Privacy Policy

Last updated: May 18, 2026

This Privacy Policy explains how Clevly collects, uses, and protects the personal and business data of merchants who install and use the Clevly app. We are committed to transparency and to processing your data lawfully and only to the extent necessary to provide the Service.

1. Who We Are

Clevly is an AI-powered analytics platform for ecommerce merchants, operated by:

Alejandro Chocarro del Rio
NIF: 73027012B
Calle Eduardo Dato 10, 3ª A, Zaragoza, Spain
Email: support@clevly.ai
www.clevly.ai

As the operator of the Service, Alejandro Chocarro del Rio acts as the data controller for the personal and business data processed through Clevly, within the meaning of the EU General Data Protection Regulation (GDPR).

2. Scope of This Policy

This Privacy Policy applies to merchants and their authorized team members who install or use Clevly through the Shopify App Store. It covers all personal and business data collected, processed, or stored by Clevly in connection with the Service.

This policy does not cover the personal data of your end customers (i.e., the individuals who purchase from your store). Clevly does not collect, store, or process individual customer records. All store analytics are derived from aggregated metrics only.

3. Data We Collect

3.1 Account and Profile Data

When you install Clevly and complete onboarding, we collect:

Your name and contact email address
Your Shopify store name and store domain
Business vertical(s) and a brief description of your business
Operations profile: warehouse type (own / 3PL / dropshipping), customer geography (local / regional / global), whether you sell on marketplaces and which ones, whether you import goods and from where
Accounting configuration: which platform you use (Holded, QuickBooks, Xero, Google Sheets, or manual upload), your declared cash balance, and supplier payment terms
Manual expense figures (rent, salaries, accounting fees, software costs) — only if you select manual or spreadsheet-based accounting
Business goals: target gross margin, revenue target, and ROAS target
Marketing communications consent (opt-in checkbox during onboarding)

After onboarding, you can additionally configure in Settings: your business age, number of employees, and alert thresholds for key metrics.

3.2 Business and Operational Data (via Integrations)

When you connect third-party platforms, we access and store aggregated business data:

From Shopify: daily totals for revenue, orders, refunds, average order value, and new vs. returning customer counts; product-level data (title, price, units sold, revenue, stock levels); no individual customer records are accessed or stored
From advertising platforms (Meta, Google Ads, TikTok Ads, Amazon Ads): campaign names, spend, impressions, clicks, ROAS, and conversion metrics
From accounting platforms (Holded, QuickBooks, Xero): revenue, expenses, and P&L data
From email marketing platforms (Klaviyo, Mailchimp): automation performance and revenue attribution
From Google Analytics 4: session counts and traffic source data
From Google Sheets: if you connect a spreadsheet for accounting import, we read only the data you explicitly provide in that document

We store OAuth access tokens and refresh tokens for each integration you connect. These tokens allow us to retrieve your data on an ongoing basis. They are stored securely in our database with access controls enforced at the row level.

3.3 AI Interaction Data

When you use Clevly's AI features, we process the following data through Anthropic's Claude AI models:

Your store name and business profile (vertical, age, expenses, goals, cash balance)
Aggregated performance metrics from the last 7 days (revenue, orders, refunds, ad spend, ROAS)
Product and campaign performance data (names, units, revenue, margins)
The content of your messages in the AI chat assistant
Financial context for scenario analyses (EBITDA, margins, burn rate, runway, P&L history)

AI interaction data is processed in real time and is not used to train AI models. Conversation history in the floating chat assistant is session-based and is not persisted to our database. Scenario analysis conversations are stored persistently so you can revisit them.

3.4 Data We Do Not Collect

We do not collect, store, or process: IP addresses (used only in ephemeral memory for rate-limiting, never written to our database); device identifiers or fingerprints; individual customer names, emails, addresses, or payment information from your store; cookie-based or pixel-based tracking on Clevly's own pages; any data from platforms you have not actively connected.

