Privacy Policy

Last updated: May 18, 2026

This Privacy Policy explains how OneShopLab ("we", "our", or "us") collects, uses, shares, and protects personal data when you use the website at https://oneshoplab.com and the OneShopLab application (collectively, the "Service"). It applies to users in the European Economic Area (EEA), the United Kingdom, and worldwide. By using the Service, you acknowledge that you have read this Privacy Policy.

For the purposes of the EU General Data Protection Regulation ("GDPR") and equivalent local laws, OneShopLab is the data controller for the personal data described below.

1. Data We Collect

1.1 Account data

When you sign up, we collect your email address, your display name (optional), and a hashed password (we never store your password in clear text). You may alternatively sign in with Google via OAuth 2.0; in that case Google shares with us the email address, display name, profile picture URL, and a Google account identifier under the standard OpenID profile scope, and we link them to your OneShopLab account. You can stop using Google sign-in at any time by setting a OneShopLab password and revoking the OneShopLab application from your Google account permissions.

1.2 Billing data

When you subscribe or purchase a credit pack, you provide payment information directly to Stripe, Inc., our payment processor. We do not see or store your full card number. We do receive from Stripe a customer identifier, the last four digits of your card, the card brand, the country of issue, your billing address, and the status of your subscription and invoices.

1.3 Storefront and product data

When you connect a store, we collect publicly accessible data from that store (product titles, descriptions, prices, images, tags, vendor, type, URLs), and we may also store the access token or API key you provide for authenticated platforms. We use this data exclusively to perform audits and AI-powered optimisations on your behalf.

1.4 Generated content

We store the prompts you enter, the parameters you choose, and the AI-generated outputs (titles, descriptions, tags, images), together with timestamps and the model used. This is necessary to display history, allow re-runs, and operate the Service.

1.5 Usage and technical data

We collect technical information about your use of the Service: IP address, browser type and version, operating system, device type, language, the pages you visit, the actions you perform (e.g. starting an audit, generating content), timestamps, and referrer URLs. We collect this data through server logs, edge logs, and minimal in-app instrumentation.

1.6 Communications

When you contact us by email or through a support form, we retain your message and our reply, along with any information you choose to share.

1.7 Cookies and similar technologies

We use a small set of cookies and equivalent local-storage values that are strictly necessary to operate the Service, namely: an authentication cookie that keeps you signed in, a CSRF token, a locale cookie that remembers your preferred language, a theme cookie that remembers your light/dark choice, and an anonymous-audit token that lets first-time visitors run a public audit without creating an account.

We do not use third-party advertising cookies or analytics that track you across other websites. With your prior consent only, we use a privacy-configured analytics cookie for aggregate audience measurement (see Section 1.8); you can refuse it from the cookie banner with no impact on the Service. Stripe sets its own cookies on payment pages, governed by Stripe's own policy. Google reCAPTCHA sets its own cookies where enabled (see Section 1.9 below).

1.8 Analytics (consent-based)

With your prior consent, we use Google Analytics 4 (provided by Google LLC) to measure aggregate usage of the Service — for example which pages and languages attract visitors and how many of them create an account. The analytics cookie is not set unless you accept it in the cookie banner; you can refuse it, or change your mind later by clearing the consent stored in your browser, with no impact on the Service. We configure Google Analytics with IP anonymisation enabled and Google advertising and cross-site signals disabled, so the data serves aggregate audience measurement only and is not used for advertising. This processing is governed by the Google Privacy Policy.

1.9 Anti-bot verification (reCAPTCHA)

Our signup page and the public free-audit page are protected by Google reCAPTCHA v2 ("I'm not a robot" checkbox). When you interact with the checkbox, your browser sends environmental and behavioural data to Google (e.g. mouse movements, IP address, browser/device fingerprint, referrer, and reCAPTCHA cookies set on google.com). Google uses this data to determine whether you are a human and to combat spam and abuse on its and our services. We receive only a binary verification token which we forward to Google for confirmation; we do not see the underlying signals. This processing is governed by the Google Privacy Policy and Google Terms of Service.

2. How We Use Your Data

We use the categories above to:

  • Operate, maintain, and secure the Service;
  • Authenticate you, manage your account, and provide customer support;
  • Run audits and AI generations you request, and store the outputs for your access;
  • Bill you for subscriptions and credit packs, prevent fraud, and meet our tax and accounting obligations;
  • Send you transactional notifications (e.g. receipts, password resets, important Service updates);
  • Improve the Service through aggregated, de-identified usage metrics;
  • Measure aggregate audience with privacy-configured analytics, only where you have given your consent;
  • Comply with legal obligations and respond to lawful requests from public authorities.

