Privacy Policy

Effective: [EFFECTIVE_DATE]

Template notice — review before relying on: This document is a starting template generated for shelfpix. Placeholders in [BRACKETS] must be filled in, and the whole document should be reviewed by qualified legal counsel before publication. Because shelfpix operates in a B2B retail context where photos may incidentally include employees or customers, pay particular attention to applicable workplace-privacy and consumer-privacy obligations, and consider whether a Data Processing Addendum is needed for enterprise customers.

shelfpix (“we,” “us,” or the “Service”), operated by [LEGAL_ENTITY_NAME], takes your privacy seriously. This Policy describes what information we collect, how we use it, who we share it with, and the rights you have over it.

1. Information We Collect

Account information. When you create an account, we collect your email address, name, password (stored as a salted hash via AWS Cognito), and the retail organization or team you belong to.

Photos and analyses. When you upload photos of retail shelves and displays, we store the photo files in AWS S3 and process them through our AI vision pipeline to identify items, assess stock levels, read price tags and SKU labels, and generate consumer-appeal scores. The structured outputs of those analyses are stored alongside your photos in our database.

Payment information. Subscription billing is handled by Stripe. We do not store your full credit-card number; we only retain a Stripe customer identifier, the last four digits, the brand of the card, and the billing email on file.

Usage and device information. We collect log data including IP address, device type, operating system, app version, timestamps of requests, and which features you interact with. This is used to operate, debug, and improve the Service.

2. How We Use Your Information

To provide and operate the Service — account management, photo processing, shelf-condition scoring, alerts, and collection comparison;
To bill you for paid subscriptions and respond to payment-related inquiries;
To send you transactional email (account confirmations, password resets, billing receipts, security alerts, configurable shelf-alerts);
To improve the Service in aggregate — e.g. measuring which features are used, identifying bugs;
To comply with legal obligations and protect against fraud or abuse.

We do not sell your personal information, and we do not share it with advertisers.

3. Subprocessors & Third-Party Services

We use the following third-party services to operate shelfpix. By using the Service, you acknowledge that your data is processed by these providers under their own privacy terms.

Amazon Web Services (AWS) — hosting infrastructure (US regions), identity (Cognito), photo storage (S3), database (Aurora), email delivery (SES);
Anthropic, via AWS Bedrock — Claude vision and text models that perform the item-identification, stock-level, and appeal-scoring passes on your photos and their derived metadata. Photos and analyses are transmitted to Claude solely to produce the Service’s output and are subject to AWS Bedrock’s data-handling terms (in particular, customer content is not used to train foundation models);
Stripe — payment processing and subscription billing;
[ANALYTICS_PROVIDER_IF_ANY] — product analytics (if applicable; remove this line if you do not use a third-party analytics provider).

4. AI Processing & Photo Content

Photos taken in retail environments may incidentally contain personal information — faces of employees, customers, or visitors; visible name tags; license plates in storefront windows. Our AI pipeline focuses on identifying the products on shelves and is not designed to identify or recognize individuals, but our system necessarily processes the full image during analysis. You (the user uploading the photo) are responsible for:

Avoiding photos that intentionally capture identifiable individuals;
Ensuring that any incidental capture complies with applicable workplace-photography, employee-notification, and consumer-privacy laws in the jurisdictions where you operate;
Providing any disclosures to your employees and customers that those laws may require.

Scoring output produced by AI is informational only and should not be used as the sole basis for individual employee performance assessments — see our Terms of Service for the full disclaimer.

5. Data Retention

Account data: retained while your account is active. After you request account deletion, account data is removed within 30 days, except where retention is required by law;
Photos and analyses: retained until you delete the item, delete the collection, or close your account. Backups may persist for up to 90 days after deletion;
Billing records: retained for up to 7 years to satisfy United States tax-record requirements;
Server logs: retained for up to 90 days, then deleted or aggregated.

6. Your Rights

You have the right to:

Access the personal information we hold about you;
Request correction of inaccurate data;
Request deletion of your account and associated data;
Export your collections and analyses in a portable format;
Opt out of any non-essential email communications.

California residents (CCPA): you also have the right to know what categories of personal information we collect, the right to deletion, and the right to opt out of the “sale” of personal information (we do not sell personal information).

European Economic Area residents (GDPR): you also have the rights to portability, restriction of processing, and to lodge a complaint with your supervisory authority.

To exercise any of these rights, email [PRIVACY_EMAIL]. We will respond within 30 days.

7. Cookies & Tracking

The shelfpix website uses essential cookies and local storage to keep you signed in, remember your preferences, and operate basic features. We do not use third-party advertising cookies. Disabling essential cookies will break the Service.

8. Children

shelfpix is a B2B service intended for retail-operations professionals and is not designed for or directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us at [PRIVACY_EMAIL] and we will delete it.

9. International Data Transfers

Our infrastructure is hosted in the United States (AWS US regions). If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

10. Security

We use industry-standard safeguards including TLS encryption in transit, encryption at rest for S3 and database storage, role-based access controls, and audit logging. No system is perfectly secure; we cannot guarantee absolute security and we encourage you to use a strong, unique password.

11. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify active users by email and update the “Effective” date above.

12. Contact

Privacy requests: [PRIVACY_EMAIL]. General support: [SUPPORT_EMAIL].