Skip to content

Privacy Policy

Last updated: March 2026

1. Information We Collect

When you create an account, we collect your name, email address, and payment information (processed securely through Stripe). When you add a site for verification, we collect your domain name and perform automated scans of publicly available information about that domain.

We also collect:

  • IP addresses for rate limiting and abuse prevention (retained temporarily in memory, not stored long-term)
  • Analytics data via self-hosted Umami (page views, browser type, referrer — cookieless, no personal profiles built)
  • Domain data sent to Google Safe Browsing API to check for malware/phishing flags during scans

2. How We Use Your Information

We use your information to:

  • Provide and maintain the AI-Signed trust verification service
  • Process payments and manage your subscription
  • Perform trust scans on your registered domains
  • Generate and display trust badges and scores
  • Send service-related communications

3. Public Information

Trust scores, badge levels, and verification status for active sites are publicly accessible through our verification pages and API. This is a core feature of the service — trust badges are designed to be visible to website visitors and AI agents.

4. Data Sharing

We do not sell your personal information. We share data only with the following third parties:

  • Stripe for payment processing
  • Google (Safe Browsing API — domain names only, no personal data)
  • SMTP email provider for transactional emails

We use self-hosted Umami analytics — all analytics data stays on our servers and is never shared with third parties.

We may disclose information if required by law. Aggregated, anonymized data may be used for service improvement.

5. Cookies and Tracking

We use functional cookies (authentication session tokens) required for login.

We use self-hosted Umami analytics which is cookieless — it does not set cookies or track users across sites. Analytics only loads after you accept the cookie/analytics consent banner.

We do not use advertising cookies or third-party tracking pixels.

6. Data Security

We use industry-standard security measures including encrypted connections (HTTPS), secure password hashing, and secure payment processing through Stripe. API keys are generated with cryptographically secure random values and are stored as cryptographic hashes.

7. Data Retention

  • Account data is retained while your account is active.
  • Scan history is retained for up to 12 months for historical tracking; older scans are automatically purged.
  • Data is deleted within 30 days of account cancellation or deletion request.
  • Rate limiting IP data is stored in process memory only and cleared on server restart.

8. Lawful Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract performance: account management, scanning, badge generation
  • Legitimate interest: security (rate limiting, abuse prevention), service improvement (analytics)
  • Consent: analytics tracking (via consent banner)
  • Legal obligation: compliance with applicable laws

9. Your Rights (GDPR)

If you are in the European Economic Area, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Data portability (export your data)
  • Object to processing based on legitimate interest
  • Withdraw consent at any time
  • Lodge a complaint with your local data protection authority

Contact [email protected] to exercise these rights. We will respond within 30 days.

10. Your Rights (CCPA)

If you are a California resident, you have the following rights:

  • Right to know what personal information we collect and how it's used
  • Right to delete your personal information
  • Right to opt-out of the sale of personal information — we do not sell your personal information
  • Right to non-discrimination for exercising your privacy rights

Contact [email protected] to exercise these rights.

11. Automated Decision-Making

Trust scores are calculated algorithmically based on automated scans. These scores affect your badge display and public trust profile. You may request a review of any automated decision by contacting us. Trust scores can always be re-scanned to reflect changes you make to your site.

12. International Data Transfers

Your data is processed on servers located in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We ensure appropriate safeguards are in place in accordance with applicable data protection laws.

13. Children's Privacy

AI-Signed is not directed to individuals under 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided personal information, we will delete it promptly.

14. Shopify App Data

If you install AI-Signed through the Shopify App Store, we collect and process the following additional information:

  • Your Shopify store domain and primary domain for trust scanning
  • Shopify session tokens for authentication (stored securely in our database)
  • Billing status related to your Shopify app subscription

We do not access, collect, or store any of your customer data, order data, or product data. The only Shopify API scope we request is read_themes, used solely to enable the trust badge theme extension on your storefront. When you uninstall the app, we mark your installation as inactive and remove your session data. You can request full deletion of your data at any time.

15. Account Deletion and Data Export

You can delete your account at any time from the Billing page in your dashboard, or by contacting us at [email protected]. Account deletion will cancel any active subscription and permanently remove all your data within 30 days. You can export all your data in JSON format from the API before deletion.

16. Contact

For privacy-related inquiries, please contact us at [email protected].

For GDPR inquiries, you may also contact your local supervisory authority.