3. Legal Bases (GDPR)

We rely on the following legal bases under Article 6 GDPR to process your personal data:

  • Performance of a contract — to provide the Service you have asked us to deliver (account, audits, generations, billing).
  • Legitimate interests — to secure the Service, prevent abuse, debug and improve the product, and operate our business. We balance these against your rights and interests.
  • Legal obligation — to comply with tax, accounting, anti-fraud, and other applicable laws.
  • Consent — for optional processing that requires it, namely analytics cookies (Section 1.8), and marketing emails if we add them. You may withdraw consent at any time; this does not affect the lawfulness of prior processing.

4. Sub-processors and Recipients

To operate the Service, we share necessary data with carefully selected sub-processors. They process personal data on our instructions and under contracts that include GDPR-compliant safeguards (including Standard Contractual Clauses where the processor is outside the EEA).

Sub-processor | Purpose | Location
OVH | Hosting (web server, database) | France (EU)
Stripe, Inc. | Payment processing, fraud prevention | USA (with EU representative)
Cloudflare, Inc. | Object storage (R2) and DNS | Global (EU edge available)
kie.ai | AI gateway, routing prompts to model providers | USA
Anthropic, PBC | Claude (text generation), via kie.ai | USA
Google LLC | Gemini (text generation, via kie.ai); Google Sign-In (OAuth, optional sign-in method); Google reCAPTCHA (anti-bot verification on signup and the free-audit page); Google Analytics 4 (aggregate audience measurement, only with your consent) | USA / EU
OpenAI, L.L.C. | gpt-image (image generation), via kie.ai | USA
Sendinblue SAS (Brevo) | Transactional email relay (e.g. password reset) | France (EU)
Hostinger / domain registrar | DNS for the public hostname | EU

We share with these processors only the minimum data necessary for the stated purpose. AI providers receive your prompts and the relevant Input Content for the duration of the generation and may retain it for limited periods to detect abuse, as described in their own policies. We do not sell personal data, and we do not share it with third parties for their independent marketing purposes.

5. International Transfers

Some of our sub-processors are located outside the EEA. When transferring personal data internationally, we rely on appropriate safeguards under Articles 44-49 GDPR, including the European Commission's Standard Contractual Clauses, on adequacy decisions where they apply, and on additional technical and organisational measures (encryption in transit and at rest, minimisation of identifiers in prompts).

6. Data Retention

We keep personal data only as long as necessary for the purposes described above and to comply with legal obligations:

  • Account data: as long as your account is active. After deletion, residual records may persist in backups for up to 90 days.
  • Storefront, prompts, and generated content: as long as the corresponding project exists in your account, or until you delete it.
  • Billing records: up to 10 years, as required by French commercial and tax law.
  • Server and security logs: typically 30-90 days, longer if retained for security incident investigation.
  • Anonymous audit data: associated with an anonymous cookie token; retained until expiry of that token (currently 90 days).
  • Analytics data: collected only with your consent and retained for the period configured in our Google Analytics 4 property (by default up to 14 months for user-level records), then automatically deleted by Google.

When we no longer need personal data, we delete or anonymise it.

7. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you and obtain a copy;
  • Rectify inaccurate or incomplete personal data;
  • Erase your personal data (the "right to be forgotten"), subject to retention obligations;
  • Restrict or object to processing in certain situations, including where we rely on legitimate interests;
  • Portability — receive your personal data in a structured, machine-readable format, and transmit it to another controller;
  • Withdraw consent at any time where processing is based on consent;
  • Lodge a complaint with your supervisory authority. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL), www.cnil.fr.

To exercise these rights, email us at contact@oneshoplab.com. We will respond within one month, extendable by two further months for complex requests.

8. Security

We use industry-standard security measures to protect your data, including TLS encryption in transit, encryption at rest for sensitive fields, hashed passwords (bcrypt), strict access controls, sub-processor due diligence, and regular dependency updates. No system is perfectly secure: we encourage you to use a strong unique password, enable two-factor authentication where available, and report any suspected security issue to contact@oneshoplab.com.

9. AI-Specific Disclosures

The Service routes your prompts and selected Input Content to third-party AI providers (currently kie.ai, which proxies to Anthropic, Google, and OpenAI). Those providers process your input to generate the requested output. Per our agreements with these providers and their public policies:

  • Your prompts and Input Content are not used to train their general-purpose models without explicit opt-in;
  • They may retain prompts and outputs for limited periods (up to 30 days for most providers) for safety and abuse prevention;
  • We minimise the personal data sent to AI providers; we do not send account identifiers, billing data, or unrelated user information.

You should avoid pasting sensitive personal data of third parties (e.g. customer names, emails) into prompts unless you have a valid legal basis to do so.

10. Children

The Service is not directed to individuals under 16 years of age, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will take appropriate steps to delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice on the Service before the changes take effect. The "Last updated" date at the top of this page indicates the latest revision.

12. Contact

For any privacy-related question or to exercise your rights, contact us at contact@oneshoplab.com.