Privacy Policy — Tectonic (tectonic.so)
Last updated: 27 October 2025
⸻
Who we are
Tectonic (“we,” “us,” “our”) provides an AI-native growth platform and storefront technology for Shopify brands.
Controller details (for website/app users): Tectonic Technologies Inc, 26 Cathy Lane, Oakland, CA - 94619.
Contact: privacy@tectonic.so
For data we process on behalf of our merchant customers (e.g., their shoppers’ data), we act as a processor (GDPR) and our customer is the controller / data fiduciary. We offer a separate Data Processing Addendum (DPA).
⸻
Scope
This policy covers personal data we process about:
1. Site visitors (tectonic.so and subdomains).
2. Prospects & customers engaging with sales, support, or demos.
3. Users of Tectonic products (e.g., merchant admins).
4. End-customers of our merchants whose data we process to deliver our services (we do so under our customers’ instructions).
⸻
What we collect
A. Data you provide
• Account & contact info: name, business email, phone, role, company.
• Merchant account setup: store URL, Shopify org ID, billing info (handled by our payment processor), usage preferences.
• Support & content: tickets, call recordings (where permitted), feedback, attachments.
B. Data we get automatically
• Device/usage data: IP, user-agent, time zone, pages, product features used, events (clicks, conversions), session diagnostics, performance logs.
• Cookies & similar tech for session auth, preferences, analytics. See [Cookies Notice link].
C. Data from integrations & partners
• Shopify & other platforms (per access scopes granted by the merchant): store metadata, products/collections, orders, carts, customers, discounts, webhooks, app events. Scopes are requested explicitly and must be approved by the merchant in Shopify; apps aren’t granted blanket access. 
Note: Categories and fields depend on the scopes your admin approves during installation and can be limited in app settings.
⸻
How we use data & legal bases
A. For site visitors, prospects, and product users (we are controller)
• Provide and secure the service; create/administer accounts; authenticate sessions.
• Billing and account communications; respond to enquiries; provide support.
• Improve product performance and features; debug and prevent abuse.
• Marketing with consent or where permitted by law (opt out at any time).
GDPR legal bases: performance of contract, legitimate interests, consent (where required), legal obligation. See GDPR Art. 6 for lawful bases. 
B. For merchant shoppers (we are processor)
• Process personal data strictly under the merchant’s instructions to power storefront speed, personalization, experimentation, analytics, pricing and growth features.
• We don’t use shoppers’ personal data for our own marketing.
C. India (DPDP Act)
We rely on consent or legitimate uses allowed by the Act, honor rights to access/correction/erasure, implement security safeguards, and provide breach intimation as required. We do not conduct behavioral tracking or targeted advertising to children. 
⸻
Do we sell or share personal information?
We do not sell personal information and we do not share it for cross-context behavioral advertising as defined by the California Privacy Rights Act (CPRA). If this changes, we will update this policy and provide a “Do Not Sell or Share” link. See consumer rights introduced via CCPA/CPRA. 
⸻
Data retention
We retain personal data for as long as needed to provide the services, comply with legal obligations, resolve disputes, and enforce agreements. Merchant shoppers’ data retention is governed by the merchant’s settings/instructions (see DPA). When retention is no longer required, data is deleted or anonymized.
⸻
How we disclose information
We may disclose personal data to:
• Service providers/sub-processors (cloud hosting, databases, email/SMS, analytics, support tools, payments) under contracts that require confidentiality and appropriate security. A current list is available here: [Sub-processors page link].
• Integrations at the merchant’s direction (e.g., Shopify, marketing and analytics platforms connected by the merchant).
• Corporate transactions (merger, financing, acquisition); legal compliance (lawful requests); and to protect rights, safety, and security.
⸻
International transfers
We operate with infrastructure and partners in multiple countries. Where required, we use appropriate safeguards for cross-border data transfers, including the European Commission’s Standard Contractual Clauses (SCCs) for transfers under GDPR. 
India (DPDP Act): we comply with any Central Government restrictions on transfers to specified countries/territories. 
⸻
Security
We implement technical and organizational measures designed to protect personal data, including encryption in transit, access controls, audit logging, and vulnerability management. If we become aware of a personal data breach impacting you, we will notify you and regulators as required by applicable laws. 
⸻
Your rights
Your rights depend on where you live. You can make requests by emailing privacy@tectonic.so.
European Economic Area/UK (GDPR)
Subject to exceptions, you have rights to access, rectification, erasure, restriction, objection (including to direct marketing), and portability; and to lodge a complaint with a supervisory authority. Controllers must facilitate rights requests; processors must assist controllers. 
India (Digital Personal Data Protection Act, 2023)
You have rights to access a summary of your personal data and processing activities, to correction/completion/updating and erasure, to grievance redressal, and to nominate another individual to exercise your rights in case of death or incapacity. You may withdraw consent at any time; we will provide easy mechanisms to do so. 
California (CCPA/CPRA)
California residents have rights to know/access, delete, correct, opt out of sale or sharing, limit use/disclosure of sensitive personal information, and non-discrimination for exercising rights.
When acting as a processor for a merchant, we will direct shopper requests to that merchant (controller) and assist them in fulfilling requests, where applicable.
⸻
Cookies & similar technologies
We use cookies and similar technologies to:
• keep you signed in; remember preferences; measure site/product usage; improve performance.
Where required, we will obtain consent via our banner and honor your choices. See [Cookies Notice link] for details and controls.
⸻
Children’s privacy
Our services are for businesses, not children. We don’t knowingly collect personal data from children. Under India’s DPDP Act, we do not track, behaviorally monitor, or target advertising toward children; verifiable parental/guardian consent is required for processing a child’s data. 
⸻
Shopify-specific disclosures
When you install our app, you grant specific access scopes in Shopify; we only receive the data necessary for the app to function, and scopes can be reviewed/adjusted by your admin in Shopify. We also follow Shopify’s privacy requirements for apps. 
⸻
Third-party links
Our sites and dashboards may include links or integrations to third-party services. Their privacy practices are governed by their own policies.
⸻
Changes to this policy
We may update this policy to reflect changes in our practices or legal requirements. We will post updates here and revise the “Last updated” date. Material changes will be communicated through the service or by email where appropriate.
⸻
Contact us
Data protection contact: privacy@tectonic.so
Mailing address: [Company Legal Name], [address]
EU/UK representative (if applicable): [Name/Address]
Data Protection Officer (if designated): [Name, email]