Privacy Policy

Last updated: April 19, 2026

1. Who We Are

ShipXray is operated by Trust Analytica Information Services L.T.D. ("we", "us", "our"). This Privacy Policy explains how we collect, use, store, and share information when you use our shipping intelligence platform at shipxray.com ("the Service").

2. Information We Collect

Account information: When you create an account, we collect your email address, name (if provided), and authentication credentials. If you sign in via Google OAuth, we receive your Google profile information (name, email, profile picture).

Store data via public crawl (Layer 1): When you enter a store URL, we crawl publicly accessible pages to extract product names, prices, categories, shipping policies, and other publicly visible information. No private or authenticated data is accessed.

Store data via platform connection (Layer 2): When you connect your Shopify, WooCommerce, Amazon, or other supported platform, we access data through their authorized APIs using OAuth tokens you grant. This may include: order history and values, fulfillment and shipment records, carrier and tracking information, shipping addresses (postal/zip codes and regions — we do not store full street addresses of your customers), product catalog data including weights and dimensions, warehouse and fulfillment locations, shipping policies and carrier configurations, and store settings and currency.

Usage data: We collect standard analytics data including pages visited, features used, browser type, and IP address for service improvement and security purposes.

3. How We Use Your Information

To provide the Service: We process your data to generate shipping audits, intelligence dashboards, cost analyses, carrier comparisons, health scores, and recommendations.

To create anonymized benchmarks: We aggregate and anonymize data across our user base to create industry benchmarks and market intelligence. This anonymized data cannot be traced back to any individual store or merchant.

To improve our service: We use aggregated data to train and improve our AI estimation models, carrier rate databases, and analysis algorithms.

To communicate with you: We may send you service-related emails (account verification, password resets, important updates). We will not send marketing emails without your consent.

4. Legal Basis for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases under the GDPR and equivalent laws:

Performance of a contract: To provide the Service you signed up for, including running audits on stores and platforms you connect.

Legitimate interests: To secure our infrastructure, prevent abuse, improve our AI estimation models, and publish anonymized benchmarks, balanced against your rights and expectations.

Consent: Where you have explicitly opted in, such as marketing communications or non-essential analytics.

Legal obligation: To comply with applicable laws, court orders, tax requirements, or mandatory platform obligations (including Shopify's mandatory data request and erasure webhooks).

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. Your Rights

General rights (all users): You may access the data we hold about you, correct inaccurate data, request deletion of your account and associated data, disconnect your store integrations at any time (which revokes our API access), export your data in a machine-readable format, and withdraw consent for data processing (which may limit Service functionality).

GDPR (EEA / UK / Switzerland): In addition to the above, you have the right to restrict processing, object to processing (including processing based on legitimate interests), and the right to data portability. You may lodge a complaint with your local supervisory authority if you believe we have infringed applicable data protection laws.

CCPA / CPRA (California): California residents have the right to know what personal information we collect, use, and share; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (we do not sell or share personal information as defined by the CCPA); the right to limit use of sensitive personal information; and the right to non-discrimination for exercising these rights.

PIPEDA (Canada): Canadian users have the right to access and correct personal information we hold about them, and to file a complaint with the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, contact us at support@shipxray.com. We will respond within 30 days (or the period required by applicable law). We may ask you to verify your identity before fulfilling the request.

6. Cross-Border Data Transfers

ShipXray is operated from Canada, and our primary database and application infrastructure are hosted in the United States. By using the Service, your data may be transferred to, stored in, and processed in the United States, Canada, and other countries where our service providers operate.

EEA, UK, and Swiss users: Where we transfer personal data outside the EEA, UK, or Switzerland to countries that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA) as the legal mechanism for the transfer. Copies are available on request.

Canadian users: We comply with PIPEDA requirements for cross-border transfers and take reasonable steps to ensure that third-party processors maintain comparable levels of protection for your personal information.

7. Data Security and Breach Notification

Your personal data is stored and processed in the United States. We protect it in transit and at rest using industry-standard encryption and access controls. OAuth access tokens for connected platforms are stored encrypted. Access to production systems is restricted to authorized personnel and protected by multi-factor authentication. We review our providers' security posture at least annually.

We do not sell your personal data or raw store data to third parties.

