This Privacy Policy explains how UPCODE SRL ("we", "us", "our"), a company incorporated in Romania, collects, uses, stores, and protects information through our Shopify application (the "App") — Lumi. The App helps Shopify merchants ("Merchants") improve the discoverability of their products on search engines and AI-powered search tools by indexing their product catalogue and generating a dynamic sitemap and llms.txt feed.

We act as Data Controller for data we collect directly from Merchants (shop information, indexed product data, app configuration). We do not collect personal data from the Merchant's customers ("End Users").

By installing or using the App you agree to this policy.

• Shop identity: Shopify store domain and Shopify-provided account identifiers.
• Product data (indexed catalogue): Product titles, descriptions, handles, prices, availability, vendor, product type, tags, and image URLs — fetched from the Shopify Admin API and stored to generate your sitemap and llms.txt feed.
• App settings: Index mode (all products or selected), selected product handles, and auto-indexing preferences.
• Index queue records: Job metadata (status, cursor, products indexed count) used to track ongoing indexing tasks. These contain no personal data.
• App usage data: Aggregate metrics used to operate and improve the service.

• We do not collect any personal data about your customers (End Users).
• We do not collect order data, customer names, emails, addresses, or payment information.
• We do not use cookies for tracking or advertising.
• We do not build advertising profiles or sell any data to third parties.
• We do not use your product data for any purpose other than generating discovery feeds for your store.

• To index your products: Product data fetched from the Shopify Admin API is stored in our database and used to generate your sitemap XML and llms.txt feed.
• To generate discovery feeds: Indexed product data is used to produce the dynamic sitemap and llms.txt feed served at your app proxy URLs.
• To manage indexing jobs: Queue records track which products have been indexed and where to resume pagination.
• To operate the service: App settings and shop identity data are used to deliver features correctly to each store.
• To communicate with Merchants: We may send transactional emails (e.g. service updates). We do not send marketing emails without separate consent.
• To improve the service: Aggregated, anonymized usage statistics may be used to improve the App. Your product data is never used to train models or shared with third parties.

As a company established in Romania, we are subject to the EU General Data Protection Regulation (GDPR). Our legal bases for processing data are:

• Contract performance (Art. 6(1)(b)): Processing Merchant account data and product data is necessary to deliver the indexing and discovery feed service.
• Legitimate interests (Art. 6(1)(f)): Processing aggregate usage statistics to operate and improve the service, balanced against Merchant rights by minimizing data retained.
• Legal obligation (Art. 6(1)(c)): Retention of any records required to comply with applicable law.

Authentication and app installation are managed through Shopify's platform. Product data is fetched from the Shopify Admin API using OAuth access tokens granted during installation. Refer to Shopify's Privacy Policy for their data practices.

Indexed product data, app settings, and queue records are stored in MongoDB Atlas. Data is stored within regions compliant with applicable data residency requirements. MongoDB Atlas does not have access to your data beyond storage and retrieval.

• Indexed product data: Retained while the App is installed. Deleted within 30 days of app uninstall.
• App settings: Retained while the App is installed. Deleted within 30 days of app uninstall.
• Index queue records: Completed and failed jobs automatically expire after 7 days via database TTL.
• Shop identity: Retained while the App is installed. Deleted or anonymized within 30 days of uninstall, except where retention is required by law.

If you are located in the EU/EEA or UK, you have the following rights. Contact us at support@upcode.cc. We will respond within 30 days.

• Right of access (Art. 15): Request a copy of data we hold about your store.
• Right to rectification (Art. 16): Request correction of inaccurate data.
• Right to erasure (Art. 17): Request deletion of your data. The simplest way is to uninstall the App.
• Right to restriction (Art. 18): Request that we restrict processing of your data.
• Right to data portability (Art. 20): Request a machine-readable export of your data.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to lodge a complaint: In Romania, the supervisory authority is the ANSPDCP.

We implement appropriate technical and organizational measures to protect data against unauthorized access, alteration, disclosure, or destruction — including encrypted data transmission (HTTPS/TLS), access controls, and automated data expiry. In the event of a breach likely to result in risk to individuals' rights, we will notify the relevant supervisory authority within 72 hours.

Product data is stored in MongoDB Atlas. Depending on your selected region, data may be stored and processed outside the EEA. Any such transfers are safeguarded by standard contractual clauses (SCCs) or equivalent lawful transfer mechanisms. No product data or shop data is transmitted to OpenAI or any AI provider.

The App is directed at business operators (Shopify merchants) and is not intended for use by children under 16 years of age. We do not knowingly collect personal data from children.

We may update this Privacy Policy from time to time. Material changes will be communicated to Merchants via the App or by email at least 7 days before taking effect. The current version is always available at this URL.

• Company: UPCODE SRL
• Country: Romania
• Email: support@upcode.cc