Privacy Policy
Effective date: May 23, 2026
Last updated: May 27, 2026
This Privacy Policy explains how DUMA DIGITAL SOLUTIONS S.R.L. ("AI Commerce Audit", "we", "us"), a Romanian limited liability company (societate cu răspundere limitată) with VAT ID RO51430401, collects, uses, shares, and protects personal data when you interact with aicommerceaudit.com and the AI Commerce Audit service (the "Service").
We are the data controller for personal data described in this Policy and are established in the European Union (Romania).
- Postal address: Strada Verzișori nr. 6, ap. Boxa 118, Sector 4, 030167 București, Romania
- General contact: hi@aicommerceaudit.com
- Privacy contact: privacy@aicommerceaudit.com
- Data protection contact: Vlad Duma, vlad@aicommerceaudit.com
- Lead supervisory authority: Romania — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), dataprotection.ro
1. Summary (the short version)
- We collect: the email and profile data you sign in with, the URLs you submit, public crawl results derived from those URLs, basic billing identifiers from Stripe (never card numbers), and minimal product analytics.
- We do not sell personal data, ever.
- We use a small set of named subprocessors (Section 6).
- You can export and delete your account and data; details in Section 9.
- Crawled content from third-party stores is treated as factual public data for diagnostic purposes; see Section 7.
2. Personal Data We Collect
2.1 Data you provide
| Category | Examples | Source |
|---|---|---|
| Identity & account | Email, display name, profile image | Google OAuth sign-in |
| Audit submissions | URLs you submit for audit, optional notes | You |
| Billing identifiers | Stripe customer ID, subscription status, billing country, and limited card metadata if Stripe provides it | Stripe (we don't see full card data) |
| Support correspondence | Email content you send us | You |
2.2 Data collected automatically
| Category | Examples | Source |
|---|---|---|
| Request metadata | Timestamps, request paths, response codes, approximate region (derived from IP, not stored raw) | Service logs |
| Web analytics | Pages viewed, audit completions, coarse region/device | Google Analytics 4 (consent-gated in the EU) + self-hosted Umami (cookieless) |
We do not persist raw IP addresses in our application database. We use IPs transiently for SSRF protection, abuse prevention, rate-limiting, and to derive coarse geolocation. Logs at our hosting provider may retain IPs for the durations described in Section 8.
2.3 Cookies and similar technologies
- Strictly necessary cookies: session and authentication tokens, CSRF protection, Cloudflare Turnstile anti-abuse. These do not require consent under GDPR Art. 5(3) / ePrivacy Directive.
- Analytics cookies — Google Analytics 4: GA4 sets cookies to measure aggregate site usage. For visitors we detect as being in the EU/EEA (and UK), GA4 is off by default and loads only after you accept via our cookie banner. Outside those regions GA4 loads by default.
- Cookieless analytics — Umami: we self-host Umami with Do-Not-Track honored; it stores no cookies and no device identifiers, so it runs for all visitors and needs no consent.
You can configure your browser to refuse cookies; the Service will still function but some features (sign-in, audit submission) require strictly-necessary cookies. EU visitors can change their analytics choice at any time via the cookie settings link in the footer.
3. How We Use Personal Data
We process personal data for the following purposes:
| Purpose | Data categories | Lawful basis (GDPR) |
|---|---|---|
| Provide the Service (run audits, render dashboards, deliver Badge) | Identity, audit submissions, request metadata | Contract — Art. 6(1)(b) |
| Process payments and prevent fraud | Billing identifiers | Contract + Legal obligation — Art. 6(1)(b)/(c) |
| Send transactional emails (audit completion, billing receipts, security notices) | Identity, billing identifiers | Contract — Art. 6(1)(b) |
| Send product or marketing emails | Identity, product analytics | Consent — Art. 6(1)(a); opt-out anytime |
| Operate anti-abuse measures (rate limiting, bot detection, SSRF protection) | Request metadata, rate-limit counters | Legitimate interest — Art. 6(1)(f); protecting the Service |
| Detect and fix bugs | Error telemetry | Legitimate interest — Art. 6(1)(f) |
| Improve the Service via aggregated analytics | De-identified product analytics, aggregated audit statistics | Legitimate interest — Art. 6(1)(f); we balance against your interests |
| Comply with legal obligations (tax, court orders, GDPR requests) | As required | Legal obligation — Art. 6(1)(c) |
| Establish, exercise, or defend legal claims | As required | Legitimate interest — Art. 6(1)(f) |
If we ever rely on a lawful basis not listed above, we will update this Policy.
