Privacy Policy
Last updated: 13 May 2026
1. Who we are
Companion is a weekly AI-powered digest service for Shopify store owners, operated by José Miguel Pires Fernandes, based in Lisbon, Portugal. When this policy refers to "Companion", "we", "us" or "our", it means this service and its operator.
Contact: jose.miguel.pires.fernandes@gmail.com
2. What data we collect
Store data (via Shopify OAuth)
When you connect your Shopify store, we request read-only access to:
- Orders — revenue, order count, average order value
- Products — top-selling items and revenue by product
- Customers — new vs returning customer counts (no personal customer data stored)
- Analytics — sessions and conversion rates (where available)
- Store info — store name, owner email, currency, timezone
We never access or store your customers' personal information, payment details, or addresses.
Account data
- Your name and email address (from your Shopify account)
- Subscription plan and billing status (managed by Stripe)
- Digest history — weekly performance scores and summaries
Technical data
- IP address and browser type (server logs, retained 30 days)
- Cookies — session and preference cookies only (see Section 7)
3. How we use your data
- To generate your weekly performance digest email
- To compare this week's metrics against previous weeks
- To manage your subscription and send billing receipts
- To improve the quality of AI-generated insights (anonymised, aggregate only)
- To contact you about service updates or issues
We never use your store data for advertising, sell it to third parties, or share it with anyone except the processors listed in Section 5.
4. Legal basis (GDPR)
We process your data under the following legal bases:
- Contract performance — processing your store data to deliver the weekly digest you subscribed to
- Legitimate interest — improving service quality using anonymised aggregate data
- Legal obligation — retaining billing records as required by Portuguese tax law
5. Who we share data with
We use the following third-party processors:
- Anthropic — AI model provider that generates your digest insights. Store metrics are sent to their API and not retained after processing.
- Supabase — Database hosting (EU region). Stores your account and digest history.
- Stripe — Payment processing. We never see or store your card details.
- Resend — Email delivery for your weekly digest.
- Vercel — Application hosting (EU region where possible).
6. Data retention
- Store metrics snapshots: retained for 12 months to enable year-over-year comparisons
- Digest history: retained for 24 months
- Account data: retained until you delete your account, then deleted within 30 days
- Billing records: retained for 7 years as required by Portuguese law
7. Cookies
We use only essential cookies required for the service to function:
- shopify_state — a temporary security token used during the Shopify OAuth flow. Expires after 10 minutes.
- Session cookies — to keep you logged in during your visit. Deleted when you close your browser.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics.
8. Your rights
Under GDPR, you have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct any inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Restriction — request we limit how we use your data
To exercise any of these rights, email us at jose.miguel.pires.fernandes@gmail.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Portuguese data protection authority (CNPD) at cnpd.pt.
9. Security
We protect your data using industry-standard measures: HTTPS encryption in transit, encrypted storage at rest, access controls limited to the operator, and regular security reviews. Shopify API tokens are stored encrypted in our database.
In the event of a data breach affecting your personal data, we will notify you within 72 hours as required by GDPR.
10. Changes to this policy
We may update this policy from time to time. We will notify you by email at least 14 days before any material changes take effect. Continued use of the service after that date constitutes acceptance of the updated policy.