Privacy Policy
1. Introduction and Scope
AsterBeam Ads is a Shopify embedded app that helps merchants generate advertising creatives (images and videos) from their product data and optionally push them to Meta (Facebook/Instagram) business accounts. This Privacy Policy explains what personal data we process, how we use it, how long we retain it, and your rights.
Applicable law: This Privacy Policy complies with the EU General Data Protection Regulation (GDPR) and Spanish Data Protection Law (LOPDGDD/Organic Law 3/2018). As a data controller established in Rocafort, Spain, we are subject to these laws and the oversight of the Spanish Data Protection Authority (Autoridad de Protección de Datos, AEPD).
Users covered: This policy applies to Shopify merchants who install and use the App, as well as any authorized admin users in their store.
2. What Data We Process
Depending on how the merchant uses the App, we process the following categories of personal data:
2.1 Shopify Store & Admin Data
- Shopify shop domain and store identifier
- Shopify session/authentication tokens (managed by Shopify)
- Merchant shop configuration in the App: subscription tier, credit balance, billing cycle dates
- Admin user identifiers and email addresses (derived from Shopify session context)
2.2 Product Data
- Product IDs, titles, descriptions, images, and status
- Product pricing and metadata (optional fields)
- Last synchronized timestamp
- Product inventory and category information (if synced)
2.3 Generated Creative Assets & Metadata
- Creative set records (status, timestamp, analysis results, configuration)
- Creative asset URLs (generated images and videos)
- Asset metadata: format type (portrait, square, landscape, video), resolution, safe zone analysis
- Generation job details: stage (analyzing, generating, assembling), timestamps, error logs
2.4 Operational & Billing Records
- Credit transaction ledger: amounts, types (generation, regeneration, top-up, subscription reset), timestamps
- Subscription event records: tier changes, renewal dates, cancellations
- Job queue records: job type, status, payload, retry attempts, error messages
- Audit trail of operations (for support, debugging, and fraud prevention)
2.5 Meta Connection Data (if merchant connects Meta)
- Meta business account ID and ad account IDs (required to push creatives)
- Meta OAuth access token (encrypted at rest using AES-256-GCM)
- Token expiry and refresh information
- Record of successful/failed pushes to Meta campaigns
2.6 Technical & Security Data
- Request logs: timestamps, endpoints, IP addresses, user agent
- Error and diagnostic logs (for reliability and security)
- Rate-limit and abuse detection records
Important: The App only processes product and merchant/admin data. It does not access, store, or process Shopify customer data, customer orders, customer contact information, or end-customer personal data. All data processing is limited to what is necessary for the App to function.
3. Legal Basis for Processing
We process personal data under the following GDPR legal bases:
| Data Category | Legal Basis | Purpose |
|---|---|---|
| Shopify authentication, session tokens | Contract (GDPR Article 6(1)(b)) | Necessary to provide the App service |
| Product data, creative records | Contract (GDPR Article 6(1)(b)) | Necessary to perform creative generation and management |
| Billing, credits, transactions | Contract (GDPR Article 6(1)(b)) | Necessary to manage subscriptions, billing, and credit tracking |
| Job queue, audit logs | Legitimate Interest (GDPR Article 6(1)(f)) | Fraud prevention, security, service reliability, support |
| Meta connection data, tokens | Contract (GDPR Article 6(1)(b)) + Legitimate Interest | Necessary to fulfill merchant's request to integrate with Meta |
| Technical logs, diagnostics | Legitimate Interest (GDPR Article 6(1)(f)) | Service optimization, security monitoring, incident response |
4. How We Use Your Data
4.1 Core App Functionality
- Authentication & Authorization: Verify merchant identity and grant access to the App within Shopify Admin
- Creative Generation: Analyze product images, generate advertising creatives using AI models, and store results for download, editing, and reuse
- Asset Management: Track creative sets, manage versions, and maintain generation history
- Credit & Billing System: Calculate credit usage, manage subscription tiers (Free, Starter, Growth, Agency), reset/top-up credits, and record all transactions
4.2 Meta Integration (if connected)
- Account Connection: Store encrypted Meta access tokens securely to enable merchant-authorized actions
- Creative Push: Send generated creative assets to Meta ad accounts/campaigns as directed by the merchant
- Account Listing: Retrieve and display the merchant's Meta ad accounts and campaigns in the App UI (read-only)
4.3 Support & Operations
