Privacy Policy
Last updated: July 1, 2026
1. Who we are & our two roles
Ecommerce Ops handles personal data in two distinct capacities:
- As a controller — for the account and billing information of the merchants who use our service (our direct customers).
- As a processor — for the order and customer data that a merchant's connected sales channels (e.g. Shopify) send to us so we can run fulfillment on the merchant's behalf. For that data, the merchant is the controller and we act only on their documented instructions.
Controller contact: Ecommerce Ops, Inc., 6177 N Lincoln Ave, Suite 190, Chicago, IL 60659, [email protected].
2. Data we collect
Account data (we are controller)
- Owner and staff names, email addresses, business name.
- Passwords — stored securely using strong, industry-standard cryptographic hashing; we never see the plaintext.
- Support correspondence and account/audit logs.
Billing data
- Subscription plan, status, and trial dates.
- Payments are handled by Stripe. Card details are entered on Stripe and are not stored on our systems; we retain only a Stripe customer/subscription identifier.
Merchant order & customer data (we are processor)
- Order details, line items, and fulfillment/tracking information ingested from connected channels.
- End-customer personal data contained in those orders — typically name, shipping address, email, and order contents.
- This data reaches us upon the customer's authorization via the merchant's connected platforms (e.g. Shopify, eBay, Amazon).
Technical data
- Server logs, IP address, and timestamps for security and diagnostics.
- A strictly necessary, first-party session cookie to keep you logged in. We do not use analytics, advertising, or tracking cookies, and there is no cross-site tracking.
Third-party services on our public pages. Our sign-up page uses Cloudflare Turnstile for bot protection (security, not advertising). Our marketing pages load web fonts from Google Fonts, which means Google may receive your IP address when fonts load; no cookies are set by this. A "Schedule a demo" link takes you to Calendly, a third party governed by its own privacy policy.
3. How and why we use data
- To provide the service — sync orders, run pick/pack/ship, returns, and refunds.
- To operate accounts, seats, and billing.
- To secure the service, prevent abuse, and meet legal obligations.
- To provide support you request.
4. Legal bases (GDPR / UK GDPR)
Where the GDPR or UK GDPR applies, we rely on:
- Performance of a contract — to deliver the service you signed up for.
- Legitimate interests — to secure, maintain, and improve the service (balanced against your rights).
- Legal obligation — where we must retain or disclose data by law.
- Consent — where required (e.g. non-essential cookies), which you may withdraw at any time.
For merchant order/customer data we process on a merchant's behalf, the legal basis is the merchant's, under our data-processing terms.
5. Sub-processors
We rely on the following providers, under contractual data-protection terms:
- Stripe — subscription billing and payments.
- Cloudflare — CDN, DNS, security, and bot protection (Turnstile).
- Resend — delivery of transactional email (password resets, activation links, and automated alerts).
- Microsoft 365 — business email and support correspondence.
- Self-hosted infrastructure — the Service currently runs on our own managed infrastructure rather than a third-party cloud host; if that changes, the new provider will be listed here.
Connected sales channels you authorize (e.g. Shopify, eBay, Amazon) are sources of the data we process for you; your use of them is governed by their own terms and privacy policies. We are not affiliated with them.
6. Data retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.
- Account and billing data: We retain this information for the duration of your active subscription. Following account termination, we retain this data for 90 days to allow for account recovery, after which it is securely deleted or anonymized, unless a longer retention period is required by law.
- Merchant order/customer data: As a processor, we retain this data strictly according to your instructions. Upon termination of our services, we will delete or return this data in accordance with our Data Processing Agreement. We honor all channel-initiated erasure requests (e.g., Shopify's customer redaction webhooks) promptly.
7. Security
- Passwords and access tokens are protected using industry-standard encryption and cryptographic hashing techniques at rest and in transit.
- Per-tenant data isolation.
- Access controls and audit logging.
No system is perfectly secure, but we take reasonable and appropriate measures to protect personal data.
8. International transfers
We process personal data in the United States and currently serve U.S.-based customers; we do not transfer personal data outside the United States. Should we begin serving customers in the EEA or UK, we will put an appropriate transfer mechanism (such as the Standard Contractual Clauses) in place and update this policy.
9. Your rights
Subject to applicable law, you may request to access, correct, delete, restrict, or port your personal data, and object to certain processing. Where we rely on consent, you may withdraw it. You also have the right to lodge a complaint with your data-protection supervisory authority.
To exercise these rights, contact [email protected]. If your data was provided to us by a merchant (as their customer), please direct your request to that merchant, who is the controller; we will assist them as their processor.
10. U.S. state privacy rights (California and others)
If you are a resident of California or another U.S. state with a comprehensive privacy law, you may have rights to know about, access, correct, and delete personal information, and not to be discriminated against for exercising them.
We do not "sell" personal information and do not "share" it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. When we handle personal information a merchant provides about their customers, we act as a "service provider" and use it only to perform the service under our contract, not for our own purposes. To exercise your rights, contact [email protected]. To protect your privacy, we will require reasonable verification of your identity before processing any data access or deletion request.
11. Aggregated data, analytics & machine learning
We may create aggregated and de-identified data — which cannot reasonably be used to identify any individual — and use it to operate, secure, analyze, and improve the service, including developing analytical and machine-learning features such as demand forecasting and shipping/routing optimization. We do not use personal data to train models in a way that would expose one customer's data to another, and we do not sell personal data.
12. Children
The service is for businesses and is not directed to children, and we do not knowingly collect children's personal data.
13. Changes
We may update this policy; material changes will be posted here with a new effective date.
14. Contact
Ecommerce Ops, Inc. — [email protected] — 6177 N Lincoln Ave, Suite 190, Chicago, IL 60659.