service Provision and Enhancement

• AI Content Generation: Creating personalized Instagram posts, captions, and hashtags based on your Shopify products
• Platform Integration: Connecting your Shopify store with Instagram Business accounts
• Content Optimization: Analyzing performance data to improve content recommendations
• Feature Development: Developing new features and improving existing functionality

3.2 Communication and Support

• Customer Support: Responding to inquiries, troubleshooting issues, providing technical assistance
• Service Updates: Notifying you about new features, updates, and important changes
• Marketing Communications: Sending promotional content (with your consent)
• Transactional Messages: Order confirmations, billing notifications, security alerts

3.3 Security and Compliance

• Fraud Prevention: Detecting and preventing unauthorized access and fraudulent activities
• Security Monitoring: Monitoring for security threats and vulnerabilities
• Legal Compliance: Complying with applicable laws, regulations, and legal processes
• Terms Enforcement: Enforcing our Terms of Service and other policies

3.4 Analytics and Improvement

• Usage Analytics: Understanding how users interact with our Service
• Performance Optimization: Improving application speed, reliability, and user experience
• A/B Testing: Testing new features and improvements
• Business Intelligence: Analyzing trends and patterns to make informed business decisions

4. Information Sharing and Disclosure

We respect your privacy and do not sell your personal information. We may share your information only in the following circumstances:

4.1 Service Providers and Business Partners

• Cloud Infrastructure: AWS, Google Cloud, or similar providers for hosting and data storage
• Payment Processors: Stripe, PayPal, or other secure payment gateways
• Analytics Services: Google Analytics, Mixpanel for usage analytics (anonymized data)
• AI/ML Services: OpenAI, Google AI for content generation capabilities
• Customer Support: Zendesk, Intercom for customer service tools

4.2 Platform Integrations

• Shopify: Accessing your store data through official APIs with your explicit permission
• Instagram Business API: Publishing content and retrieving analytics with your authorization
• Meta Business: For Instagram Business account verification and content publishing

4.3 Legal and Safety Requirements

• Legal Compliance: When required by law, court order, or government request
• Safety Protection: To protect the rights, property, or safety of our users or the public
• Terms Enforcement: To investigate violations of our Terms of Service
• Fraud Prevention: To detect, prevent, or address fraud and security issues

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.

4.5 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you personally for:

• Industry research and analysis
• Marketing and promotional purposes
• Product development and improvement
• Academic research (with appropriate safeguards)

5. Data Security

We implement comprehensive security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

5.1 Technical Safeguards

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Secure Infrastructure: Cloud hosting with enterprise-grade security (SOC 2 Type II compliant)
• Access Controls: Multi-factor authentication, role-based access, principle of least privilege
• Network Security: Firewalls, intrusion detection systems, DDoS protection
• Regular Updates: Automated security patches and vulnerability management

5.2 Operational Safeguards

• Security Audits: Regular third-party security assessments and penetration testing
• Employee Training: Comprehensive security awareness training for all staff
• Incident Response: 24/7 monitoring and rapid incident response procedures
• Data Backup: Regular encrypted backups with disaster recovery procedures

5.3 Compliance and Certifications

• GDPR Compliance: Full compliance with EU General Data Protection Regulation
• CCPA Compliance: California Consumer Privacy Act compliance
• SOC 2 Type II: Annual compliance audits for security controls
• ISO 27001: Information security management system certification

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

6.1 Retention Periods

Account and Profile Data:

• Active Accounts: Retained while your account is active
• Inactive Accounts: Deleted after 3 years of inactivity (with prior notice)
• Deleted Accounts: Permanently deleted within 30 days of deletion request

Content and Usage Data:

• Generated Content: Retained for 2 years or until account deletion
• Analytics Data: Aggregated data retained for 3 years, personal identifiers removed after 1 year
• Log Files: Retained for 1 year for security and troubleshooting purposes

Legal and Compliance Data:

• Financial Records: Retained for 7 years as required by law
• Legal Disputes: Retained until resolution plus applicable statute of limitations
• Compliance Records: Retained as required by applicable regulations

6.2 Data Deletion Process

When data reaches the end of its retention period or when you request deletion:

• Secure Deletion: Data is securely overwritten using industry-standard methods
• Backup Removal: Data is removed from all backup systems within 90 days
• Third-Party Notification: We instruct service providers to delete your data
• Verification: Deletion is verified and documented for compliance purposes

7. Your Rights and Choices

We believe you should have control over your personal information. You have the following rights:

