Privacy Policy

This Privacy Policy explains what data Darwiny ("Darwiny", "we") collects about you and about visitors to your storefront, how we use it, and the choices you have.

Data controller

The data controller for the purposes of GDPR is Darwiny, Flæsketorvet 68, 1. sal, 1711 Copenhagen, Denmark. Contact: support@darwiny.ai.

1. Data we collect

From merchants (you)

• Account info: email, authentication tokens, profile data.
• Billing info: handled by Stripe; we store only the customer and subscription identifiers, not card data.
• Store metadata: domain, product URLs, product titles, and images.
• Usage data: pages visited in the dashboard, feature interactions, error reports.

From your storefront visitors

• A first-party cookie (_dg_vid) containing a random visitor UUID.
• Which variation was shown, and anonymous counters: impressions, add-to-cart, checkout, purchase.
• Order totals and the darwiny_variation_id note_attribute on the order — for revenue attribution via the merchant-configured Shopify webhook.

2. Data we do not collect

From your storefront visitors we do not collect names, email addresses, shipping addresses, payment details, or any other PII. We do not fingerprint devices and do not share visitor data with advertising networks.

3. How we use data

• Operate and improve the Service.
• Bill you for paid plans and prevent fraud.
• Send transactional emails (OTP codes, install instructions, billing receipts).
• Debug and monitor the system (error reports via Sentry).
• Aggregated product analytics (PostHog) with inputs masked by default.

4. Subprocessors

• Supabase — auth and database hosting (EU region)
• Stripe — payments and subscription billing
• Resend — transactional email
• Vercel — application hosting
• Azure — worker hosting
• Sentry — error monitoring
• PostHog — product analytics (EU region)

5. Data retention

Experiment, store, and account data are retained for the life of your account. When you delete your account by emailing support@darwiny.ai we remove your data within 30 days, except where retention is required by law (e.g. invoicing records).

6. Cookies

The loader sets one first-party functional cookie on your storefront (_dg_vid) to keep a visitor on the same variation across visits. It is not used for cross-site tracking. The dashboard uses functional cookies for authentication and session state. We respect Shopify's Customer Privacy API: if a visitor has not consented on a store that enforces consent, the loader does not set the cookie.

7. Your rights

Depending on where you live you may have rights to access, correct, port, or delete your personal data, object to processing, and withdraw consent. EU/UK residents have additional rights under GDPR/UK-GDPR. California residents have rights under the CCPA. To exercise any right, email support@darwiny.ai.

8. International transfers

We primarily host data in the EU. Some subprocessors (Stripe, Resend, Sentry) may process data outside the EU under Standard Contractual Clauses or equivalent safeguards.

9. Security

We use industry-standard controls: TLS for data in transit, encrypted storage at rest, row-level security for per-account data isolation, and scoped access tokens. Despite these measures no system is perfectly secure; you use the Service at your own risk.

10. Changes

We may update this policy. Material changes will be announced by email at least 14 days before they take effect.

11. Contact

Privacy questions: support@darwiny.ai.