Legal

Privacy Policy

Last updated: 4 May 2026 · Effective date: 1 May 2026 · Version 1.0

The short version: We collect what’s needed to detect operational issues in your store data, and nothing else. We don’t sell or share your data. We’re read-only by default. EU and California residents have the rights below. Email privacy@instirio.com with any question.

1. Scope and controller

This policy describes how Instirio (“Instirio”, “we”, “us”) collects, uses, and protects personal data when you visit our website, use our operations intelligence platform, or otherwise interact with us. Instirio is the data controller for personal data we collect about you under this policy.

For data we process on behalf of our customers (their store events, employee actor data, customer order data we ingest from their connected platforms), we act as a data processor. The customer is the controller. Our Data Processing Addendum (DPA) governs that relationship, request a copy at privacy@instirio.com.

2. Data we collect

From you, directly

  • Account information, name, work email, company name, role, country/region.
  • Authentication credentials, hashed password (we never see your plaintext password) or OAuth tokens for SSO providers you choose.
  • Billing details, for paid plans only. Card data is processed by Stripe; we never see or store full card numbers.
  • Communication content, emails, support tickets, chat messages.

From your connected platforms (Shopify, ShipStation, Stripe, etc.)

When you connect a platform, Instirio ingests order events that may contain personal data about your customers (name, email, shipping address, order details). We use this strictly to detect operational issues for you, never for any other purpose, never resold, never used to train shared ML models.

We are read-only by default and request the minimum scopes each platform supports. We do not write to your store.

Automatically, when you use the site or app

  • Usage data, page views, feature interactions, session duration, referrer.
  • Device data, browser type, operating system, IP address (truncated for analytics), approximate location.
  • Cookies and similar technologies, see Section 9.

3. How we use it

  • To provide, operate, and improve the Instirio platform.
  • To detect operational issues, drift, SLA breaches, and other findings on data you connect.
  • To bill and process payments.
  • To send service-related communications (security alerts, billing notices, important product changes).
  • To send marketing communications, only if you’ve opted in. Unsubscribe any time.
  • To respond to support requests.
  • To comply with legal obligations and enforce our terms.
  • To improve our detection methodology in aggregate, anonymous form (never with identifiable customer data).

What we never do: we never sell your personal data. We never train shared machine-learning models on your customer data without explicit opt-in. We never use your data to compete with you.

  • Contract, to provide the platform you’ve signed up for.
  • Legitimate interests, to operate, secure, improve, and market the service. We balance our interests against your rights.
  • Consent, for marketing emails and non-essential cookies.
  • Legal obligation, to comply with tax, accounting, and other regulatory requirements.

5. Who we share data with

We share personal data only with the following categories of recipients:

  • Sub-processors who help us operate the service, hosting, payment processing, transactional email, customer support tools, error tracking. Current list and roles: security page → sub-processors.
  • Professional advisors, auditors, lawyers, accountants, under confidentiality.
  • Authorities, when legally required and only to the extent required.
  • Successors, if Instirio is acquired or merged, your data may transfer to the successor entity. We’ll notify you and your existing rights remain.

We do not share customer order data ingested from connected platforms with any third party other than the sub-processors listed above.

6. Retention

We retain personal data only as long as needed to deliver the service or as required by law:

  • Account data, for the lifetime of your account, plus 30 days after deletion (to recover from accidental deletion).
  • Connected platform events, per the data retention setting of your plan (Starter: 90 days; Growth: 1 year; Professional: 3 years; Enterprise: custom).
  • Billing records, 7 years (tax compliance).
  • Support communications, 2 years.
  • Marketing data, until you unsubscribe, plus 12 months for suppression-list purposes.

7. International transfers

Instirio is hosted in the United States. If you access the service from outside the US, your data is transferred to and processed in the US. For EU/UK/EEA residents, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to safeguard such transfers.

Request our SCCs and Transfer Impact Assessment at privacy@instirio.com.

8. Your rights

If you’re in the EU/UK/EEA (under GDPR)

You have the right to: access your data, correct inaccuracies, request erasure, restrict processing, object to processing (including direct marketing), data portability, and withdraw consent at any time.

Exercise any right by emailing privacy@instirio.com. We respond within 30 days.

If you’re a California resident (under CCPA/CPRA)

You have the right to know what personal information we collect, the right to delete, the right to opt out of sale or sharing (we don’t sell), the right to correct, and the right to limit use of sensitive personal information.

To exercise any of these rights, email privacy@instirio.com with the subject line “CCPA request”.

Right to lodge a complaint. EU/UK residents may complain to their national supervisory authority. We’d appreciate the chance to address concerns first, please contact us before escalating.

9. Cookies and similar technologies

We use cookies and similar technologies for the following purposes:

  • Strictly necessary, authentication, session management, CSRF protection. Cannot be disabled.
  • Functional, remember preferences (theme, language). Optional.
  • Analytics, aggregate site usage. Optional. We use a privacy-preserving analytics provider that doesn’t fingerprint visitors.

We do not use third-party advertising cookies. You can manage cookie preferences via the cookie banner on first visit, or in your browser settings any time.

10. Security

We protect your data with technical and organizational measures including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, audit logging, automated security monitoring, regular vulnerability scanning, and a documented incident response plan.

Full security overview: security page.

11. Minors

Instirio is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we’ll delete it promptly.

12. Changes to this policy

We may update this policy from time to time. The “last updated” date at the top reflects the latest revision. Material changes will be announced via email or dashboard banner with 30 days’ notice before they take effect.

13. Contact us

Privacy questions, data subject requests, or DPA inquiries:

  • Email: privacy@instirio.com
  • Mail: Instirio, [PLACEHOLDER FOR REGISTERED ADDRESS]
  • EU representative (Article 27 GDPR): [PLACEHOLDER FOR EU REP, NEEDED IF YOU TARGET EU MARKET]
  • UK representative: [PLACEHOLDER FOR UK REP, NEEDED IF YOU TARGET UK MARKET]
Note: This document is a template structured to a defensible standard but is not a substitute for legal review. Have it reviewed by qualified counsel before going live. Placeholders marked [PLACEHOLDER] need real values.