Privacy policy

1. Who this policy is for

This policy distinguishes between three groups so you can find the parts that apply to you:

• Merchants — businesses that sign up for Miivo, connect one or more third-party platforms (for example, an ecommerce store, ad account, or analytics account), and use our dashboard.
• Merchant users — the individual employees or collaborators a merchant grants access to their Miivo workspace.
• Merchants’ end customers (buyers)— shoppers, subscribers, or leads who interact with a merchant’s storefront, ad campaigns, or other channels that a merchant has connected to Miivo. Miivo does not market to, or communicate directly with, end customers. Information we receive about end customers is processed only on the merchant’s behalf.

2. Information we collect through connected platforms

When a merchant connects a third-party platform (for example, Shopify, other ecommerce platforms, ad networks, or analytics providers), we use the platform’s official API with the minimum permissions/scopes needed to produce analytics for that merchant. Depending on the platform connected, the data we retrieve falls into these categories:

• Account & connection metadata — identifiers, store or account domain, timezone, currency, and OAuth tokens (encrypted at rest).
• Orders & transactions — order identifiers and timestamps, financial status, source/channel, payment-method names, monetary totals (subtotal, discounts, tax, shipping, total), line items, refunds, cancellations, and fulfillments.
• Catalog & inventory — product and variant identifiers, titles, categories, prices, stock levels, and inventory-tracking state.
• Aggregated customer references — platform-assigned customer identifiers and aggregate signals such as total order counts or new-vs-returning flags. We request only the fields needed to produce aggregate analytics.

What we do not collect from connected platforms. Except where a specific feature explicitly requires it and the merchant has enabled that feature, we do not query, import, or store end customers’ names, email addresses, phone numbers, billing or shipping addresses, IP addresses, or payment-card details. Where we offer a feature that needs any such field, it is disclosed in-app before the merchant enables it, and the data is used only for that feature.

A current, integration-by-integration description of the exact API scopes we request and the data fields we read is maintained in our in-app integration settings and in our Trust Center (Section 9).

3. Information we collect directly from merchants and merchant users

• Account information: name, email address, and authentication credentials used to sign in to Miivo.
• Organization & billing information: business name, business address, tax identifiers where required, and billing records. Payment card details are handled exclusively by our payment processor (Stripe) — we never see or store full card numbers.
• Integration connection metadata: the connected platform’s store or account identifier, OAuth access token (encrypted at rest), granted scopes, and install/uninstall/disconnect timestamps.
• User-generated content: prompts, messages, settings, campaign configurations, and any content you submit to the Service.
• Support correspondence: messages you send to support@miivo.ai and any attachments.
• Automated logs: IP address, browser and device metadata, referring URL, pages viewed, feature interactions, timestamps, and error/diagnostic data generated when you use the Service.

4. Information we collect directly from merchants’ end customers

Miivo does not operate a storefront-facing experience and does not drop cookies, pixels, or tracking technologies on a merchant’s buyer-facing pages. We do not collect information directly from end customers. All end-customer-related data we process comes indirectly through the platforms a merchant has connected, as described in Section 2.

5. How we use the information we collect

We use the information we collect to:

• Provide, operate, authenticate, and maintain the Service, including computing analytics, dashboards, and reports for the merchant.
• Generate AI-assisted insights, summaries, and recommendations at the merchant’s request, using the sub-processors listed in Section 6.
• Debug, monitor, and secure the Service, detect abuse, and investigate incidents.
• Communicate with merchants about their account, service changes, security advisories, and support requests.
• Bill for the Service and keep financial records required by law.
• Comply with legal obligations and enforce our terms.

We do not sell merchant or end-customer personal information. We do not use end- customer data for advertising, retargeting, or to build cross-merchant profiles. We do not use merchant data to train general-purpose AI models. Prompts and data sent to third-party AI providers are used solely to return a response to the merchant’s request (see Section 6).

