legal

privacy policy

last updated: April 26, 2026

We at Amboras take the protection of your personal data very seriously. This privacy policy explains how we collect, use, and protect your information when you use our AI-powered Shopify store builder platform.

1. Controller and Data Protection Officer

The controller responsible for data processing is:

Amboras Inc.
1111B S Governors Ave
STE 84587
Dover, DE 19904, United States
Email: contact@amboras.com

2. Data We Collect

2.1 Account Information

When you create an account, we collect: name, email address, password (encrypted), company name, and billing information.

2.2 Store Data

We collect information about your Shopify stores, including store content, themes, customizations, and API credentials (encrypted).

2.3 Usage Data

We automatically collect information about how you use our platform, including IP address, browser type, device information, pages visited, and features used.

2.4 AI Interaction Data

We collect your prompts, commands, and interactions with our AI system to provide and improve our services.

3. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and maintain our AI-powered store building services
  • To process your payments and manage your subscription
  • To communicate with you about your account and our services
  • To improve and personalize your experience
  • To train and improve our AI models
  • To detect and prevent fraud and abuse
  • To comply with legal obligations
  • To send you marketing communications (with your consent)

4. Legal Basis for Processing

We process your personal data based on:

  • Contract performance: To provide our services to you
  • Legitimate interests: To improve our services and prevent fraud
  • Legal obligations: To comply with laws and regulations
  • Consent: For marketing communications and certain data processing activities

5. Data Sharing and Disclosure

We may share your data with:

Sub-Processors

We work with the following third parties to operate the service. Each is bound by a written data-processing agreement and may only process your personal data on our documented instructions:

  • Hosting & infrastructure: Fly.io (application hosting), Vercel (frontend hosting), Supabase (managed PostgreSQL, authentication), GitHub (source-code storage for per-store forks).
  • Product analytics: PostHog — we use PostHog on amboras.com to measure feature usage, diagnose bugs, and improve the product. See Section 9 for details.
  • Payments: Stripe (subscription billing, payment methods, invoices). We never receive or store your full card number.
  • Transactional email: Resend (account, billing, and support emails).
  • AI processing: Anthropic (Claude models), OpenAI (speech-to-text via Whisper). These providers do not use your prompts or content to train their own models.
  • Customer support: Intercom (in-app chat), Slack (internal support routing).
  • Error monitoring: Sentry and Datadog (crash reports and request-level performance data).

We may add or replace sub-processors as the service evolves. If a change materially expands how your data is processed, we will update this policy per Section 13.

Shopify

We integrate with Shopify's APIs to provide our services. Your Shopify data is subject to Shopify's privacy policy.

Legal Requirements

We may disclose your data if required by law or to protect our rights and safety.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and audits
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response procedures

7. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations. Account data is retained for the duration of your subscription plus 90 days. Usage data is retained for up to 2 years. You can request deletion of your data at any time.

8. Your Privacy Rights

8.1 California Residents (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of your personal information
  • Right to Limit: Limit the use and disclosure of sensitive personal information
  • Right to Non-Discrimination: Exercise your privacy rights without discriminatory treatment
  • Right to Data Portability: Receive your personal data in a portable, machine-readable format

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

To exercise these rights, contact us at contact@amboras.com or use our Do Not Sell or Share My Personal Information form.

8.2 Other U.S. State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights to access, delete, correct, and opt out of certain data processing activities. Contact us to exercise these rights.

8.3 All Users

Regardless of location, you may:

  • Access and update your account information through your account settings
  • Opt out of marketing communications by clicking “unsubscribe” in our emails
  • Request data deletion by contacting us at contact@amboras.com

8.4 Verification Process

To protect your privacy, we will verify your identity before processing rights requests. We may ask for additional information to confirm your identity. We will respond to verified requests within 45 days (or as required by applicable law).

9. Cookies, Analytics, and Tracking

9.1 Cookies on amboras.com

We use a small number of first-party cookies and equivalent browser-storage technologies strictly to operate the service:

  • Authentication cookies: keep you signed in and protect against session hijacking. Strictly necessary — the site will not function without them.
  • Consent-state cookies: remember your choices in our cookie banner so we don't show it on every visit.
  • Product-analytics cookies: PostHog uses a first-party cookie to measure usage (see 9.2). Set only after you consent where consent is required.

You can clear cookies at any time via your browser settings. If you reject non-essential cookies, the product will still work but our ability to diagnose bugs you hit and improve the experience is reduced.