4. Automated Decision-Making
The Service performs automated scoring of websites. This scoring is applied to websites (Audit Subjects), not to natural persons. The scores are not used to make decisions that produce legal or similarly significant effects on individuals.
We do not engage in automated decision-making within the meaning of GDPR Art. 22 with respect to the natural persons who use the Service.
5. How We Share Personal Data
We share personal data only in these cases:
- Subprocessors that operate parts of the Service on our behalf (Section 6). They process personal data only under our instructions and under contractual data-processing obligations.
- Professional advisors (lawyers, accountants, auditors) bound by confidentiality.
- Legal & safety: to comply with law, valid legal process, or to protect the rights, property, or safety of AI Commerce Audit, our users, or others.
- Business transfers: if we are involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred subject to standard confidentiality terms; we will notify you of any change in controller.
- With your consent, for any other purpose disclosed at the time of consent.
We do not sell personal data, do not "share" personal data for cross-context behavioral advertising as defined under the CCPA/CPRA, and do not provide personal data to advertising networks or data brokers.
6. Subprocessors
We rely on the following subprocessors. The list is maintained at aicommerceaudit.com/legal/subprocessors and updated on 30 days' notice for new additions where you have a Paid Plan with a DPA.
| Subprocessor | Purpose | Data categories | Location |
|---|---|---|---|
| Supabase, Inc. | Postgres database and authentication | Account data, audit metadata, scores, findings | USA / EU (region selected) |
| Vercel Inc. | Web hosting, edge runtime, build pipeline | All request traffic | USA + global edge |
| Stripe, Inc. | Payment processing, subscription billing | Billing identifiers, payment card data (we receive only token + last 4) | USA / global |
| Cloudflare, Inc. | Turnstile anti-abuse, CDN | IP, browser fingerprint signals (transient) | Global edge |
| Resend, Inc. | Transactional email delivery | Recipient email, subject, body of transactional emails | USA |
| Google LLC | OAuth sign-in + Google Analytics 4 web analytics (EU: consent-gated) | Email, name, avatar, OAuth tokens; GA cookie ID, page views, coarse region/device | USA / global |
We also run Umami analytics on our own infrastructure (analytics.aicommerceaudit.com). Because it is self-hosted and cookieless, no analytics data is shared with a third-party analytics vendor through Umami.
Where a subprocessor is located outside your country of residence, transfers are governed by appropriate safeguards (Section 7).
7. International Data Transfers
We are established in Romania (EU). Several of our subprocessors are located in the USA. Because we are an EU controller, transfers of personal data to these US-based subprocessors are cross-border transfers subject to Chapter V of the GDPR.
For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on:
- EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914/EU), including module-appropriate clauses (controller-to-processor or processor-to-processor as relevant); and
- UK International Data Transfer Addendum (IDTA) or the UK Addendum to the SCCs, as applicable; and
- Swiss FDPIC recognition of the SCCs where relevant.
Where a subprocessor participates in the EU-US Data Privacy Framework, UK Extension, or Swiss-US Data Privacy Framework, we may additionally rely on that framework.
You may request a copy of the safeguards in place by emailing privacy@aicommerceaudit.com (with proprietary commercial terms redacted).
8. Audit Subject Data — Special Notice
The Service crawls publicly accessible URLs of third-party stores ("Audit Subjects") that may or may not be operated by the user submitting them. This crawling and the data we collect from it are described in detail in our Bot Policy.
What we process from an Audit Subject:
- Bytes returned by HTTP GET requests to a small number of public endpoints (homepage, /robots.txt, /sitemap.xml, /llms.txt, /.well-known/ucp, platform feed endpoints, and up to 20 product detail pages). These raw response bodies are used to compute the audit and are not currently retained as long-term raw snapshots.
- HTTP response headers and status codes.
- Derived structured data (JSON-LD, OpenGraph, Microdata) extracted from those pages.
What we do not collect:
- Authenticated content. We never sign in, never submit forms, never authenticate.
- Content blocked by robots.txt for our user agent.
- JavaScript-rendered content (we don't currently render JavaScript; any future rendered probes will remain un-authenticated).
- Images, videos, fonts, CSS payloads (we extract URLs but do not download binaries).
If an Audit Subject is your store: the submitted URL, audit metadata, scores, and findings are your Customer Data and you control retention via your dashboard.
If an Audit Subject is not your store and contains personal data of others (e.g., a publicly visible customer review on a product page): we process this incidentally and only as part of the diagnostic run. Such data is not used for any purpose other than producing the audit report and is not displayed in the audit report, which surfaces structural findings rather than customer reviews verbatim.