Breach notification: If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay. Notifications will describe the nature of the breach, the likely consequences, the measures taken, and the contact point for further information.

No security system is impenetrable. While we take reasonable safeguards, we cannot guarantee the absolute security of data transmitted over the internet.

8. Who We Share Your Data With

To operate the Service we rely on a small number of trusted third-party service providers acting as sub-processors on our behalf. These providers process personal data only under our instructions and are contractually bound to appropriate confidentiality and security obligations. They fall into the following categories:

  • Cloud hosting and database infrastructure — providers that host our application and store your data in the United States.
  • Public web crawling infrastructure — providers we use to fetch publicly available pages during Layer 1 audits.
  • AI analysis services — a provider we use to run natural-language analysis on publicly available store content. No personal data or customer account data is sent for AI model training by these providers.
  • Payment processing — a PCI-DSS-compliant provider that handles subscription billing. We do not store full card numbers.
  • Transactional email and authentication — providers that deliver account emails and support federated sign-in.
  • Platform integrations you opt into — when you connect your Shopify, WooCommerce, Amazon, or other store platform via OAuth, we access data through those platforms' official APIs using tokens you grant.

A current list of named sub-processors is available on request from support@shipxray.com for enterprise customers with a signed agreement.

Anonymized insights: We may publish or share anonymized, aggregated shipping intelligence data that cannot identify individual stores or merchants.

Legal requirements: We may disclose information if required by law, regulation, legal process, or government request.

Business transfers: If ShipXray is involved in a merger, acquisition, financing, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

9. Data Location

Your personal data is stored and processed in the United States. We use industry-standard encryption for data in transit and at rest, and review our providers' security posture at least annually.

10. Data Retention

We retain your account data and connected store data for as long as your account is active. If you delete your account, we will delete your personal data and raw store data within 30 days. Anonymized and aggregated data (which cannot identify you) may be retained indefinitely for benchmarking and service improvement purposes. OAuth access tokens are deleted immediately upon disconnection of a store integration.

11. Cookies & Tracking

We use essential cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. We may use basic analytics to understand how the Service is used.

12. Shopify Data Handling

When you install ShipXray from the Shopify App Store or via a direct install link, we request access to specific Shopify API scopes required to provide our Service. These include read-only access to: fulfillment records, shipping and carrier data, order data, product catalog, inventory levels, store locations, legal policies, and content pages. We do not request write access to any Shopify data.

We comply with Shopify's mandatory privacy requirements, including responding to customer data requests, customer data erasure requests, and shop data erasure requests through Shopify's required webhook endpoints. When we receive a data erasure request, we delete the relevant data within 30 days unless we are legally required to retain it.

Shopify merchant data accessed through our app is used solely for the purposes described in this policy. We do not sell raw Shopify merchant data to third parties. Anonymized and aggregated data derived from Shopify stores may be used for benchmarking and service improvement as described in Section 3.

13. Intellectual Property Takedown (DMCA)

ShipXray respects the intellectual property rights of others. If you believe that content displayed in a public analysis or elsewhere on the Service infringes your copyright or trademark, you may submit a takedown notice to legal@shipxray.com with the following information:

(a) identification of the copyrighted work or trademark claimed to have been infringed; (b) identification of the material claimed to be infringing and its location on the Service (including the specific URL); (c) your contact information (name, address, telephone, email); (d) a statement that you have a good-faith belief that the use is not authorized by the rights owner, its agent, or the law; (e) a statement, under penalty of perjury, that the information in the notice is accurate and that you are authorized to act on behalf of the owner of the right claimed to be infringed; and (f) a physical or electronic signature.

We will review valid notices and remove or disable access to the material in question where appropriate. We may also terminate the accounts of repeat infringers.

14. Children's Privacy

ShipXray is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children.

15. Changes to This Policy

We reserve the right to update, modify, or replace this Privacy Policy at any time, with or without prior notice. Changes become effective immediately upon posting to this page. It is your responsibility to review this policy periodically. The "Last updated" date at the top indicates when the policy was last revised. Continued use of the Service after any changes constitutes your acceptance of the updated policy.

16. Contact Us

For privacy-related questions or requests, contact us at support@shipxray.com. For copyright and trademark takedown notices, use legal@shipxray.com.