9.2 Product Analytics (PostHog)

We use PostHog to understand how our users navigate the product and to debug issues. Events collected include page views, feature clicks, and session identifiers. PostHog is configured with IP anonymization and a short retention window. We do not use PostHog for cross-site behavioral advertising. PostHog acts as our data processor under a written DPA.

9.3 Advertising Pixels on amboras.com

As of the last-updated date above, we do not run the Meta Pixel, the Facebook Conversions API, the Google Ads pixel, Google Analytics, or any equivalent advertising tracker on amboras.com. We do not build audiences or run retargeting against our own visitors. If we add any such tool in the future, we will update this policy and re-collect consent where required.

9.4 Merchant-Configured Tracking on Storefronts (Meta Pixel, Meta Conversions API, Google Ads)

Amboras provides merchants with tooling to connect their own advertising pixels — including the Meta Pixel, the Meta Conversions API (CAPI), Google Ads conversion tracking, and similar tools — to the storefront we deploy on their behalf. When a merchant enables this:

  • The pixel identifier and server-side access token belong to the merchant's Meta or Google advertising account, not Amboras.
  • We store these credentials encrypted at rest (server-side access tokens are never sent to the browser) and use them only to forward storefront events to Meta or Google on the merchant's instruction.
  • For data collected through these pixels, the merchant is the data controller (or, where applicable, co-controller with Meta or Google). Amboras acts solely as a processor.
  • Data forwarded server-side to Meta CAPI or Google (including IP address, user agent, hashed email where available, and purchase/conversion events) is governed by Meta's Business Tools Terms, Meta's Custom Audiences Terms, and Google Ads Data Processing Terms, respectively.

If you are a visitor to a merchant's storefront (i.e., a shop running on Amboras, not amboras.com itself), this Privacy Policy does not apply to you. Consult that merchant's privacy policy for their tracking disclosures, legal basis, and opt-out options. Merchants are contractually required (see our Terms of Service) to maintain their own privacy policy, obtain valid consent where the law requires it (EU/UK/EEA/Switzerland ePrivacy + GDPR, California CPRA, etc.), and honor opt-out signals such as Global Privacy Control.

9.5 Do Not Track

Our site honors the Global Privacy Control (GPC) signal as a valid opt-out of “sale” or “sharing” under California law. Because the DNT browser header has no common industry meaning, we do not respond to it separately.

10. California-Specific Disclosures (CCPA/CPRA)

10.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers: Name, email address, account credentials, IP address
  • Commercial Information: Subscription plan, payment history, purchase records
  • Internet Activity: Browsing history on our platform, interaction with our services
  • Professional Information: Company name, business contact information
  • Inferences: Preferences and usage patterns derived from your activity

10.2 Business Purposes for Collection

We collect and use personal information for the following business purposes:

  • Providing and improving our SaaS platform services
  • Processing payments and managing subscriptions
  • Customer support and communication
  • Security, fraud prevention, and legal compliance
  • Analytics and service improvement
  • Marketing and promotional communications (with consent)

10.3 Sale and Sharing of Personal Information

We do not sell your personal information and have not sold personal information in the preceding 12 months. We do not share personal information for cross-context behavioral advertising purposes.

10.4 Sensitive Personal Information

We collect account credentials (passwords, which are encrypted) as sensitive personal information solely for authentication and security purposes. We do not use or disclose sensitive personal information for purposes other than those permitted by the CPRA.

10.5 Retention Period

We retain personal information for as long as necessary to fulfill the purposes described in this policy, typically for the duration of your subscription plus 90 days, unless a longer retention period is required by law.

10.6 Authorized Agent Requests

California residents may designate an authorized agent to make privacy requests on their behalf. We require written authorization from you and verification of your identity before processing requests from authorized agents.

11. International Data Transfers

Your data is primarily stored and processed in the United States. If you access our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers and databases are located. By using our services, you consent to such transfers.

12. Children's Privacy

Our services are not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe we have collected information from your child, please contact us immediately at contact@amboras.com, and we will delete such information.

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, services, or legal requirements. We will notify you of material changes by email at least 30 days before the changes take effect and by posting a notice on our website. The updated policy will show a new “Last Updated” date at the bottom of this page.

14. Contact Us

If you have any questions about this privacy policy, want to exercise your privacy rights, or have concerns about our data practices, please contact us at:

Amboras Inc.
Email: contact@amboras.com
Address: 1111B S Governors Ave, STE 84587, Dover, DE 19904, United States

For California residents: If you have questions about your CCPA/CPRA rights, please email us with “California Privacy Rights” in the subject line.