If you are an Audit Subject operator and want your store removed from the public leaderboard or want associated personal data deleted, contact privacy@aicommerceaudit.com or see the takedown route at /bots. We will action verified requests within one business day.
9. Data Retention
We retain personal data for as long as needed for the purposes described, then delete or de-identify it:
| Data | Retention |
|---|---|
| Account & identity | Until you delete your account, then 30 days for backup expiry |
| Audit submissions (URL, timestamps, metadata) | Until you delete the audit or your account |
| Raw crawl bodies | Not retained as long-term snapshot storage today; processed transiently to compute the audit |
| Scores and findings | Same as audit submissions (so the report you bought remains accessible) |
| Billing records | 7 years (tax/accounting legal obligation) |
| Support correspondence | 3 years |
| Web analytics (GA4) | Up to 14 months (GA4 retention setting); aggregate reports retained indefinitely. Umami: aggregate counts only, no per-user retention |
| Application logs | 30 days |
| Hosting/edge logs (Vercel, Cloudflare) | Per their providers' policies, generally 30–90 days |
| Rate-limit counters | Rolling 24 hours |
Deletion requests are processed within 30 days subject to legal retention obligations (e.g., tax records).
10. Your Rights
Depending on your jurisdiction you may have the following rights:
10.1 EU / EEA / UK (GDPR / UK GDPR)
- Access — get a copy of personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — delete data we no longer need.
- Restriction — limit our processing in specified circumstances.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests, including for direct marketing (we will stop).
- Withdraw consent — for processing based on consent.
- Complaint — lodge a complaint with our lead supervisory authority, Romania's ANSPDCP (dataprotection.ro), or with the supervisory authority in your own EU country of residence. Full list: edpb.europa.eu/about-edpb/about-edpb/members_en.
10.2 California, USA (CCPA / CPRA)
- Right to know — what personal information we collect, why, and with whom we share.
- Right to delete — request deletion.
- Right to correct — request correction of inaccurate information.
- Right to opt out of "sale" or "sharing" — N/A; we do not sell or share for cross-context behavioral advertising.
- Right to limit use of sensitive personal information — N/A; we do not process sensitive personal information beyond what is necessary to provide the Service.
- Right to non-discrimination for exercising rights.
10.3 Other US states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as enacted)
You may have rights similar to those above. Contact privacy@aicommerceaudit.com.
10.4 How to exercise rights
Email privacy@aicommerceaudit.com from the address associated with your Account, or submit a request from your dashboard. We will respond within 30 days (extendable by 60 days for complex requests; we will inform you of any extension). We may need to verify your identity before actioning requests.
You may authorize an agent to make requests on your behalf, subject to verification.
11. Security
We implement administrative, technical, and physical safeguards designed to protect personal data, including:
- Encryption in transit (TLS) and at rest (subprocessor-managed where applicable);
- Role-based access controls and least-privilege access to production data;
- Audit logging of administrative access;
- Secret rotation and gitleaks-style scanning on commits;
- SSRF guards, hostname-level rate limits, and Turnstile on public endpoints;
- Vendor due-diligence on subprocessors before onboarding.
Our crawler is rate-limited to one in-flight request per hostname, identifies itself with AiCommerceAuditBot/1.0 (+https://aicommerceaudit.com/bot), honors robots.txt, rejects redirects to private, link-local, loopback, and cloud metadata IP ranges, and strips cookies and authorization headers on cross-origin redirects. The full crawler policy is published at aicommerceaudit.com/bots.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay (within 72 hours where required by GDPR Art. 33).
12. Children
The Service is not directed to children under 16 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact privacy@aicommerceaudit.com and we will delete it.
13. Changes to This Policy
We may update this Policy. For material changes affecting your rights, we will notify you by email or in-product banner at least 30 days before the effective date. The "Last updated" date at the top of this Policy reflects the most recent revision. Past versions are available on request.
14. Contact
| Topic | Contact |
|---|---|
| General | hi@aicommerceaudit.com |
| Privacy, data subject requests | privacy@aicommerceaudit.com |
| Data protection contact | Vlad Duma, vlad@aicommerceaudit.com |
| Bot complaints / takedowns | hi@aicommerceaudit.com (see /bots) |
| Postal | DUMA DIGITAL SOLUTIONS S.R.L., Strada Verzișori nr. 6, ap. Boxa 118, Sector 4, 030167 București, Romania — VAT RO51430401, Registrul Comerțului J2025017453003 |
| Lead supervisory authority | ANSPDCP, Romania — dataprotection.ro |