Platform
For BrandsFor Agencies
Solutions
E-commerce ManagerPPC SpecialistEmail MarketerMerch & PlanningManagementAgency Teams
ServicesPricing7-Day Free TrialSign in

Privacy Policy

About This Policy

Automatik ("ATMK," "we," "us," or "our") is an AI-powered analytics platform available at tryautomatik.com and on the Shopify App Store. We connect Shopify, Meta Ads, Google Ads, and Klaviyo so that direct-to-consumer (DTC) brands and agencies can track MER, blended CAC, ROAS, LTV, profit & loss, and cohort performance in real time, delivered through a natural-language AI interface with minimal dashboards, no spreadsheets, or data team required.

This Privacy Policy explains how we collect, use, share, and protect personal information, and outlines your rights under the GDPR, CCPA/CPRA, and PIPEDA.

Questions? Contact us at contact@tryautomatik.com

1. Who We Are & Our Role

Automatik acts in different legal capacities depending on the data involved:

Merchant customer data processed on our platform (Shopify orders, ad-spend, Klaviyo metrics): We act as the Data Processor / Service Provider. The merchant is the Data Controller / Business.

Data collected directly from platform users (account info, billing, usage logs): We act as the Data Controller / Business and determine the purposes and means of processing.

2. What We Collect & Why

We collect the minimum data necessary to deliver our services:

Identifiers — Name, email, IP address, account ID, Shopify store URL. Used for account creation, authentication, and access.

Commercial Information — Shopify order history, subscription tier, billing records. Used for service delivery, billing, and analytics.

Ad & Marketing Data — Meta Ads and Google Ads spend, ROAS, CAC (read-only API). Used for AI-powered insights and MER / blended performance.

Email Platform Data — Klaviyo subscriber metrics, campaign performance (read-only). Used for cross-channel analytics, LTV, and cohort analysis.

Internet / Electronic Activity — Pages viewed, features used, session data, browser type. Used for platform improvement and security monitoring.

Geolocation (General) — Country / region inferred from IP address. Used for compliance routing and regional features.

Professional / Employment — Business name, role, website URL. Used for account onboarding.

Sensitive — Financial — Billing details tokenised via Stripe (no raw card data stored). Used for payment processing only.

3. Lawful Basis for Processing (GDPR)

For users in the EEA or UK, we rely on the following legal bases under Article 6 GDPR:

  • Account registration & management — Contract (Art. 6(1)(b))
  • Platform analytics & AI insight generation — Legitimate Interests (Art. 6(1)(f))
  • Billing & payment processing — Contract (Art. 6(1)(b))
  • Marketing & product communications — Consent (Art. 6(1)(a))
  • Security monitoring & fraud prevention — Legitimate Interests (Art. 6(1)(f))
  • Legal & regulatory obligations — Legal Obligation (Art. 6(1)(c))

4. How We Use Your Data

  • Deliver the Automatik platform — unifying Shopify, Meta Ads, Google Ads, and Klaviyo data to generate AI-powered insights and recommendations.
  • Compute and display MER, blended CAC, ROAS, LTV, profit & loss, and cohort analysis in real time.
  • Respond to natural-language queries about your store with instant AI answers.
  • Manage your account, process payments, and provide customer support.
  • Improve platform performance and AI model accuracy using aggregated or de-identified data wherever possible.
  • Send transactional emails (onboarding, billing) and, where consented, product updates or marketing communications.
  • Comply with legal obligations and protect the security and integrity of our platform.

We do not sell your personal information. We do not use merchant customer data for our own commercial benefit beyond service delivery.

5. Data Sharing & Sub-Processors

We share personal information only with the following categories of recipients, and only as necessary to deliver our services:

  • Cloud Infrastructure — AWS (Amazon Web Services), for hosting, storage, and compute.
  • Payment Processing — Stripe, for billing and subscription management.
  • E-Commerce Integration — Shopify Partner API, for order and store data access (read-only).
  • Ad Platform APIs — Meta and Google, for ad-spend data retrieval (read-only).
  • Email Platform API — Klaviyo, for email metric retrieval (read-only).
  • Analytics & Monitoring — Internal tooling, for platform reliability and security.

All sub-processors are bound by Data Processing Agreements (DPAs) or equivalent contractual safeguards that prohibit them from using data for any purpose other than providing services to Automatik.

6. International Data Transfers

Automatik is operated from Canada (British Columbia) and uses infrastructure providers in the United States. When personal data is transferred outside the EEA or UK, we rely on:

  • Standard Contractual Clauses (SCCs) — our primary mechanism for EEA/UK-to-Canada and EEA/UK-to-US transfers.
  • Adequacy decisions — where the European Commission has recognised a country's data protection as adequate.
  • Comparable protection — for PIPEDA-governed transfers, recipients must provide protection consistent with Canadian privacy law.

7. Data Retention

We retain personal information only for as long as necessary for the purposes described in this policy, or as required by law. Upon account closure, data is deleted or anonymised securely. Breach logs are retained for a minimum of 24 months in accordance with PIPEDA obligations.

8. Your Privacy Rights

Depending on where you are located, the following rights may apply to you. The frameworks under which each right applies are noted in brackets.

  • Access — Request a copy of personal data we hold about you. (GDPR, CCPA, PIPEDA)
  • Rectification / Correction — Correct inaccurate or incomplete data. (GDPR, CCPA, PIPEDA)
  • Erasure / Deletion — Request deletion of your personal data. (GDPR, CCPA)
  • Restriction — Limit how we process your data in certain cases. (GDPR)
  • Portability — Receive your data in a machine-readable format. (GDPR)
  • Objection — Object to processing based on legitimate interests. (GDPR)
  • Withdraw Consent — Opt out of consent-based processing at any time. (GDPR, CCPA, PIPEDA)
  • Opt-Out of Sale / Sharing — We do not sell data; this is preserved by policy. (CCPA)
  • Limit Sensitive Data Use — Restrict use of sensitive personal information. (CCPA)
  • Non-Discrimination — No penalty for exercising your rights. (CCPA)

How to Submit a Request

  1. Submit — Email contact@tryautomatik.com.
  2. Acknowledge — We confirm receipt within 2–10 business days.
  3. Verify — We confirm your identity before fulfilling the request.
  4. Fulfil — GDPR: 30 days · CCPA: 45 days (extendable) · PIPEDA: 30 days.
  5. Document — All requests are logged with the action taken and completion date.

9. Security Safeguards

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Role-based access controls (RBAC) and principle of least privilege
  • Quarterly access reviews and full audit logging for all data access and admin actions
  • Annual penetration testing or third-party security audits
  • Incident response plan with defined breach notification timelines
  • Secure, read-only API access to Shopify, Meta Ads, Google Ads, and Klaviyo — we never modify source data

10. Data Breach Notification

  • GDPR — Notify the relevant supervisory authority within 72 hours; notify affected individuals without undue delay if high risk.
  • CCPA / CPRA — Notify the California Attorney General and affected consumers in an expedient manner.
  • PIPEDA — Report to the Office of the Privacy Commissioner of Canada (OPC) for breaches posing real risk of significant harm; notify individuals as soon as feasible.

All breaches are documented internally regardless of severity. Breach logs are retained for a minimum of 24 months.

11. Cookies & Tracking

We use essential cookies and similar technologies to operate the platform (session management, authentication). We may use analytics cookies to understand how the platform is used. We do not use cookies for cross-context behavioural advertising and do not share data with third-party advertising networks for targeting purposes.

12. Children's Privacy

Automatik is a business analytics platform intended solely for commercial use by e-commerce merchants and their teams. We do not knowingly collect personal information from individuals under the age of 18.

13. "Do Not Sell or Share My Personal Information"

Automatik does not sell or share personal information with third parties for cross-context behavioural advertising. This commitment is reflected in all contracts with our third-party service providers and reviewed on an annual basis.

14. Changes to This Policy

We review this Privacy Policy at least annually or upon any significant product or regulatory change. When we make material changes, we will notify you by email or via an in-platform notice prior to the effective date. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

© 2026 Automatik Technology Inc. All rights reserved. · tryautomatik.com

‍

support@tryautomatik.com
Get Started Free
Home
AboutPressCareersPrivacy PolicyLegal
Product
Free AuditFor BrandsFor AgenciesBlog
Support
Help CenterSign In
Sign upFind an agencyForgot password
Automatik Technology Inc. | All rights reserved. 2026.