- Customer Support: Use operational records, audit logs, and error messages to investigate issues, provide support, and improve reliability
- Fraud Prevention & Security: Monitor for abuse patterns, enforce rate limits, and maintain security logs
- Service Improvement: Analyze non-personal operational metrics to optimize performance and identify bugs
4.4 Legal & Compliance
- Audit Trail: Maintain records to meet contractual obligations and resolve disputes
- Data Subject Rights: Process and respond to deletion, access, and other GDPR requests
5. Data Sharing & Subprocessors
We do not sell or rent personal data. We share data only with trusted vendors and only to the extent necessary:
5.1 Shopify
Role: Platform provider
Data shared: Shop domain, product IDs (to fetch additional product data via Shopify APIs)
Legal basis: Contract; Shopify is a data processor under our controller relationship
Standard: Shopify processes data under its own privacy terms and EU-US Data Privacy Framework arrangements
5.2 Meta (when merchant enables integration)
Role: Advertising platform
Data shared: Generated creative assets (image/video URLs), creative metadata, ad account/campaign identifiers, merchant-directed push configurations
Legal basis: Contract (merchant's explicit authorization to push to Meta)
Standard: Meta's own privacy policy and terms apply; merchants can revoke access in Meta Business Settings at any time
5.3 AI & Image Processing Providers
Role: Subprocessors for creative generation
Vendors: Replicate (models for analysis and generation), FFmpeg (assembling step)
Data shared: Product images, product metadata, generation job payloads
Legal basis: Contract (necessary to deliver creative generation functionality)
Standard: We maintain Data Processing Agreements with subprocessors; international transfers use EU-approved mechanisms (Standard Contractual Clauses)
5.4 Infrastructure Providers
Role: Hosting, database, job queue services
Vendors: PostgreSQL database, Redis job queue, server hosting infrastructure
Data shared: All operational data (configuration, creatives, audit logs, billing records)
Legal basis: Contract
Standard: Infrastructure providers are bound by data processing agreements and GDPR compliance requirements
5.5 Billing & Subscription Management
Role: Managing app subscriptions and billing charges
Provider: Shopify (via the Shopify Billing API)
Data Handling: All billing is processed directly by Shopify as part of your existing store invoice. We do not collect, process, or have access to your credit card, bank account, or payment details. Our system only receives confirmation of your active subscription status.
Legal Basis: Performance of Contract (Provision of Service)
More Info: Please refer to Shopify's Terms of Service and Privacy Policy.
6. Data Retention
We retain data only as long as necessary to fulfill the purposes described above:
| Data Category | Retention Period | Reason |
|---|---|---|
| Active creative sets & assets | Until merchant uninstalls App or requests deletion | Core product functionality |
| Credit transaction ledger | 5 years | Tax/accounting requirements (Spanish law) |
| Job queue & operational logs | 90 days | Debugging, support, performance monitoring |
| Subscription event records | Duration of subscription + 3 years | Billing disputes, audit trail |
| Meta access tokens | Until revoked by merchant | Required for Meta integration to function |
| Error/diagnostic logs | 30 days | Security and reliability |
| Support/audit records related to disputes | 3 years after dispute resolution | Legal compliance and contractual obligations |
Automatic cleanup: Logs older than their retention period are automatically deleted. Merchants can request early deletion at any time.
7. Your Rights & How to Exercise Them
Under GDPR and Spanish law, you have the following rights:
7.1 Right of Access (Article 15, GDPR)
You may request a copy of all personal data we hold about you and your shop. We will provide this within 30 calendar days.
7.2 Right to Rectification (Article 16, GDPR)
If your data is inaccurate or incomplete, you may request correction.
7.3 Right to Erasure / "Right to Be Forgotten" (Article 17, GDPR)
You may request deletion of your data, except where we are obliged to retain it for legal or tax purposes (e.g., transaction records for 5 years under Spanish accounting law).
7.4 Right to Restrict Processing (Article 18, GDPR)
You may request that we limit how we use your data while a request or dispute is pending.
7.5 Right to Data Portability (Article 20, GDPR)
You may request a copy of your data in a structured, commonly used format (e.g., CSV) to transfer it to another service.
7.6 Right to Object (Article 21, GDPR)
You may object to processing based on legitimate interest. However, objecting may prevent the App from functioning.
