Privacy Policy
Last updated: 14 May 2026
This Privacy Policy explains how Neon Platypus ("we", "us", "our") collects, uses, stores, and shares personal data when you use ShopMage AI and related services (the "Service"). We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
Neon Platypus is the data controller for personal data processed through the Service.
Contact: privacy@neonplatypus.dev
2. Data We Collect
| Category | Data | Purpose | Legal Basis |
|---|---|---|---|
| Account data | Site URL, email address, license key | Account creation, authentication, communication | Contract performance |
| Billing data | Stripe customer ID, subscription status, payment history | Payment processing, subscription management | Contract performance |
| Usage data | API requests, credit consumption, feature usage, timestamps | Service delivery, abuse prevention, analytics | Legitimate interest |
| Technical data | IP address (hashed), WordPress version, WooCommerce version, PHP version, plugin version | Compatibility, debugging, security | Legitimate interest |
| Content data | Product titles, descriptions, images submitted for processing | AI processing, service delivery | Contract performance |
| Feedback data | Support messages, feedback submissions, screenshots | Support, product improvement | Legitimate interest |
| Consent records | Consent timestamps, IP hash, terms version accepted | Legal compliance, audit trail | Legal obligation |
3. How We Use Your Data
We use personal data to:
- Provide, maintain, and improve the Service;
- Process payments and manage subscriptions;
- Communicate with you about your account, updates, or support requests;
- Detect, prevent, and address fraud, abuse, and security issues;
- Comply with legal obligations;
- Develop and improve our AI models and algorithms (using aggregated and anonymised data);
- Enforce our Terms of Service and Acceptable Use Policy.
4. Data Sharing and Third Parties
We share personal data with the following categories of third parties, solely as necessary to provide the Service:
| Category of Recipient | Purpose | Data Shared | Location |
|---|---|---|---|
| Cloud infrastructure provider | Hosting, database, storage | All service data | US |
| Payment processor | Subscription billing | Email, billing info, payment details | US/EU |
| AI processing providers | Text generation, vision processing, image enhancement | Product text and images submitted for processing | US |
The specific sub-processors used in each category may change over time without prior notice. We do not sell your personal data. We may disclose data if required by law, regulation, legal process, or governmental request.
5. International Data Transfers
Your data is processed in the United States. For transfers outside the UK, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable. By using the Service, you acknowledge and consent to the transfer of your data to the US.
6. Data Retention
- Account data: retained for the duration of your account plus 12 months after deletion/termination.
- Billing data: retained for 7 years for tax and legal compliance.
- Usage logs: retained for 90 days, then aggregated/anonymised.
- Content data: processed in real time and not stored beyond the processing request, except where cached temporarily (up to 24 hours) for delivery.
- Consent records: retained for 7 years for audit purposes.
7. Your Rights (UK GDPR)
Under UK data protection law, you have the following rights:
- Access: request a copy of the personal data we hold about you;
- Rectification: request correction of inaccurate data;
- Erasure: request deletion of your data (subject to legal retention requirements);
- Restriction: request restriction of processing in certain circumstances;
- Portability: receive your data in a structured, machine-readable format;
- Objection: object to processing based on legitimate interest;
- Withdraw consent: where processing is based on consent, withdraw at any time.
To exercise any of these rights, contact us at privacy@neonplatypus.dev. We will respond within 30 days.
8. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256);
- Access controls and least-privilege IAM policies;
- Regular security monitoring and logging;
- Hashing of IP addresses before storage;
- Secrets managed via a dedicated secrets manager (never in code or logs).
No system is perfectly secure. We cannot guarantee absolute security and accept no liability for breaches beyond our reasonable control.
9. Children
The Service is not directed to individuals under 18. We do not knowingly collect personal data from children. If we learn we have collected data from a child under 18, we will delete it promptly.
10. Cookies
Our use of cookies is described in our Cookie Policy.
11. Changes to This Policy
We may update this Privacy Policy at any time. Material changes will be notified via email or in-product notice. Your continued use of the Service after changes take effect constitutes acceptance.
12. Complaints
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: ico.org.uk
Helpline: 0303 123 1113
13. Contact
For privacy-related inquiries:
Neon Platypus
Email: privacy@neonplatypus.dev