Privacy Policy

Privacy Policy Last updated: 12 November 2025Auma | AI Marketing ("Auma", "we", "us") is a Shopify app that automates multi-channel marketing for Shopify merchants. This Privacy Policy explains what data we collect through the app, how we use it, how we protect it, and the choices you have.1. Information We Collect Through Shopify When you install our app, Shopify provides us with an access token that lets us interact with your store according to the scopes you approve. We only use the data necessary to deliver the app's features:

  • Store details: shop domain, primary contact email, plan type.
  • Products & collections: titles, descriptions, media URLs, inventory data (read_products, write_products, read_inventory, write_inventory).
  • Content and images: blog posts, pages, files, and other media assets (read_content, write_files).
  • Metaobjects and custom data: definitions and records that support your marketing templates (write_metaobject_definitions, write_metaobjects).
  • Customers and orders: names, emails, order history, fulfillment status (write_customers, write_orders, write_fulfillments, read_/write_assigned|merchant_managed|third_party_fulfillment_orders).
  • Draft orders: to create campaign-driven carts when you ask us to (write_draft_orders).
  • Session data: OAuth tokens and embedded-app session details needed to authenticate each request.

We collect this information automatically via Shopify's Admin API when you authorize the scopes above. We do not collect payment-card numbers or merchant banking details.2. Information We Collect Through Instagram When you connect your Instagram Business account to enable Instagram posting features, we collect:

  • Instagram authentication tokens: Access tokens obtained through Facebook's OAuth flow to publish posts on your behalf.
  • Instagram Business Account details: Your Instagram Business Account ID and username.
  • Token expiration data: Timestamps to track when your access token will expire (typically 60 days) and prompt you to refresh.
  • Posting history: Records of when posts were published, post types (photo/carousel), and Instagram post IDs for tracking purposes.

This data is collected only when you explicitly authorize our app to connect with your Instagram Business account through Facebook's OAuth authorization flow. You can disconnect your Instagram account at any time through the app settings.3. Other Information We Collect

  • App usage data: timestamps of logins, settings you change, campaign approvals, cron toggles, webhook statuses, and Instagram connection status.
  • Support interactions: the email address and any information you provide when you contact us for help.
  • Log data: request logs (IP address, user agent, error messages) retained briefly for troubleshooting and security monitoring.

We do not place tracking pixels or cookies outside of what Shopify requires for embedded apps.4. How We Use the Data We process store data only to deliver the app's functionality:

  • Generate email, site, push, and Instagram campaign drafts from your products, collections, and media.
  • Publish approved Instagram posts (single photos or carousels) directly to your connected Instagram Business account.
  • Populate marketing templates with brand settings, tones, and schedules you configure.
  • Sync data to Make.com webhooks and other services you connect.
  • Keep fulfillment data aligned when campaigns create orders or draft orders.
  • Provide you with dashboards, analytics, audit trails, and campaign history.
  • Monitor Instagram token expiration and notify you when reauthentication is needed.
  • Troubleshoot errors, improve reliability, and secure the app.

We never sell your data or use it for unrelated advertising. Any analytics we run are aggregated and anonymized.5. Sharing and Disclosure We share store data only with:

  • Shopify: as required to operate within the Shopify ecosystem.
  • Facebook/Instagram: when you enable Instagram posting, we transmit post content (images, captions) to Instagram's Graph API to publish on your behalf. This data is processed according to Facebook's Data Policy.
  • Make.com (formerly Integromat): if you enable webhook delivery, payloads may contain product, schedule, and marketing data.
  • Service providers: trusted infrastructure vendors (e.g., Fly.io, database hosting, email support tools) who are bound by contractual confidentiality and security obligations.
  • Legal requirements: if we receive a lawful request, we may disclose data where permitted by Shopify's terms and applicable law.

We do not allow third parties to use your data for their own purposes.6. Data Retention

  • Marketing content, schedules, and configuration records are kept while you maintain an active subscription, so you can view history and re-use assets.
  • Instagram access tokens are stored securely while your Instagram account remains connected and are automatically removed when you disconnect.
  • Session tokens and logs are retained for up to 30 days or until you uninstall the app, whichever comes first.
  • After uninstall, we automatically revoke tokens (including Instagram tokens) and remove store-specific data within 30 days, unless you request earlier deletion.
  • You can request deletion or export at any time by contacting us (see Section 9).

7. Security We use industry-standard safeguards, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit, including communications with Shopify, Facebook/Instagram, and Make.com.
  • Secured PostgreSQL storage with role-based access control and encryption at rest.
  • Instagram access tokens are stored securely and never logged or exposed in plain text.
  • Principle of least privilege for team and system access.
  • OAuth 2.0 authentication for Instagram connections with automatic token refresh management.
  • Continuous monitoring and alerting for suspicious activity.
  • Regular dependency patching and penetration testing as part of our SDLC.

No method is 100% secure, but we continuously work to protect your information.8. Your Choices and Rights

  • Access & correction: you can review and update campaign settings inside the app at any time.
  • Instagram connection management: you can connect, disconnect, or refresh your Instagram access token directly from the app settings.
  • Delete data: uninstalling the app revokes access; email us to request expedited deletion.
  • Restrict processing: toggle campaign channels (including Instagram) or disable cron jobs directly in the dashboard.
  • Data portability: contact us for an export of campaign assets or configuration data.

For end-customer (shopper) data, you must submit requests through Shopify's privacy tools. We assist the merchant of record in fulfilling those requests.9. Contact Information For privacy inquiries or data requests, email us at:hello@aiauma.comAuma | AI Marketing10. Changes to This Policy We may update this policy to reflect new features or legal requirements. Updates will be posted within the app and on our website with an updated "Last updated" date. If changes materially alter your rights, we will provide advance notice via email or in-app notification. By installing or continuing to use Auma | AI Marketing, you acknowledge that you have read and understood this Privacy Policy.