7.1 Access and Transparency Rights

• Right to Access: Request a copy of all personal information we hold about you
• Right to Information: Understand how your data is collected, used, and shared
• Data Portability: Receive your data in a structured, machine-readable format
• Processing Activities: Learn about all processing activities involving your data

7.2 Control and Correction Rights

• Right to Rectification: Correct inaccurate or incomplete personal information
• Right to Update: Modify your account information and preferences at any time
• Right to Restrict: Limit how we process your personal information
• Right to Object: Object to processing based on legitimate interests

7.3 Deletion and Withdrawal Rights

• Right to Erasure: Request deletion of your personal information ("Right to be Forgotten")
• Account Deletion: Permanently delete your account and associated data
• Consent Withdrawal: Withdraw consent for specific processing activities
• Marketing Opt-out: Unsubscribe from marketing communications

7.4 How to Exercise Your Rights

Self-Service Options:

• Account Settings: Update profile information, privacy preferences, and communication settings
• Data Export: Download your data directly from your account dashboard
• Privacy Controls: Manage cookie preferences and tracking settings

Contact Methods:

• Privacy Request Form: Submit requests through our dedicated privacy portal
• Email: Send requests to privacy@contentoai.com
• Support Ticket: Create a support ticket marked "Privacy Request"

7.5 Response Timeline

• Acknowledgment: We acknowledge receipt within 48 hours
• Simple Requests: Completed within 30 days (GDPR) or 45 days (CCPA)
• Complex Requests: May require up to 90 days with explanation
• Verification: Identity verification may be required for security

7.6 Complaints and Appeals

If you're not satisfied with our response to your privacy request:

• Internal Appeal: Contact our Data Protection Officer
• Regulatory Complaint: File a complaint with your local data protection authority
• EU Users: Contact your national supervisory authority
• US Users: Contact relevant state attorney general's office

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and provide our services:

8.1 Types of Cookies We Use

Essential Cookies (Always Active):

• Authentication: Keep you logged in and secure your session
• Security: Protect against cross-site request forgery and other attacks
• Functionality: Remember your preferences and settings
• Load Balancing: Ensure optimal performance and availability

Analytics Cookies (Optional):

• Usage Analytics: Google Analytics to understand how you use our Service
• Performance Monitoring: Track application performance and errors
• A/B Testing: Test new features and improvements
• Heatmaps: Understand user interaction patterns

Marketing Cookies (Optional):

• Advertising: Show relevant ads on third-party websites
• Retargeting: Display personalized content based on your interests
• Social Media: Enable sharing and social media integration
• Conversion Tracking: Measure the effectiveness of our marketing campaigns

8.2 Cookie Management

You can control cookies through:

• Cookie Banner: Manage preferences when you first visit our site
• Privacy Settings: Update cookie preferences in your account settings
• Browser Settings: Configure cookie settings in your web browser
• Opt-out Tools: Use industry opt-out tools for advertising cookies

8.3 Third-Party Tracking

We work with the following third-party services that may use tracking technologies:

• Google Analytics: Website analytics and user behavior tracking
• Facebook Pixel: Advertising and conversion tracking
• Hotjar: User experience analytics and feedback
• Intercom: Customer support and messaging

9. Third-Party Services

Our Service integrates with various third-party platforms and services. Here's how we handle data in these integrations:

9.1 Platform Integrations

Shopify Partnership:

• Data Access: We access only the data necessary for our Service through official Shopify APIs
• Permissions: You explicitly grant permissions during the installation process
• Data Use: Shopify data is used solely for generating Instagram content
• Data Sharing: We do not share your Shopify data with other third parties

Instagram Business API:

• Publishing Rights: We publish content only with your explicit authorization
• Analytics Access: We retrieve performance data to improve content recommendations
• Content Ownership: You retain full ownership of all published content
• Account Control: You can revoke access at any time through Instagram settings

9.2 AI and Machine Learning Services

• OpenAI GPT: Content generation (data is not used to train their models)
• Google Cloud AI: Image processing and analysis
• AWS Machine Learning: Recommendation algorithms and personalization

9.3 Infrastructure and Support Services

• Cloud Hosting: AWS, Google Cloud for secure data storage and processing
• CDN Services: CloudFlare for fast and secure content delivery
• Email Services: SendGrid for transactional and marketing emails
• Customer Support: Zendesk for support ticket management

10. International Data Transfers

As a global service, your personal information may be transferred to and processed in countries other than your own:

