Privacy Policy
Effective April 16, 2026
The short version: We collect the minimum data we need to run the Service. We never sell your data. We store your account data in the United States via Supabase and Vercel. You can ask us what we hold, correct it, or delete it at any time by emailing info@ecomforward.io.
1. Who we are
ECOMFORWARD LLC (“Ecom Forward,” “we,” “us,” or “our”) operates the Ecom Forward website and application. We are a Delaware limited liability company with a registered office at 8 The Green, Suite A, Dover, DE 19901, United States. We are the data controller for personal data processed about you in connection with our Service, unless noted otherwise in this Policy.
You can reach us at info@ecomforward.io for any privacy-related question.
2. What data we collect
2.1 Data you provide to us
- Account data: email address, name, and authentication details (magic links).
- Company and billing data: company name, billing email, billing address, tax or VAT ID, and (during subscription) payment method details collected and processed by our payment processor, Stripe. We do not store full card numbers.
- Team data: email addresses of people you invite to your team and their assigned roles.
- Support data: any message, attachment, or information you send us when contacting support.
2.2 Data from connected platforms
When you authorize a third-party integration, we collect the data needed to provide the Service. This may include:
- Shopify: store name, domain, OAuth access token (stored encrypted), orders, products, customers (first name, last name, email, addresses as shown on orders), and aggregated sales analytics.
- Meta (Facebook/Instagram) Ads: ad account ID, access token, and campaign-level spend and performance metrics.
- Google Ads: account ID, OAuth refresh token, and campaign-level spend and performance metrics.
- TikTok Ads: advertiser ID, access token, and campaign-level spend and performance metrics.
- Pinterest Ads: ad account ID, OAuth refresh token (stored encrypted), and campaign-level spend and performance metrics.
- Snapchat Ads: ad account ID, organization ID, OAuth refresh token (stored encrypted), and campaign-level spend and performance metrics.
- Klaviyo (email & SMS): account ID, Private API key (stored encrypted), campaign and flow metadata, per-day email and SMS revenue aggregates, and total active subscriber count.
Integrations are optional. You control which platforms you connect, and you can disconnect them at any time from within the Service.
Shopify Admin API data use
Ecom Forward accesses your Shopify store data through the Shopify Admin API under the Shopify API License and Terms of Use. We request the following scopes: read_orders, read_products, write_products, read_inventory, write_publications, and read_shopify_payments_payouts.
Shopify store data we receive (orders, products, inventory levels, customer information embedded in orders, and Shopify Payments payout records) is:
- used only to display your own store analytics, financials, and reports inside your Ecom Forward dashboard;
- not used for advertising, or to train or improve generalized AI/ML models;
- never sold or transferred to any third party;
- not read by any human at Ecom Forward, except (a) with your explicit consent for support, (b) for security investigations, or (c) to comply with legal obligations.
You can revoke Ecom Forward’s access at any time by uninstalling the app from your Shopify admin (Settings → Apps and sales channels). Uninstalling triggers Shopify’s mandatory app/uninstalled webhook, after which we null the stored access token. The corresponding Shopify customers/data_request, customers/redact, and shop/redact webhooks are honored within the windows Shopify specifies.
Google API Services User Data Policy
Ecom Forward’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In practice, Google user data (your Google Ads account identifiers and campaign performance metrics obtained via the adwords scope) is:
- used only to display your own Google Ads performance inside your Ecom Forward dashboard;
- not used for advertising, or to train or improve generalized AI/ML models;
- never sold or transferred to any third party;
- not read by any human at Ecom Forward, except (a) with your explicit consent for support, (b) for security investigations, or (c) to comply with legal obligations.
The same commitments apply to any other Google API we may integrate with in the future.
Pinterest Marketing API data use
Ecom Forward accesses Pinterest data through the Pinterest Marketing API under the Pinterest Developer Guidelines. We request only read-only scopes (ads:read and user_accounts:read).
Pinterest data we receive (ad account identifiers and campaign performance metrics) is:
- used only to display your own Pinterest Ads performance inside your Ecom Forward dashboard;
- not used for advertising, or to train or improve generalized AI/ML models;
- never sold or transferred to any third party;
- not read by any human at Ecom Forward, except (a) with your explicit consent for support, (b) for security investigations, or (c) to comply with legal obligations.
You can revoke Pinterest access at any time from your Ecom Forward store settings, which deletes the stored refresh token.
Snapchat Marketing API data use
Ecom Forward accesses Snapchat data through the Snapchat Marketing API under Snap’s Developer Terms. We request only the snapchat-marketing-api scope and use it solely for read operations.
Snapchat data we receive (ad account identifiers, organization identifiers, and campaign performance metrics) is:
- used only to display your own Snapchat Ads performance inside your Ecom Forward dashboard;
- not used for advertising, or to train or improve generalized AI/ML models;
- never sold or transferred to any third party;
- not read by any human at Ecom Forward, except (a) with your explicit consent for support, (b) for security investigations, or (c) to comply with legal obligations.
You can revoke Snapchat access at any time from your Ecom Forward store settings, which deletes the stored refresh token.
2.3 Data we collect automatically
- Session and authentication: an essential cookie set by Supabase to keep you signed in.
- Short-lived security cookies: for OAuth flows (e.g. Google Ads connection), cleared immediately after use.
