Privacy Policy

Last updated: June 12, 2026

StoreVane is an AI-assisted commerce operations tool. It helps organize research, store setup, ad planning, connector previews, and profit tracking. It does not run ads, place orders, issue refunds, or change external accounts automatically. This policy explains what personal data we handle, why, the legal basis for it, and which third-party services are involved.

Who Operates This Service

This service is operated by the operator of StoreVane, based in Sweden, who is the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act. For privacy questions or to exercise your data rights, contact us at hello@storevane.com. We aim to respond within 30 days.

Data We Store

Workspace data can be stored in your browser's local storage and, when you sign in, in Supabase under your user account. Workspace data may include niche ideas, product candidates, brand copy, checklist notes, ad drafts, daily performance numbers, connector status, and AI run history. If you create an account, we also store the account identifiers Supabase needs for authentication, such as your email address. If you subscribe to a paid plan, we and our payment processor Stripe also store billing and subscription identifiers (your email, plan, subscription status, and Stripe customer/subscription IDs). We do not see or store your full card number — Stripe handles card data directly.

When you connect a store, we also store order-level data synced from it: order IDs, order dates, amounts and currency, and traffic-source facts for each order (UTM tags, the referring domain, and the landing page). This powers the attribution and profit analytics in the dashboard.

To show repeat-purchase analytics (lifetime value and cohorts), each order is also tagged with a scrambled customer key. The key is produced by a one-way cryptographic function (HMAC-SHA256) with a secret held only on our servers — it lets us recognize that two orders came from the same customer without knowing who that customer is. We never store your customers' names, email addresses, or postal addresses. Honest note: under the GDPR, a scrambled-but-linkable key like this still counts as personal data (pseudonymized data), which is why it is covered by this policy rather than waved away.

Data About Your Store's Customers

For the synced order data and scrambled customer keys described above, the personal data belongs to your store's customers, not to you. For that data, you (the store operator) are the data controller, and this service acts as your processor: we store and process it only on your instructions, to provide the analytics you signed up for, and for no other purpose. Deleting your account deletes this data along with everything else.

Connector Credentials

When you connect an external platform (Shopify, Meta, TikTok, Google Analytics, Stripe, or PayPal), the API keys or tokens you provide are encrypted using AES-256-GCM and stored in a per-user credential vault, isolated by row-level security so that only your account can access them. The encryption keys are held server-side, are never exposed to the browser, and support rotation. Your credentials are used strictly read-only — to fetch data from your connected platforms when you request a preview, when you open an analytics panel, and (on plans with scheduled sync) in background syncs. Order history builds up gradually across these syncs, going back at most 12 months. Your credentials are never used to change anything in your external accounts, are never shared with other users, and can be updated or removed at any time from the Connections screen.

AI And External Services

When you run an AI assistant, selected workspace context is sent to OpenAI's API so it can generate recommendations and proposed dashboard changes. Under OpenAI's API terms, data submitted via the API is not used to train their models. Please do not enter the personal data of your own customers (names, addresses, emails) into AI input fields — this tool is for product, brand, and performance context, not customer records. Live stats previews may call third-party APIs you configure, such as Shopify, Meta and other ad platforms, analytics, and payment providers. These providers process the data you send them under their own terms and privacy policies.

Legal Bases For Processing

Under the GDPR, we process personal data on the following legal bases:

  • Providing the dashboard, storing your workspaces, and running AI — performance of our contract with you (Art. 6(1)(b)).
  • Billing and subscription management — performance of our contract with you (Art. 6(1)(b)).
  • Keeping accounting records of payments — compliance with a legal obligation under Swedish accounting law (Art. 6(1)(c)).
  • Cookieless analytics and performance measurement — our legitimate interest in operating and improving the service (Art. 6(1)(f)).
  • Error monitoring and security — our legitimate interest in keeping the service stable and secure (Art. 6(1)(f)).
  • Storing your encrypted connector credentials — performance of our contract, to deliver the live stats you request (Art. 6(1)(b)).
  • Syncing and analyzing order data from your connected store, including the pseudonymized end-customer analytics — performance of our contract with you (Art. 6(1)(b)) for the order and attribution analytics; for the scrambled customer keys, the legitimate interest in providing repeat-purchase analytics (Art. 6(1)(f)), with HMAC-SHA256 pseudonymization under a server-side secret as the safeguard — no directly identifying customer data is ever stored.

Cookies And Tracking

We do not use advertising, profiling, or cross-site tracking cookies, and we do not show a cookie consent banner because we do not set any non-essential cookies. We use only: strictly necessary storage for sign-in/session and your theme preference; cookieless analytics (Vercel Analytics and Speed Insights) that measure usage without tracking you across sites; and Sentry error monitoring (without session replay). Under the EU ePrivacy rules these are either strictly necessary to run the service you requested or cookieless, so they do not require consent.

Analytics And Error Monitoring

We use Vercel Analytics and Vercel Speed Insights to measure page views and performance, and Sentry to capture errors so we can fix them. These tools collect technical information such as the page visited, approximate location, device and browser type, performance timings, and, when an error occurs, diagnostic details about the request. They run only in production. We do not sell this data or use it for advertising.

Third-Party Sub-Processors

We rely on these providers to operate the service: Vercel (hosting, cookieless analytics, performance monitoring), Supabase (authentication and database), OpenAI (AI generation), Sentry (error monitoring), Stripe (payment processing), and Resend (email delivery of anomaly-alert digests — processing your account email address and the alert content, when you enable alerts). Each processes personal data on our behalf under a data processing agreement. Platforms you connect yourself, such as Shopify and Meta, are not our sub-processors — they are data sources you choose to connect, and they process your data under their own terms.

International Data Transfers

Some of our processors are located outside the European Economic Area (notably in the United States). Where data is transferred internationally, it is protected by appropriate safeguards — Standard Contractual Clauses and/or EU-US Data Privacy Framework certification — as offered by each provider:

  • Vercel — hosting and cookieless analytics (US and EU edge); SCCs / Data Privacy Framework.
  • Supabase — authentication and database (EU region); EU hosting / SCCs.
  • OpenAI — AI generation (US); SCCs / Data Privacy Framework.
  • Sentry — error monitoring (US); SCCs / Data Privacy Framework.
  • Stripe — payments (US); SCCs / Data Privacy Framework.
  • Resend — email delivery of alert digests (US); SCCs / Data Privacy Framework.

Data Retention

Workspace and account data are retained for the life of your account and deleted within 30 days of account deletion. This includes the synced order data and scrambled customer keys: those rows are tied to your account in the database and are deleted automatically with it. Billing and invoice records are retained for approximately seven years to meet Swedish accounting-law obligations. Local browser data persists until you clear it or reset the workspace. Error data (Sentry) and analytics data (Vercel) are retained for those providers' default periods. To request deletion of your account or any of this data, contact us at hello@storevane.com.

Your Rights And Control

AI changes and live stats imports are previewed before they are applied. You can use local browser storage without signing in, sign out of Supabase, reset local workspace data, export your workspace data in-app at any time, or remove stored connector credentials. Under the GDPR you also have the rights of access, rectification, erasure, restriction, portability, and objection to certain processing. To exercise any of them, contact us at hello@storevane.com; we respond within 30 days. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.

Children

This service is intended for business operators and is not directed at children under 16. We do not knowingly collect personal data from children.

Changes To This Policy

As the product evolves, this policy may change. The “Last updated” date above reflects the most recent revision. Material changes will be reflected on this page.

No Profit Guarantee

The dashboard is for organization and decision support only. Ecommerce and dropshipping involve financial, legal, supplier, platform, refund, chargeback, and customer-support risks.