Privacy policy

This policy explains what data Atlios collects, why we collect it, who processes it on our behalf, and the choices you have. We try to keep the language plain. Where legal terms are unavoidable, we say what they mean.

Last updated: 28 May 2026

Who we are. Atlios is operated by SDFP Software Solutions ("Atlios", "we", "us"), an AI catalog operations product for Shopify merchants and agencies. Our business address and contact details are at the end of this policy.

1. What we collect

We collect only what we need to run the service:
  • Account data: your name, email address, password (hashed), and team or store role.
  • Shopify catalog data: products, variants, metafields, images, collections, and inventory levels we read from your Shopify store after you connect it. We do not request customer data, orders, or storefront analytics.
  • Google Merchant Center data: when you connect Google Merchant Center, we read your product feeds and attributes and the diagnostic and policy issues Google reports for them, through Google APIs. See section 6 for how we handle this Google user data.
  • Usage data: pages viewed, features used, scan and fix activity, timestamps, browser type, device type, and IP address (used for security, rate limiting, and product analytics).
  • Payment data: handled by Stripe. Card numbers never touch our servers. We retain billing metadata (plan, amount, invoice references) needed for accounting.
  • Support data: messages and attachments you send when contacting us.
  • Cookies: a session cookie for authentication and preference cookies for your saved settings. Analytics is collected by our hosting provider in aggregate.

2. Why we collect it

  • Provide the service: scan your catalog, surface issues, generate draft fixes, and publish what you approve.
  • Operate billing: charge paid plans, apply credits, prevent fraud.
  • Improve the product: understand what works, fix what breaks, prioritize roadmap.
  • Communicate: transactional emails (scan reports, billing receipts, security notices) and, only with your opt-in, product updates.
  • Protect the service and our users: detect abuse, enforce limits, comply with law.

3. Legal bases (EU, UK, and similar regimes)

Where applicable data-protection law requires a legal basis, we rely on: performance of our contract with you (running the service and billing), legitimate interest (product improvement, security, and analytics that do not override your rights), legal obligation (tax, accounting), and consent (where we ask explicitly, such as marketing email).

4. AI processing

Generative tasks (image edits, copy suggestions, alt text drafts) are processed via third-party model providers including Google Gemini, OpenAI, and Anthropic. Prompts include only the product fields needed for the task. We instruct providers via API settings not to use your data to train their shared models. Providers may retain prompts for short abuse-detection windows as described in their own terms. Atlios never sells your catalog or trains its own public models on it.

5. Sub-processors

We rely on the following sub-processors to deliver the service. Each is bound by data-processing terms with us:
  • Vercel, Inc. (hosting, edge analytics, performance monitoring)
  • Google Cloud (cloud infrastructure)
  • Neon (Postgres database)
  • Trigger.dev (background job processing)
  • Stripe, Inc. (payment processing)
  • Loops, Resend, and Postmark (transactional and product email)
  • Google Gemini, OpenAI, and Anthropic (AI model APIs for generative tasks)
We update this list when a sub-processor changes. Material additions will be announced in-product at least 14 days before they take effect.

6. Google user data

When you connect Google Merchant Center, Atlios accesses data from your Google account through Google APIs: your Merchant Center product feeds and attributes, and the diagnostic and policy issues Google reports for them. We use this data only to run checks, surface issues, and generate the draft fixes you ask for.

Who we share, transfer, or disclose it to. We share Google user data only with the sub-processors listed in section 5 that are needed to provide these features: Vercel and Google Cloud (hosting and infrastructure), Neon (database), and Trigger.dev (background processing). When you run a generative task on a Merchant Center field, the specific fields needed are sent to the AI model providers named in section 4 (Google Gemini, OpenAI, and Anthropic). We do not transfer or disclose Google user data to anyone else, except: to you and other members of your team or store account; where you direct us to; where required by law or to a regulator; or as part of a merger, acquisition, or sale of assets, in which case we will notify you first.

Atlios's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, do not use it for advertising, and do not use it to train AI models.

7. Where data is stored

Production data is processed in cloud regions operated by our hosting and database providers, primarily in the European Union and the United States. Where data is transferred outside your country of residence, we rely on standard contractual clauses or equivalent safeguards.

8. Retention

  • Account data: retained while your account is active and for up to 90 days after deletion to recover from accidental deletion.
  • Shopify catalog snapshots: retained while you keep your store connected so health trends remain meaningful. Removed within 30 days of disconnection.
  • Usage data: retained in identifiable form for 12 months, then aggregated and anonymized.
  • Billing records: retained for the period required by tax and accounting law (typically 5 to 7 years).
  • Support data: retained for 24 months after the conversation closes.

9. Your rights

Depending on where you live, you may have the right to access your personal data, correct it, delete it, restrict or object to certain processing, port it to another provider, and withdraw consent. You can exercise these by emailing the address at the bottom of this policy. We will respond within the time required by applicable law and never longer than 30 days.
  • EU / UK (GDPR): rights above, plus the right to lodge a complaint with your supervisory authority.
  • California (CCPA / CPRA): right to know, delete, correct, and opt out of sale. We do not sell personal information.
  • United Arab Emirates (Federal Decree-Law No. 45 of 2021 on Personal Data Protection): rights above, exercised via the contact below.

10. Security

We use encryption in transit (TLS) and at rest, role-based access controls, audit logging, isolated production credentials, and regular dependency review. No system is perfectly secure. If we detect a breach affecting your data, we will notify you and the relevant authorities within the timeframes required by law.

11. Children

Atlios is a business product. We do not knowingly collect data from anyone under 18. If you believe a minor has used the service, contact us and we will remove the data.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email and in-product at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

13. Contact

For privacy questions, data requests, or complaints:
  • Email: privacy@atlios.io
  • Postal: SDFP Software Solutions, Dubai, United Arab Emirates