- Technical logs: IP address, browser and device type, request timestamps, and error information, collected by our hosting provider (Vercel) for security, abuse detection, and debugging. These are retained for a short period.
- Usage logs: in-app audit entries of meaningful actions (create, edit, delete) so the account owner can review activity. These are associated with the user who performed the action.
We do not currently use third-party analytics, advertising, or tracking cookies. If we add any in the future, we will update this Policy and, where required, ask for your consent first.
2.4 Data we do not collect
We do not knowingly collect sensitive personal data such as government identifiers, health data, biometric data, or precise location. Please do not upload such data to the Service.
3. How and why we use your data
Under the EU and UK General Data Protection Regulation, we rely on the following legal bases:
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and maintaining your account; providing the Service | Performance of a contract (Art. 6(1)(b)) |
| Billing, taxes, and accounting | Performance of a contract; legal obligation (Art. 6(1)(b), (c)) |
| Keeping the Service secure and preventing abuse | Legitimate interests (Art. 6(1)(f)) |
| Improving, testing, and debugging the Service | Legitimate interests (Art. 6(1)(f)) |
| Sending transactional emails (magic links, billing confirmations, alerts you subscribed to) | Performance of a contract (Art. 6(1)(b)) |
| Responding to legal requests and complying with law | Legal obligation (Art. 6(1)(c)) |
| Optional marketing communications | Consent (Art. 6(1)(a)) — you can withdraw at any time |
We do not use your data for automated decision-making that produces legal or similarly significant effects on you.
4. Service providers (sub-processors)
We use a small set of trusted service providers to operate the Service. Each has access only to the data they need, is bound by a written agreement to protect it, and (where relevant) has appropriate safeguards for international data transfers.
| Provider | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | United States |
| Vercel Inc. | Application hosting, request logs | United States |
| Resend, Inc. | Transactional email delivery (magic links, alerts, receipts) | United States |
| Stripe, Inc. | Payment processing, subscription billing | United States |
| Anthropic, PBC | AI-assisted product content (Claude API). We send only the specific text you ask us to generate content from; we do not send personal data. | United States |
Separate from our sub-processors, when you connect a third-party platform (Shopify, Meta, Google, TikTok), you are sharing data directly with that platform under its own terms and privacy policy. We act only as a pipeline to display that data back to you.
5. International data transfers
Ecom Forward is based in the United States, and our infrastructure runs in the United States. If you are in the European Economic Area, the United Kingdom, or another jurisdiction with data export restrictions, your personal data is transferred to and processed in the United States.
We rely on the European Commission’s Standard Contractual Clauses (SCCs) with our U.S. sub-processors as the transfer mechanism, together with supplementary measures including encryption in transit (TLS) and at rest, access controls, and strict purpose limitation. Where a sub-processor participates in the EU-U.S. Data Privacy Framework, we rely on that framework as an additional basis.
You can request a copy of the relevant transfer safeguards by contacting us.
6. How long we keep your data
We keep data only as long as we need it:
- Account and Service data: for as long as your account is active, and then up to 30 days after account closure unless a longer period is required by law or to resolve a dispute.
- Billing records: for the period required by applicable tax and accounting law (typically 7 years in the United States).
- Security and debugging logs: typically 30 days, occasionally longer where needed to investigate a specific incident.
- Soft-deleted items in trash: purged automatically after the retention window you set in your account (default 30 days).
- Support conversations: up to 3 years, then deleted unless you ask us to delete sooner.
When data reaches the end of its retention period, we delete it or anonymize it so that it can no longer be associated with you.
7. Your rights
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:
- Access: ask for a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: ask us to delete your personal data where there is no good reason for us to keep it.
- Restriction: ask us to limit how we use your data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing we do on the basis of legitimate interests.
- Withdraw consent: where we process based on consent, withdraw it at any time without affecting the lawfulness of earlier processing.
- Lodge a complaint: with your local data protection authority. We would appreciate the chance to address your concern first.
To exercise any of these rights, email info@ecomforward.io. We will respond within 30 days and may ask you to verify your identity first.
8. Additional rights for California residents
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the right to know what categories of personal information we collect, use, and disclose; the right to request deletion; the right to correct; the right to opt out of any sale or sharing of personal information; and the right not to be discriminated against for exercising your rights.
We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. To exercise your California rights, email info@ecomforward.io.
9. Security
We use industry-standard measures to protect your data: TLS encryption in transit, encryption at rest for our database, row-level security so each account’s data is isolated, scoped OAuth tokens, password-less authentication via magic links, strict access controls on our side, and audit logging. No system is perfectly secure; if we become aware of a data breach affecting your personal data, we will notify you and the relevant authorities as required by law.
10. Children’s data
The Service is intended for business users and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has given us personal data, contact us and we will delete it.
11. Marketing communications
We send transactional emails about your account (magic links, billing, alerts you subscribed to) as part of the Service. We will only send you marketing or product-update emails if you have opted in, and you can unsubscribe at any time using the link in the email.
12. Changes to this Policy
We may update this Policy from time to time. If we make a material change, we will notify you by email or through the Service at least 15 days before it takes effect, unless a shorter period is required by law. The “Effective” date above shows when the current version was published.
13. Contact us
Questions, requests, or complaints about this Policy or our use of your data can be sent to:
ECOMFORWARD LLC
8 The Green, Suite A, Dover, DE 19901, United States
info@ecomforward.io