Your data, your control.

When you create an Account or register for the Service, we collect:

• Full name
• Email address
• Company or business name
• Password (stored in hashed form)
• Phone number (if provided)
• Billing and payment information (processed by our third-party payment processor)
• Account preferences and settings
• Authorized User information (names and email addresses of individuals you invite)

As defined in the Terms of Service (Section 1), "Customer Data" includes any data, content, or information that you or your Authorized Users provide, upload, transmit, or authorize the Company to access or retrieve via integrations, including without limitation:

• Marketplace transactional data: orders, product listings, inventory levels, pricing, promotions, advertising metrics, returns, refunds, fees, and messages metadata (where applicable)
• Account identifiers for Third-Party Platforms
• Associated metadata
• Any personal data contained within the above categories (e.g., buyer names, email addresses, shipping addresses, or other personal data present in marketplace transactional data)

Important: You are responsible for ensuring that you have all rights, consents, and permissions necessary to provide Customer Data to us and to authorize our use of it as described in the Terms of Service and this Policy (Terms of Service, Section 7.3). You must not provide highly sensitive personal data such as government identification numbers, full payment card data, biometric data, or protected health information unless we have expressly agreed in writing (Terms of Service, Section 7.4).

When you access or use the Service, we automatically collect:

• IP address and approximate geolocation
• Browser type, version, and language preferences
• Device type, operating system, and screen resolution
• Referring URL and exit pages
• Pages viewed, features used, and clickstream data within the Service
• Session duration, timestamps, and frequency of access
• API call logs (endpoints accessed, request parameters, response codes)
• Error logs and performance data

When you contact us or we contact you, we collect:

• Email correspondence and support ticket contents
• Feedback, suggestions, and ideas you submit
• Records of your communications with our support team
• Opt-in/opt-out preferences for marketing communications

We use cookies, web beacons, pixels, and similar tracking technologies to collect Technical and Usage Data. These include:

• Essential cookies: Required for the Service to function (e.g., session authentication, security tokens, CSRF protection)
• Functional cookies: Remember your preferences, settings, and customizations
• Analytics cookies: Help us understand usage patterns, popular features, and Service performance
• Marketing cookies: Used to deliver relevant communications and measure campaign effectiveness (if applicable)

You can manage cookie preferences through your browser settings. Disabling essential cookies may impair Service functionality. Where required by applicable law, we will present a cookie consent banner or consent tool upon your first visit to the Service, allowing you to accept or decline non-essential cookies. You may withdraw your cookie consent at any time through the consent tool or your browser settings. Changes to your cookie preferences will take effect on a prospective basis.

We take reasonable steps to ensure that the Personal Data we process is accurate and up to date. However, the accuracy of Customer Data depends on the information you and your Authorized Users provide, upload, or authorize us to access from Third-Party Platforms.

You represent and warrant that: (a) all Personal Data you provide or authorize us to access has been lawfully collected in compliance with the PDPA and all other applicable data protection laws; (b) you have obtained all necessary consents, provided all required notices, and established a lawful basis for the collection, use, and disclosure of any Personal Data of third parties (including buyers, end customers, and marketplace users) contained within Customer Data; (c) you will not upload, transmit, or authorize the Company to access any Personal Data that you do not have the legal right to use and share; and (d) you will promptly update or correct any inaccurate or outdated Personal Data (Terms of Service, Section 7.3). The Company is not responsible for verifying the accuracy, lawfulness, or completeness of Personal Data provided by you or retrieved from Third-Party Platforms, and disclaims all liability arising from your failure to comply with these obligations.

• Creating, maintaining, and authenticating your Account
• Connecting to Third-Party Platforms and ingesting Customer Data (Terms of Service, Section 4.1)
• Computing analytics such as profit or net revenue estimates, including estimated fees, discounts, returns, and advertising costs
• Generating Recommendations and suggested actions (Terms of Service, Section 4.1)
• Initiating Execution actions on Third-Party Platforms where enabled and authorized by you (Terms of Service, Sections 4.1 and 9)
• Processing payments and managing Subscriptions
• Providing customer support and responding to inquiries

Lawful Basis: Performance of a contract (PDPA Section 24(3)); consent where required.