4. Legal Basis for Processing (GDPR)

We process your data on the following legal bases under Article 6 of the GDPR:

Performance of a contract (Art. 6(1)(b)): The primary basis for processing your account data, business profile, integration data, and AI interaction data is the performance of our contract with you — i.e., providing the Clevly Service as described in our Terms of Service.
Legitimate interests (Art. 6(1)(f)): We process certain data to operate and improve the Service, ensure security and prevent abuse, enforce our Terms of Service, and maintain audit records of GDPR compliance requests. We have assessed that these interests are not overridden by your rights.
Consent (Art. 6(1)(a)): Where you have opted in to receive marketing communications (indicated during onboarding), we will process your email address for that purpose. You may withdraw this consent at any time by contacting support@clevly.ai.

5. How We Use Your Data

We use the data we collect exclusively for the following purposes:

To provide and operate the Clevly Service: generating dashboards, alerts, AI summaries, scenario analyses, and recommendations
To process your data through AI models to produce insights tailored to your business
To manage your account, subscription, and billing
To manage team member access if you use multi-seat features
To respond to your support requests
To send you service-related communications (e.g. subscription confirmation, changes to these policies)
To send you marketing communications, if and only if you have given your explicit consent
To maintain records of GDPR compliance requests for legal audit purposes
To detect and prevent abuse, fraud, or violations of our Terms of Service

We do not use your data to train AI models, sell it to third parties, or use it for any purpose unrelated to providing the Service to you.

6. Third Parties We Share Data With

We do not sell your data. We share data only with the following categories of processors and partners, strictly as necessary to provide the Service:

6.1 Anthropic (Claude AI)

We send your store name, business profile, aggregated performance metrics, and chat messages to Anthropic's API to generate AI-powered insights, summaries, and chat responses. Anthropic processes this data as a data processor on our behalf. Anthropic is based in the United States; data transfers are governed by Standard Contractual Clauses (SCCs).

6.2 Supabase (Database and Authentication)

All merchant data — including your profile, integration tokens, daily snapshots, alerts, and scenario analyses — is stored in Supabase's managed PostgreSQL database. Supabase also manages authentication. Data access is protected by row-level security (each merchant can only access their own data). Supabase provides a Data Processing Addendum with SCCs.

6.3 Vercel (Hosting and Infrastructure)

The Clevly application is hosted on Vercel's serverless infrastructure. Request logs may be processed by Vercel transiently; no personal data is persistently stored at the infrastructure layer beyond what is in our database. Vercel is based in the United States.

6.4 Shopify

Clevly is distributed through the Shopify App Store. When you install Clevly, Shopify grants us an OAuth token to access your store data within the scopes you authorize. Shopify may also send us GDPR-related webhooks (data requests, erasure requests, shop redaction). Shopify is based in Canada and the United States.

6.5 Optional Integration Partners

When you connect additional platforms, we exchange data with those services on your behalf and subject to your authorization:

Advertising: Meta (Facebook/Instagram Ads), Google Ads, TikTok Ads, Amazon Ads
Accounting: Holded, QuickBooks, Xero
Email marketing: Klaviyo, Mailchimp
Analytics: Google Analytics 4
Data import: Google Sheets

Each of these integrations is optional and is only connected if you choose to do so. Their respective privacy policies govern how they handle your data on their platforms. Clevly reads data from these platforms; we do not write or transmit your data back to them.

7. International Data Transfers

Some of the third parties listed above are based outside the European Economic Area (EEA), primarily in the United States. Where we transfer personal data to countries that do not have an EU adequacy decision, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for transfer, in accordance with Article 46 of the GDPR. Specifically:

Anthropic (USA): Claude API calls involving your business data. Covered by Anthropic's SCCs.
Supabase (USA or EU, depending on region configuration): All stored data. Covered by Supabase's Data Processing Addendum and SCCs.
Vercel (USA): Application hosting. Covered by Vercel's DPA.
Shopify (Canada/USA): OAuth and webhook interactions. Canada has EU adequacy status.

You may request a copy of the applicable transfer mechanisms by contacting us at support@clevly.ai.