6. Sub-processors and third parties

We share information with the following categories of service providers that process data on our behalf under contractual confidentiality and data-protection obligations:

• Cloud infrastructure & hosting — for application hosting, databases, caching, and job queues.
• Authentication — identity and session management for merchant users.
• Payments — Stripe, to process subscription billing.
• AI model providers — OpenAI, Anthropic (Claude), Google (Gemini), and other large-language-model providers we use to generate insights you request. These providers process prompts and inputs we send them and return a response; under our contracts with them, your inputs and outputs are not used to train their public models.
• Analytics & error monitoring — to measure product usage and diagnose errors.
• Email delivery — to send transactional and support emails.

We may also disclose information when required by law, to protect rights or safety, or in connection with a merger, acquisition, or asset sale (in which case the acquirer will be bound by a privacy policy at least as protective as this one).

7. How long we retain data

• Active integrations: data pulled from connected platforms and generated by the Service is retained for as long as the Miivo account and the relevant integration remain active.
• After uninstall, disconnect, or account deletion: we delete or irreversibly anonymize merchant-scoped data within 30 days. Uninstall/disconnect webhooks from connected platforms deactivate the integration immediately and stop further data collection.
• Platform-mandated data-subject requests: where a connected platform forwards data-subject requests (for example, access, redaction, or shop-level deletion notifications), we honor them within the timelines that platform requires and within the timelines required by applicable law.
• Backups: residual copies in encrypted backups are purged on our standard backup rotation (no longer than 90 days after the primary deletion).
• Legal and financial records: billing and tax records are retained for the periods required by applicable Canadian, U.S., and other tax and accounting law.

A merchant can request earlier deletion at any time by emailing support@miivo.ai. We will action verified requests within 30 days.

8. International transfers

Miivo is established in Canada. Our servers and sub-processors are primarily located in Canada and the United States. If you access the Service from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with cross-border transfer rules, your information will be transferred outside that jurisdiction. We rely on the European Commission’s adequacy decision for Canada (PIPEDA) and, where adequacy does not apply, on Standard Contractual Clauses or equivalent safeguards with our sub-processors. A copy of the transfer mechanism applicable to a given sub-processor is available on request.

9. Security

Miivo maintains a SOC 2 Type II information security program. Our controls are independently audited against the AICPA Trust Services Criteria for both design and operating effectiveness over a defined observation period. You can review our current compliance status, active controls, and sub-processors at our Trust Center: d4d3eca175.scrut.io. A copy of our SOC 2 report is available to merchants under NDA through the Trust Center, or on request at support@miivo.ai.

In addition to our SOC 2 program, we implement administrative, technical, and physical safeguards designed to protect information, including TLS in transit, encryption of OAuth tokens and secrets at rest, role-based access controls, least- privilege access reviews, audit logging, vulnerability management, and regular review of our sub-processors. No system is 100% secure; if we become aware of a security incident that affects your information, we will notify you and applicable regulators as required by law.

10. Your rights

Depending on where you live, you may have the right to access, correct, delete, restrict, or port the personal information we hold about you, to object to certain processing, and to withdraw consent. Canadian residents have rights under PIPEDA and applicable provincial privacy laws; residents of the EEA and UK have rights under the GDPR/UK GDPR; California residents have rights under the CCPA/CPRA; and similar rights apply in other U.S. states and jurisdictions.

To exercise a right, email us at support@miivo.ai. We may need to verify your identity before responding. We will respond within the timelines required by applicable law (typically 30 days, extendable where permitted). You also have the right to lodge a complaint with your local supervisory authority — in Canada, the Office of the Privacy Commissioner of Canada (priv.gc.ca).

If you are a merchant’s end customer and want to exercise rights over your personal data held by that merchant, please contact the merchant directly; we act as a processor/service provider on the merchant’s behalf for that data.

11. Cookies and similar technologies

We use strictly necessary cookies to authenticate merchant users and maintain sessions, and limited analytics cookies to understand aggregate usage of the Service. We do not use advertising or cross-site tracking cookies. You can manage cookies in your browser; disabling strictly necessary cookies may prevent you from signing in.

12. Children’s privacy

The Service is intended for businesses and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at support@miivo.ai and we will delete it.

13. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the “Last Updated” date above and, where required, by email or in-app notice. Continued use of the Service after an update constitutes acceptance of the revised policy.

14. Contact us

Questions, requests, or complaints about this Privacy Policy or our privacy practices: