Solaxis AI
Privacy Policy
1. Introduction and Scope
This Privacy Policy explains how Solaxis AI LLC, a California limited liability company with its principal office at 254 Howes Dr, Los Gatos, CA 95032 ("Solaxis AI," "we," "us," or "our"), collects, uses, shares, and protects personal information in connection with the Solaxis AI platform and related services (the "Service").
Solaxis AI is a multi-tenant software-as-a-service platform that runs AI-managed commerce and marketing operations — including store audits, content generation, creator outreach, conversion-rate optimization, media production, and daily briefings — on behalf of ecommerce merchants and brands. This policy applies to (i) the account holders, merchants, brands, and agencies who use the Service (each, a "Customer," "you," or "your"); (ii) visitors to our public websites; and (iii) the individuals whose personal data we process on a Customer's behalf when a Customer connects a third-party platform to the Service.
Depending on where you and your customers are located, the General Data Protection Regulation ("GDPR"), the United Kingdom GDPR ("UK GDPR"), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA") may apply to the personal information described in this policy. This Privacy Policy should be read together with our Terms of Service and our Cookie Policy.
2. Who We Are
Solaxis AI LLC is the entity responsible for the Service. For the purposes of GDPR and UK GDPR, our identity and contact details are:
- Entity: Solaxis AI LLC, a California limited liability company.
- Principal office: 254 Howes Dr, Los Gatos, CA 95032, United States.
- Privacy contact: admin@solaxis.ai — our single monitored mailbox for all privacy inquiries and rights requests.
You can reach us at the address or email above to ask questions about this policy or to exercise the privacy rights described in Section 11.
3. Our Two Roles
Because Solaxis AI is a business-to-business platform, we act in two distinct capacities, and your rights and our obligations differ depending on which capacity applies to a given category of data.
3.1 Controller — Your Account and Usage Data
We act as a data controller for the personal information that relates to your relationship with us as a Customer — for example, your account and identity details, your billing and subscription records, and the usage, device, and telemetry data generated as you operate the Service. For this data, we determine the purposes and means of processing, and we are directly responsible to you under applicable privacy laws.
3.2 Processor — End-User Data We Handle for You
We act as a data processor (a "service provider" under the CCPA) for the personal data of your own customers and end users that we ingest from the platforms you connect ("End-User Data"). For this data, you are the controller and we process it only on your documented instructions and as necessary to provide the Service. You are responsible for establishing a lawful basis to collect that data and to engage us to process it. Where required, our processing of End-User Data is governed by a data processing addendum that supplements our Terms of Service.
Throughout this policy, "Merchant Data" means the business and operational data a Customer uploads to, or connects to, the Service (such as catalog, order, campaign, and analytics data), which may itself contain End-User Data.
4. Information We Collect
4.1 Identity and Account Information
When you create an Account, we collect your name, email address, business name, business website, account type (commerce, brand, or agency), and, where applicable, your phone number. We also collect authentication data, including passwords stored as scrypt hashes, multi-factor authentication enrollment and recovery codes, and audit logs of authentication and security events.
4.2 Billing Information
Billing is handled by our payment processors. Direct signups are billed through Stripe; Shopify App Store installs are billed through Shopify Billing / Shopify App Pricing. Solaxis AI does not store full payment card numbers — those are collected and processed by Stripe or Shopify under their own terms. We retain only billing metadata such as a customer identifier, subscription identifier, plan and status, the last four digits and brand of the payment method, and invoice ledger records.
4.3 Usage, Device, and Telemetry Data
As you use the Service, we automatically collect operational data including request and access logs, agent execution events, performance metrics, error reports, IP address, browser and device user-agent, approximate location derived from IP address, and timestamps. We use this data to operate, secure, support, and improve the Service.
4.4 Merchant Data from Connected Platforms
When you authorize a connection, we store the connection credentials and access tokens for the platforms you choose to link — which may include commerce platforms (Shopify, WooCommerce, Etsy, eBay, Amazon, Wix) and marketing and analytics platforms (Meta Ads, Google Analytics 4, TikTok, Instagram, YouTube, Reddit, X, and Klaviyo). We read — and, where you permit and the platform allows, write — your storefront catalog, orders, customer records, fulfillments, theme, campaigns, and performance metrics, only to the extent necessary to deliver the Service. Access tokens and API secrets are encrypted at rest.
4.5 End-User Data Processed for Merchants
To deliver audits, attribution, conversion-rate optimization, and creator-performance features, we process End-User Data drawn from your connected platforms — for example, order history, contact details (such as email and shipping address where the source platform permits), purchase and conversion events, and aggregated funnel signals. We process this data as your processor and not for our own purposes.
4.6 Cookies and the Conversion Pixel
We use a first-party analytics identifier, _opal_cid, with a lifetime of 90 days, to measure conversion attribution. We honor browser Do Not Track ("DNT") signals. A full description of the cookies and similar technologies we use is set out in our Cookie Policy.
4.7 Communications
When you contact us for support, respond to a survey, or otherwise communicate with us, we collect the contents of those communications and the metadata associated with them.
5. How and Why We Use Information
We use the information described above to:
- Provide and maintain the Service — run audits, generate content, dispatch outreach, score creators, compute attribution, produce media and daily briefings, and render dashboards.
- Administer billing and accounts — charge subscription fees through Stripe or Shopify Billing, issue invoices and receipts, and manage renewals and cancellations.
- Communicate with you — send transactional messages (such as login codes, billing notices, and security alerts) and product updates. You may opt out of non-essential product updates at any time.
- Secure the Service and prevent abuse — detect and block fraud, abuse, brute-force attempts, and violations of our Acceptable Use Policy.
- Provide support — investigate and resolve issues you report.
- Comply with legal obligations — meet our tax, accounting, and regulatory duties, respond to lawful requests, and enforce our agreements.
- Improve the Service — analyze aggregated usage and performance to maintain reliability and develop new features, subject to the AI commitment in Section 7.
6. Legal Bases for Processing
Where the GDPR or UK GDPR applies, we rely on the following legal bases under Article 6 for processing the personal information for which we act as a controller:
- Performance of a contract — to create and administer your Account, deliver the Service, and process billing.
- Legitimate interests — to secure the Service, prevent fraud and abuse, provide support, and improve and develop our products, where those interests are not overridden by your rights and freedoms.
- Consent — for optional cookies and similar technologies and for certain marketing communications, which you may withdraw at any time.
- Legal obligation — to comply with applicable law, including tax, accounting, and lawful-request requirements.
For End-User Data, the lawful basis is established by you as the controller; we process that data on your behalf and on your instructions.
7. AI Processing
The Service uses third-party artificial-intelligence providers — Anthropic (Claude) and OpenAI — to perform reasoning, content generation, transcription, and related inference tasks. We submit only the data necessary to perform the requested operation, and we call these providers under their respective no-training and zero-retention commitments for API traffic.
We do NOT train AI models on your data. We do not train, fine-tune, or otherwise improve any artificial-intelligence model using Customer, Merchant, or End-User Data, and our AI sub-processors are contractually committed not to use data submitted through their APIs to train their models.
8. Sub-Processors
We engage a limited set of trusted sub-processors to help us deliver the Service. Each is bound by a contract that requires it to protect the data we share and to process it only for the purposes we specify. Our current sub-processors are:
- Stripe — payment processing and subscription billing.
- Anthropic — AI inference (Claude) for reasoning, content generation, and decision support.
- OpenAI — AI inference for transcription, embeddings, and selected generation tasks.
- Resend — delivery of transactional email.
- Railway — cloud hosting infrastructure (United States data centers).
In addition, the third-party commerce and marketing platforms you connect — including Shopify, WooCommerce, Etsy, eBay, Amazon, Wix, Meta Ads, Google Analytics 4, TikTok, Instagram, YouTube, Reddit, X, and Klaviyo — act as sources of, and recipients of, the data we exchange on your behalf when you authorize those connections. Their handling of your data is governed by their own privacy terms.
9. How We Share and Disclose Information
We do not sell personal information, and we do not use End-User Data to advertise to your customers. We disclose information only in the following circumstances:
- Sub-processors — with the providers listed in Section 8, under contract and only as needed to deliver the Service.
- Platforms you authorize — with the third-party platforms you direct us to act on (for example, to publish content or apply changes through your connected platform tokens).
- Legal and safety — when required by law, court order, or lawful government request, or where reasonably necessary to enforce our agreements, investigate fraud, or protect the rights, property, or safety of Solaxis AI, our users, or the public.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, with at least 30 days' advance notice if your personal information will be transferred and become subject to a materially different privacy policy.
10. International Data Transfers
Solaxis AI is operated from the United States, and your information will be processed in the United States and in other countries where our sub-processors operate. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, to protect that data.
11. Your Privacy Rights
11.1 EEA and UK (GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the right to access your personal data; to rectify inaccurate data; to erase data (the "right to be forgotten"); to restrict processing; to data portability; to object to processing carried out on the basis of legitimate interests; and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority. To exercise these rights, contact admin@solaxis.ai.
Where we process End-User Data as a processor on a Customer's behalf, individuals should direct their requests to the relevant Customer (the controller); we will assist that Customer in responding as required by law.
11.2 California (CCPA/CPRA)
If you are a California resident, you have the right to know and access the personal information we collect about you, to request its deletion, to correct inaccurate information, and to opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA. We will not discriminate against you for exercising any of your privacy rights. You may submit a request, including through an authorized agent, by contacting admin@solaxis.ai.
11.3 How We Handle Requests
We will verify your identity before acting on a request and will respond within the timeframes required by applicable law. For data flowing through connected platforms (for example, Shopify-mediated customer data-request and redaction events), we process those requests in accordance with the relevant platform's contractual requirements and the mandated timeframes.
12. Data Retention
We retain account and Merchant Data for as long as your Account is active. After cancellation, we retain that data for approximately 90 days to support reactivation, after which it is permanently deleted, except where a longer retention period is required. We retain billing records and audit logs for longer periods (typically up to seven years) where required by tax, accounting, or compliance obligations.
End-User Data is retained according to your configuration plus the 90-day post-cancellation grace period. Where a connected platform triggers a redaction or deletion event, we initiate the corresponding cascading deletion across our systems.
13. Security
We implement administrative, technical, and organizational safeguards designed to protect personal information, including:
- Encryption at rest — AES-256-GCM encryption for credentials, OAuth tokens, and sensitive fields.
- Encryption in transit — TLS for all API and dashboard traffic.
- Access controls — role-based access controls and per-tenant isolation enforced at the application, database, and queue layers.
- Authentication safeguards — multi-factor authentication (required for elevated roles), HMAC-signed webhooks with constant-time verification, and audit logging of authentication and sensitive actions.
No method of transmission or storage is perfectly secure. In the event of a personal-data breach affecting your information, we will notify you and the applicable regulators within the timeframes required by law.
14. Cookies and Tracking
Our use of cookies, the _opal_cid first-party pixel, and similar technologies, including how we honor Do Not Track, is described in our Cookie Policy.
15. Children's Privacy
The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from children under the age of 16. Some Customers operate in age-restricted verticals (for example, Opal Collective, a premium smoking-accessories merchant); responsibility for age-gating and for compliance with the laws governing such verticals rests with the Customer. If you believe a child has provided us with personal information, contact us at admin@solaxis.ai and we will delete it.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will communicate them by email and/or an in-dashboard notice at least 30 days before they take effect. The date this policy was last updated is shown above. This Privacy Policy is governed by the laws of the State of California, without regard to its conflict-of-laws principles.
17. How to Contact Us and Exercise Your Rights
For privacy questions, or to exercise any of the rights described in Section 11, contact us at admin@solaxis.ai or write to Solaxis AI LLC, 254 Howes Dr, Los Gatos, CA 95032, United States. For related terms, see our Terms of Service and our Cookie Policy.