8. Data Retention

We retain your data for as long as your account is active and as necessary to provide the Service. Specifically:

Account and profile data: retained for the duration of your subscription
Daily business snapshots, alerts, and scenario analyses: retained for the duration of your subscription
Team member data: retained until the invitation is revoked or the team member is removed
GDPR request audit logs: retained for a minimum of 5 years for legal compliance purposes

When you uninstall Clevly from your Shopify store, your OAuth token is immediately invalidated. Your data is preserved for up to 48 hours to allow reinstallation without loss of history. After 48 hours, Shopify sends us a shop redaction request pursuant to GDPR requirements, and all of your data is permanently and irreversibly deleted from our systems, including your profile, snapshots, alerts, scenarios, integration records, and your authentication account.

Once deletion is triggered by the shop redaction request, data cannot be recovered. If you plan to reinstall Clevly after uninstalling, we recommend doing so within 48 hours of uninstallation.

9. Cookies and Tracking

9.1 Cookies We Use

Clevly uses only the following cookies, which are strictly necessary for the Service to function:

Supabase authentication session cookies: these are set automatically by our authentication library when you sign in. They maintain your session and allow you to remain logged in. They are first-party, HttpOnly, and Secure cookies.

We do not use advertising cookies, analytics cookies, or any third-party tracking cookies on Clevly's own pages.

9.2 No Analytics Tracking

Clevly does not load any analytics, tracking, or session recording scripts (such as Google Analytics, Hotjar, Segment, or PostHog) on its own application pages. We do not track your behavior within the app for advertising or profiling purposes.

9.3 Your Browser Settings

You can configure your browser to refuse or delete cookies. Disabling authentication cookies will prevent you from signing in to the Service. No other functionality is affected by cookie settings.

10. Your Rights Under the GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

Right of access (Art. 15): You may request a copy of the personal data we hold about you.
Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data. Most profile data can be updated directly within the app.
Right to erasure (Art. 17): You may request deletion of your personal data. You can trigger full deletion by uninstalling Clevly from your Shopify store (data is deleted within 48 hours per Section 8). You may also contact us directly.
Right to data portability (Art. 20): You may request your data in a structured, machine-readable format.
Right to restriction of processing (Art. 18): You may request that we restrict how we use your data in certain circumstances.
Right to object (Art. 21): You may object to processing based on our legitimate interests. We will comply unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent: Where processing is based on consent (e.g. marketing communications), you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@clevly.ai. We will respond within 30 days. We may ask you to verify your identity before processing your request. There is no charge for exercising your rights.

You also have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD) at www.aepd.es, or with the supervisory authority in your country of residence.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights regarding your personal information.

We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising.

As a California resident, you have the right to:

Know what personal information we collect, use, disclose, and share
Request deletion of your personal information (subject to certain exceptions)
Correct inaccurate personal information
Opt out of the sale or sharing of personal information (not applicable — we do not sell or share data for advertising)
Non-discrimination for exercising your privacy rights

To exercise your California privacy rights, contact us at support@clevly.ai. We will respond within 45 days as required by California law.

12. Data Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure:

All data is transmitted over encrypted connections (HTTPS/TLS)
Our database enforces row-level security: each merchant can only access their own data
Authentication is managed by Supabase, which enforces secure session handling
Security headers (HSTS, CSP, X-Content-Type-Options) are enforced on all application responses
API endpoints are rate-limited to prevent abuse

Despite these measures, no system is completely secure. We cannot guarantee absolute security of your data. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by the GDPR (within 72 hours of becoming aware of the breach).

13. Children's Data

The Service is intended exclusively for use by businesses and individuals aged 18 or over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice within the Service at least 30 days before the changes take effect. The date of the latest revision is shown at the top of this document. Your continued use of the Service after the effective date of a revised policy constitutes your acknowledgement of the changes.

15. Contact and Data Protection Enquiries

For any questions, requests, or concerns relating to this Privacy Policy or the processing of your personal data, please contact us:

Alejandro Chocarro del Rio
Email: support@clevly.ai
Address: Calle Eduardo Dato 10, 3ª A, Zaragoza, Spain
www.clevly.ai

We aim to respond to all privacy-related enquiries within 30 days.