As described in the Terms of Service (Sections 5.5, 6.2, 6.3, 6.4, and 8), we use Customer Data to:

• Transmit data to Third-Party AI Service Providers (such as OpenAI, Anthropic, Google, or similar services) to generate Recommendations, perform analytics, process natural language queries, and deliver AI-powered features
• Create, train, validate, improve, and operate machine learning models, algorithms, and AI systems used in or for the Service
• Train, fine-tune, evaluate, and improve AI and machine learning models that power or may be incorporated into the Service, including generalized models
• Produce De-identified Data and Aggregated Data for model training purposes

Opt-Out: You may opt out of identifiable Customer Data being used for model training (but not De-identified or Aggregated Data) by notifying us in writing at support@dataglasslabs.com. Opt-out applies prospectively from the date of receipt and does not affect training already completed prior to your opt-out request. Opting out may limit certain AI-powered features, reduce the accuracy or personalization of Recommendations, and cause the Service to rely more heavily on rules-based or non-trained components (Terms of Service, Section 6.4).

Lawful Basis: Legitimate interest (PDPA Section 24(5)) in improving the Service. Where the PDPA or the Personal Data Protection Committee requires explicit consent for the use of identifiable data in AI model training, we will obtain such consent before processing. An opt-out mechanism is available as described in the Terms of Service (Section 6.4).

We may de-identify and/or aggregate Customer Data so that the resulting data does not and cannot reasonably identify you, your store, or any individual. We own all right, title, and interest in De-identified Data and Aggregated Data and may use such data for any lawful purpose, including (Terms of Service, Section 6.3):

• Operating, improving, and developing the Service
• Training, fine-tuning, and validating AI and machine learning models
• Industry benchmarking, analytics products, and research
• Commercial purposes, including sale or licensing to third parties, provided the data does not identify you

• Detecting and preventing fraud, abuse, unauthorized access, and security incidents (Terms of Service, Section 6.2)
• Monitoring for violations of the Acceptable Use policy (Terms of Service, Section 10)
• Enforcing the Terms of Service and this Policy
• Complying with applicable law, court orders, regulatory requirements, and lawful requests from government authorities

Lawful Basis: Legitimate interest (PDPA Section 24(5)); legal obligation (PDPA Section 24(6)).

• Sending transactional and operational communications (account verification, billing notices, security alerts, Service updates, maintenance notices) (Terms of Service, Section 21.1)
• Sending promotional or marketing communications about our products and services (with opt-out) (Terms of Service, Section 21.3)
• Responding to support requests and feedback

Lawful Basis: Performance of a contract; legitimate interest; consent for marketing communications.

• Analyzing usage patterns to improve Service functionality and user experience
• Benchmarking, product research, and business intelligence activities (Terms of Service, Section 6.2)
• Debugging, testing, and quality assurance
• Developing new features, products, and services

Lawful Basis: Legitimate interest (PDPA Section 24(5)).

As described in the Terms of Service (Section 5.5), the Service integrates with and may transmit Customer Data (including personal data contained therein) to Third-Party AI Service Providers, including but not limited to OpenAI, Anthropic, Google, and similar services, for the purpose of generating Recommendations, performing analytics, processing natural language queries, and delivering AI-powered features. Customer Data transmitted to these providers is subject to those providers' own terms of service, data processing agreements, and privacy policies. We use commercially reasonable efforts to:

• Select Third-Party AI Service Providers that maintain appropriate data protection and security standards
• Opt out of model training by Third-Party AI Service Providers where such options exist
• Enter into appropriate data protection agreements with such providers

We may change, add, or remove Third-Party AI Service Providers at any time without prior notice, provided that we continue to maintain appropriate data protection agreements with such providers (Terms of Service, Section 5.5).

We use third-party subprocessors to operate the Service (Terms of Service, Section 7.7), including but not limited to:

• Cloud infrastructure and hosting providers
• Content delivery networks (CDNs)
• Analytics and observability services
• Email delivery providers
• Payment processors
• AI/ML service providers
• Customer support tools

We remain responsible for our subprocessors' compliance with applicable data processing obligations with respect to Customer Data. We will enter into appropriate written agreements with each subprocessor imposing data protection obligations no less protective than those set forth in the Terms of Service. A list of material subprocessors is available upon written request to support@dataglasslabs.com (Terms of Service, Section 7.7).

When you connect Third-Party Platforms (such as external marketplaces, advertising systems, and payment providers), data is exchanged between the Service and those platforms within the permission scope you approve. Where Execution is enabled, we perform actions on those platforms on your behalf within the authorized scope (Terms of Service, Section 5.2).