7.7 Right to Lodge a Complaint
You have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) if you believe we have violated your rights:
AEPD Contact:
Autoridad de Protección de Datos Españoles (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: https://www.aepd.es
Phone: +34 91 266 35 17
8. How to Request Data Deletion or Exercise Your Rights
To submit a data deletion request or exercise any of your GDPR rights:
8.1 Email Method
Send an email to [email protected] with:
- Subject line: "Data Deletion Request" or "GDPR Rights Request"
- Your full name and Shopify shop domain
- A clear description of your request (deletion, access, correction, portability, etc.)
- Your preferred response method
8.2 In-App Method (Coming Soon)
We are implementing an in-app data deletion request form in the App dashboard for faster processing.
8.3 Response Timeline
- Initial acknowledgment: Within 5 business days
- Full response: Within 30 calendar days (may be extended by 60 days for complex requests, as permitted under GDPR Article 12)
8.4 What Happens When You Request Deletion
Upon receiving a valid deletion request:
- We immediately stop processing new data from your shop
- Generated creatives and creative assets are deleted from our systems
- Access tokens (Meta, Shopify) are revoked
- Operational logs and diagnostic records are flagged for deletion
- Billing/transaction records are retained only as required by Spanish tax law (5 years)
- You receive a confirmation email summarizing what was deleted and what was retained
Note: If you uninstall the App from Shopify, this also stops data collection and initiates a similar deletion process.
9. Data Security & Encryption
We implement appropriate technical and organizational measures to protect personal data:
- Encryption in transit: All communication uses TLS 1.2+
- Encryption at rest: Meta access tokens and sensitive credentials use AES-256-GCM encryption
- Database security: Access is restricted to authenticated services; backups are encrypted
- Infrastructure: Hosted on secure, monitored infrastructure with regular security updates
- Access controls: Only authorized personnel can access production data, and access is logged
- Incident response: We have a data breach notification procedure (see Section 10)
We conduct regular security reviews and maintain audit logs of all data access.
10. Data Breach Notification
If a security incident results in unauthorized access to personal data, we will:
- Investigate the breach within 24 hours to assess scope and impact
- Notify affected merchants by email within 72 hours (as required by GDPR Article 33)
- Notify the AEPD if the breach poses a risk to your rights and freedoms
- Document the breach and retain records for future reference
- Implement corrective measures to prevent recurrence
11. International Data Transfers
Some of our subprocessors are located outside the EU (e.g., AI model providers in the USA). For these transfers, we rely on:
- EU-US Data Privacy Framework (DPF): Where available (e.g., select cloud providers)
- Standard Contractual Clauses (SCCs): EU-approved contract terms for processors outside the EU
- Supplementary measures: Additional safeguards to ensure adequate protection
All international transfers are documented and comply with GDPR Chapter 5 requirements.
12. Children's Data
The App is not intended for or marketed to individuals under 18 years of age. If we become aware that a user is a minor, we will remove their data or obtain parental consent. Shopify merchants are expected to be business account holders (18+).
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or other factors. We will:
- Post the updated policy on our website with a new "Effective date"
- Notify merchants of material changes via email or in-app notification
- Obtain explicit consent if required by law
Your continued use of the App after changes indicates acceptance of the updated policy.
14. Contact & Complaints
For questions, concerns, or to exercise your rights:
Data Controller:
[Your Full Legal Name]
Autónomo/a
Madrid, Spain
Email: [email protected]
Privacy Policy URL: https://asterbeam.arcpulselabs.com/privacy-policy
Data Deletion Instructions URL: https://asterbeam.arcpulselabs.com/data-deletion
Complaints: If you believe we have violated your GDPR rights, you may lodge a complaint with:
- Spanish Data Protection Authority (AEPD): https://www.aepd.es
- Your national authority (if you are in a different EU member state)
15. Appendix: Data Processing Agreement Summary
As a Shopify app, we act as a data processor for certain merchant data (product information, creative sets) and a joint controller for configuration and billing data. Under GDPR Article 28, any processing relationship should be governed by appropriate data processing terms.
For merchants requiring a formal Data Processing Agreement (DPA) or further clarification on our controller/processor role:
- Please email [email protected] with subject "DPA Request"
- We will provide a standard DPA or clarify our role within 10 business days
Document version: 1.0
Last updated: January 22, 2026
Jurisdiction: Spain (EU GDPR & LOPDGDD)