Privacy Policy
Last updated 25 June 2026
This Privacy Policy explains how Assuro, operated by Ravid Efroni, a sole proprietor registered in Austria (“Assuro”, “we”, “us”), collects, uses, and protects personal data when you use our websites and services (the “Service”).
For personal data we process on behalf of our business customers (for example, data inside their account), our customers are the controller and we act as their processor under our Data Processing Agreement. This Policy focuses on personal data for which we are the controller — such as your account and billing data, and visitors to our site.
1. Data we collect
We collect the following categories of personal data:
- Account data — your name and email address, used to create and secure your account (sign-in is by passwordless email link).
- Organization data — business details you enter, such as company name, establishment country, the EU countries you sell into, and VAT number.
- Catalog and compliance data — product information synced from your connected store or uploaded by you, and the compliance details you record. Product data is generally business data rather than personal data.
- Billing data — your subscription and payment status. Card payments are handled by Stripe; we do not store full card numbers.
- Usage and technical data — basic analytics, device/browser information, and server logs, used to operate, secure, and improve the Service.
We do not access your store’s order or end-customer personal data: our Shopify integration requests product access only.
2. How we use data
We use personal data to:
- provide, maintain, and secure the Service and your account;
- process subscriptions and payments;
- send service-related messages, such as sign-in links, deadline reminders, and notices;
- understand usage and improve the Service;
- comply with legal obligations and enforce our terms.
3. Legal bases (GDPR)
Where the GDPR applies, we rely on these legal bases:
- Performance of a contract — to provide the Service you sign up for and to bill you.
- Legitimate interests — to secure, operate, and improve the Service, and for basic product analytics, balanced against your rights.
- Consent — where required, for example certain analytics or marketing; you can withdraw it at any time.
- Legal obligation — to meet accounting, tax, and other legal requirements.
4. Cookies and analytics
We use a small number of strictly necessary cookies to keep you signed in and to operate the Service. We use a privacy-friendly, EU-hosted product analytics tool (PostHog) to understand how the Service is used; we do not record your screen sessions, and analytics profiles are only linked once you are signed in. You can control non-essential cookies through your browser settings.
5. Sharing and sub-processors
We do not sell your personal data. We share it only with service providers (sub-processors) that help us run the Service, under contracts that require them to protect it and use it only on our instructions. Our key sub-processors are:
- Neon — database hosting (EU region).
- Vercel — application hosting and compute.
- Stripe — payment processing.
- Resend — transactional email delivery.
- Inngest — background job and reminder processing.
- PostHog — product analytics (EU region).
- Shopify — the store platform you connect, as your data source.
We may also disclose data where required by law, to protect our rights or users, or in connection with a business transfer such as a merger or acquisition. The current list of sub-processors that handle customer data is maintained in our Data Processing Agreement.
6. Where data is processed
We host data in the European Union where our providers offer it, including our database (Neon, Frankfurt) and analytics (PostHog, EU). Some providers may process limited data outside the EU; where that happens, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.
7. Retention
We keep personal data for as long as your account is active and as needed to provide the Service. After you close your account, we delete or anonymize personal data within a reasonable period, except where we must retain certain records (for example, billing records) to meet legal obligations.
8. Security
We take appropriate technical and organizational measures to protect personal data, including encryption in transit, encryption of sensitive integration tokens at rest, access controls, passwordless authentication, and an audit trail of changes. No system is perfectly secure, but we work to protect your data and to respond promptly to incidents.
9. Your rights
Subject to applicable law, you have the right to access, correct, delete, restrict, or object to the processing of your personal data, and to data portability. Where we rely on consent, you can withdraw it at any time. To exercise your rights, email hello@assuro.io. You also have the right to lodge a complaint with your local data protection authority.
10. Children
The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from anyone under 18.
11. Changes
We may update this Policy from time to time. If we make material changes, we will take reasonable steps to notify you. The “Last updated” date above shows when this Policy was last revised.
12. Contact
The data controller is Ravid Efroni (sole proprietor, Einzelunternehmen), Schönbrunner Straße 211/1/10, 1120 Vienna, Austria. For privacy questions or requests, email hello@assuro.io.