10.1 Transfer Locations

• Primary Processing: United States (where our main servers are located)
• Backup Storage: European Union (for EU user data)
• Support Services: Various countries where our service providers operate

10.2 Transfer Safeguards

For EU Users (GDPR):

• Adequacy Decisions: Transfers to countries with adequate protection levels
• Standard Contractual Clauses: EU-approved contracts for international transfers
• Binding Corporate Rules: Internal policies ensuring consistent protection
• Certification Programs: Privacy Shield successors and similar frameworks

For All Users:

• Encryption: All data is encrypted during transfer and storage
• Access Controls: Strict limitations on who can access transferred data
• Audit Requirements: Regular audits of international data handling
• Incident Response: Coordinated response procedures across all locations

10.3 Your Rights Regarding Transfers

• Information: Right to know where your data is processed
• Objection: Right to object to transfers in certain circumstances
• Safeguards: Right to information about transfer safeguards
• Complaints: Right to file complaints with supervisory authorities

11. Children's Privacy

Protecting children's privacy is important to us. Our Service is designed for business users and is not intended for children:

11.1 Age Restrictions

• Minimum Age: Our Service is not intended for anyone under 16 years of age
• Business Focus: Our Service is designed for business owners and marketers
• Account Requirements: Users must have legal capacity to enter into contracts

11.2 Data Collection from Minors

• No Intentional Collection: We do not knowingly collect personal information from children under 16
• Verification: We may request age verification during account creation
• Parental Rights: Parents can request deletion of their child's information

11.3 If We Learn of Child Data

If we become aware that we have collected personal information from a child under 16:

• Immediate Action: We will take steps to delete the information as quickly as possible
• Account Suspension: The account will be suspended pending verification
• Parental Contact: We will attempt to contact parents or guardians
• Data Deletion: All associated data will be permanently deleted

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

12.1 Categories of Personal Information

We collect the following categories of personal information:

• Identifiers: Name, email address, IP address, device identifiers
• Commercial Information: Purchase history, payment information
• Internet Activity: Browsing history, search history, interaction with our Service
• Geolocation Data: Approximate location based on IP address
• Professional Information: Business name, industry, job title

12.2 Your CCPA Rights

• Right to Know: Request information about personal information collected, used, or shared
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of the sale of personal information (we do not sell personal information)
• Right to Non-Discrimination: Not be discriminated against for exercising CCPA rights

12.3 How to Exercise CCPA Rights

• Online Form: Submit requests through our privacy portal
• Email: Send requests to privacy@contentoai.com
• Phone: Call our privacy hotline at 1-800-PRIVACY
• Authorized Agent: Designate an authorized agent to make requests on your behalf

13. GDPR Rights (EU Users)

If you are located in the European Union, you have additional rights under the General Data Protection Regulation (GDPR):

13.1 Legal Basis for Processing

• Contract: Processing necessary for contract performance
• Legitimate Interest: Processing for our legitimate business interests
• Consent: Processing based on your explicit consent
• Legal Obligation: Processing required by law

13.2 Enhanced Rights

• Right to Rectification: Correct inaccurate personal data
• Right to Erasure: "Right to be forgotten" in certain circumstances
• Right to Restrict Processing: Limit how we process your data
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to processing based on legitimate interests

13.3 Data Protection Officer

You can contact our Data Protection Officer:

• Email: dpo@contentoai.com
• Address: Data Protection Officer, Contento AI, [EU Office Address]

13.4 Supervisory Authority

You have the right to lodge a complaint with your local supervisory authority if you believe we have not complied with GDPR requirements.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors:

14.1 Notification of Changes

Material Changes:

• Email Notification: We will email all users about significant changes
• In-App Notice: Prominent notice within the application
• Website Banner: Notice on our website and privacy policy page
• 30-Day Notice: Material changes will be effective 30 days after notification

Minor Changes:

• Website Update: Updated policy posted on our website
• Version History: Previous versions available for comparison
• Change Log: Summary of changes provided

14.2 Your Options

When we make material changes:

• Review Period: You have 30 days to review changes before they take effect
• Opt-Out: You can opt-out of new practices that require consent
• Account Deletion: You can delete your account if you disagree with changes
• Data Export: Export your data before changes take effect

14.3 Version Control

• Effective Date: Each version includes an effective date
• Version Number: Sequential version numbering for tracking
• Archive: Previous versions archived and available upon request
• Change Summary: Summary of changes between versions