Privacy Policy

Last updated: 17 May 2026

This policy explains what data Supaforce collects when a merchant installs and uses the Supaforce app, how that data is processed, who it is shared with, and the rights merchants and their customers have over that data. It applies to the Supaforce website, the Shopify app, the Slack app, and the underlying agent platform.

1. Who we are

Supaforce ("Supaforce", "we", "us") is the data controller for personal data we collect about merchants who sign up for the service. When Supaforce processes data on behalf of a merchant — for example, the merchant's own customer data received through Shopify webhooks — we act as a processor, and the merchant is the controller.

For data protection enquiries, contact privacy@supaforce.app.

2. What data we collect

Account data. Email address, name, Slack workspace identifier, and authentication tokens you provide when signing up.

Brand and configuration data. Information you provide during onboarding — brand voice, target audience, sales playbooks, agent settings, content briefs.

Connected store data. When you connect your Shopify store, we receive products, collections, blog posts, themes, redirects, orders, customers, and webhook events through the Shopify Admin API and webhook subscriptions. We only request the scopes needed for the features you use.

Third-party integration data. When you connect Google Analytics, Google Ads, Meta Ads, TikTok Ads, Pinterest Ads, Instagram, Twitter/X, LinkedIn, or any other supported tool, we receive the data those providers return for the OAuth scopes you grant — for example, traffic reports, conversion events, campaign metrics, or post engagement.

Generated content and operational logs. Articles, ad creatives, prospect lists, sequences, agent conversation history, and timestamped logs of what each agent did on your behalf.

Billing data. Subscription status, plan, and payment method tokens are handled by Stripe; Supaforce stores only the Stripe customer and subscription identifiers.

End-customer data via the Web Pixel. If you enable Supaforce's attribution Web Pixel, we receive pseudonymous session, click, and order events from your storefront, which we attribute to the content and channel that drove them. This data belongs to you.

3. How we use this data

We use the data above to:

  • Operate the agents you have purchased — researching keywords, writing content, publishing to your store, running campaigns, sending outbound emails on your behalf.
  • Improve our prompts, agents, and recipes by analysing how outputs perform in your store. Where this involves your data, we use it only in your workspace — we do not train shared models on your private content.
  • Operate the service — authentication, billing, error monitoring, abuse prevention, and customer support.
  • Send transactional messages (account, billing, security) and, where you have opted in, product updates.

We do not sell your data and we do not use it for cross-customer profiling.

5. Sub-processors

Supaforce relies on the following sub-processors to deliver the service. We have data processing terms with each of them and only share the data needed for the function listed.

  • Anthropic — AI reasoning for agent outputs.
  • OpenAI — supplementary AI models for specific tasks (image and embedding generation).
  • Supabase — managed database and authentication.
  • Stripe — subscription billing and payments.
  • Resend — transactional email delivery.
  • Replicate — AI image generation.
  • Canva — template-based graphic generation when enabled.
  • Slack — the primary interface between you and your agents.
  • Shopify — when you connect a store, data flows through Shopify APIs and webhooks under Shopify's privacy terms.
  • Google, Meta, TikTok, Pinterest, LinkedIn — only when you connect the relevant ads or analytics account.

An up-to-date list is available on request via privacy@supaforce.app.

6. Data retention

We retain account, brand, content, and operational data for as long as your subscription is active. If you cancel or your account is deleted, we delete or anonymise:

  • Brand profiles, agent settings, and generated content within 30 days.
  • Connected integration credentials immediately on disconnect or account closure.
  • Operational logs within 90 days, except where retention is required for fraud prevention, tax, or legal reasons.

Billing records are retained for the period required by tax law in the United Kingdom.

7. Shopify customer data requests

Supaforce complies with Shopify's mandatory privacy webhooks:

  • customers/data_request — when a store owner asks for a customer's data, we forward any data held about that customer to the merchant within 30 days.
  • customers/redact — when a store owner asks us to delete a customer's data, we delete or anonymise it within 30 days, except where retention is required by law.
  • shop/redact — 48 hours after a merchant uninstalls Supaforce, Shopify sends this webhook and we erase the merchant's shop and customer data from our systems within 30 days.

If you are a customer of a Supaforce merchant and want to exercise your rights, please contact the merchant directly; we will support them in fulfilling your request.

8. Your rights

Subject to applicable law (UK GDPR, EU GDPR, CCPA), you have the right to:

  • Access the personal data we hold about you.
  • Ask us to correct inaccurate data.
  • Ask us to delete data (subject to legal exceptions).
  • Restrict or object to certain processing.
  • Receive a copy of your data in a portable format.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your supervisory authority (in the UK, the ICO).

To exercise any of these rights, email privacy@supaforce.app. We respond within 30 days.

9. Security

We protect data with industry-standard controls: encryption in transit (TLS 1.2+) and at rest, role-based access controls, audit logging, regular dependency and infrastructure patching, and time-bound credentials for third-party integrations. Sensitive credentials are encrypted at the application layer before being stored.

No system is perfectly secure. If we ever become aware of a personal data breach, we will notify affected merchants and, where required, supervisory authorities within 72 hours.

10. International data transfers

Supaforce is based in the United Kingdom. Some of our sub-processors store or process data in the United States and other regions. Where data leaves the UK or EEA, we rely on the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an applicable adequacy decision.

11. Cookies

Our website and dashboard use only essential cookies for authentication and session management. We do not use third-party advertising or cross-site tracking cookies. If we ever add analytics cookies, we will request consent first.

12. Changes to this policy

We may update this policy as the service evolves or the law changes. When we make material changes, we will notify active merchants by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the current version.

13. Contact

For any privacy or data protection question, email privacy@supaforce.app.