Privacy Policy
Last updated: 2026-05-31
⚠️ Placeholder content. Replace with Termly-generated text or lawyer-reviewed prose before public launch. See file comment.
Who we are
Aftercosts ("we", "us") is operated by [COMPANY_NAME], registered at [COMPANY_ADDRESS]. For privacy questions, email [DPO_EMAIL].
What we collect
- Account data: email, password hash (via Supabase Auth).
- Shop data: orders, customers, products, refunds, ad spend pulled from your connected Shopify, Meta, TikTok, Google Ads, and Klaviyo accounts. We only pull what we display.
- Customer PII from your shop: email addresses appear in cohort / LTV analysis. You are the data controller for your customers; we are a data processor on your behalf (see DPA below).
- Billing data: handled by Stripe. We store only the Stripe customer ID and subscription status — no card numbers.
- Cookies: session cookie (Supabase Auth) + a non-tracking preference cookie (selected_store_id). No analytics, no advertising cookies.
Why we collect it
Solely to provide the dashboard you signed up for. We do not sell, share, or train AI on your data. Legal basis: contract (GDPR Art. 6(1)(b)).
Subprocessors
We rely on these processors to provide the service:
Data residency
Production data is stored in the EU (Supabase EU region). Vercel may serve assets globally via CDN but application data and database queries terminate in the EU.
Retention
Account-tied data is kept until you delete your account or 12 months after your subscription cancels, whichever comes first. Stripe retains payment records for 7 years per their financial-records policy (outside our control).
Your rights
- Export all your data: Account → Export
- Delete your account: Account → Delete
- Correct any field via the dashboard, or email [DPO_EMAIL] for help.
- File a complaint with your local data-protection authority.
Security
Third-party access tokens (Shopify, Meta, TikTok, Google, Klaviyo) are encrypted at rest with AES-256-GCM. Database access is RLS-isolated per user. Application traffic is TLS-only with HSTS. All staff access is through SSO + MFA.
Contact
For any privacy request: [DPO_EMAIL]. We'll respond within 30 days.