We may disclose personal data if required or permitted by applicable law, including:

• To comply with a legal obligation, court order, or lawful government request
• To protect the rights, property, or safety of the Company, our users, or the public
• In connection with an investigation of fraud, security incidents, or violations of the Terms of Service
• To enforce our Terms of Service and this Policy

In the event of a merger, acquisition, corporate reorganization, bankruptcy, or sale of all or substantially all of our assets, personal data may be transferred to the successor entity. We will provide notice where required by applicable law. The successor entity will be bound by the terms of this Policy with respect to personal data transferred (Terms of Service, Section 22.1).

We may disclose, license, or sell De-identified Data and Aggregated Data to third parties for any lawful purpose, including benchmarking, analytics products, research, and commercial purposes, provided that such data does not identify you (Terms of Service, Section 6.3). De-identified Data and Aggregated Data are not considered Confidential Information (Terms of Service, Section 14.3).

We may disclose your personal data to other parties with your prior consent. For example, with your prior written consent, we may identify you as a customer and display your name, logo, or description in marketing materials, website, or investor presentations (Terms of Service, Section 11.3).

During an active Subscription, we retain Customer Data as needed to provide the Service (Terms of Service, Section 6.5).

After cancellation or termination, we may retain Customer Data for up to sixty (60) days, or longer if required by applicable law or for legitimate dispute resolution purposes. After that period, we may delete or de-identify it (Terms of Service, Section 6.5).

De-identified Data and Aggregated Data may be retained indefinitely (Terms of Service, Section 6.5).

Data incorporated into trained AI or machine learning model weights through training conducted in accordance with the Terms of Service (Section 6.4) is not subject to deletion upon account termination. Opt-out of identifiable data use for model training applies prospectively only and does not entitle you to deletion of weights derived from prior training.

• Account and Registration Data: Retained for the duration of your Account and for a reasonable period thereafter for record-keeping and legal compliance
• Technical and Usage Data: Retained for up to twenty-four (24) months for analytics and security purposes, or longer if required for legal compliance
• Communication Data: Retained for the duration of the Account and for a reasonable period thereafter to maintain support records
• Billing and Payment Records: Retained as required by applicable tax and accounting laws

You have the right to request access to the personal data we hold about you and to obtain a copy of such data.

You have the right to request correction of inaccurate or incomplete personal data.

You have the right to request deletion of your personal data in certain circumstances. For the avoidance of doubt, data subject requests do not require the Company to delete De-identified Data or Aggregated Data, or to reverse any model training conducted in accordance with the Terms of Service, Section 6 (Terms of Service, Section 7.9). Notwithstanding a deletion request, the Company may retain Personal Data to the extent necessary to: (a) comply with a legal obligation, court order, or regulatory requirement under applicable law (including tax, accounting, and anti-money laundering laws); (b) establish, exercise, or defend legal claims or disputes; (c) detect, prevent, or investigate fraud, security incidents, or violations of the Terms of Service; or (d) fulfill any other legitimate retention purpose recognized under the PDPA. Any such retained data will be processed solely for the applicable retention purpose and will be subject to appropriate safeguards.

You have the right to request restriction of processing of your personal data in certain circumstances.

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where technically feasible. Export functionality may be subject to plan limits and technical feasibility (Terms of Service, Section 6.6).

You have the right to object to the processing of your personal data based on legitimate interest, including for direct marketing purposes. You may opt out of marketing communications at any time (Terms of Service, Section 21.3).

Where we rely on your consent as the lawful basis for processing, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

To exercise any of the above rights, please submit a written request to:

We will use commercially reasonable efforts to respond to verified data subject requests within ninety (90) days of receipt. Assistance with data subject requests may be subject to additional fees if the volume or complexity of requests exceeds what is commercially reasonable (Terms of Service, Section 7.9). You are responsible for verifying the identity of data subjects and the validity of their requests before forwarding them to us.

If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Committee (PDPC) or any other competent supervisory authority.

The Company may appoint a Data Protection Officer ("DPO") where required by the PDPA, by order of the Personal Data Protection Committee, or as the Company determines appropriate based on the nature and scale of its data processing activities. If a DPO is appointed, we will publish the DPO's contact information on our website and update this Policy accordingly. Until a DPO is formally appointed, all data protection inquiries may be directed to legal@dataglasslabs.com.