Privacy Policy

1. What information do we collect?

In Short: We collect personal information that you provide to us, and some information automatically when you use our Services.

Personal information you disclose to us

We collect personal information that you voluntarily provide when you register on the Services, express an interest in obtaining information about us or our products, or otherwise contact us. The personal information we collect may include:

• Names and email addresses
• Business name and Shopify store URL
• Brand profile settings (category, price positioning, subscription platform)
• Contact preferences and job titles
• Billing history (processed via Shopify Billing API — we do not store payment card data directly)
• Usage data (features used, pages visited, actions taken within the platform)

Sensitive information. We do not process sensitive personal information.

Information automatically collected

In Short: Some information — such as your IP address and browser characteristics — is collected automatically when you visit our Services.

We automatically collect certain technical information when you visit, use, or navigate the Services. This does not reveal your specific identity but may include device and usage information such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, and information about how and when you use our Services.

Specific automatically collected data includes:

• Log and usage data. Service-related diagnostic, usage, and performance information our servers collect when you access or use our Services, including IP address, device information, browser type, settings, and information about your activity in the Services.
• Location data. We collect approximate location data based on your IP address (country/region level only). We do not collect precise GPS location.

We use Plausible Analytics, a cookieless, privacy-first analytics tool. Plausible does not use cookies and does not collect personal data that can be used to identify individual visitors. No consent is required for Plausible.

End-customer data we process on your behalf

When you connect your Shopify store and subscription platforms (Recharge, Loop Subscriptions, Skio), we access data about your end-customers solely to provide the Eternly analytics service. This data includes:

• Customer order history (order dates, products, order values)
• Customer identifiers (Shopify Customer ID — not names or email addresses by default)
• Subscription events (activations, pauses, cancellations, charges, cancel reasons)
• Aggregate cohort and segment data derived from the above

We are a Data Processor for this end-customer data. See Section 2 for the full explanation of our data roles.

2. Our two data roles — Controller and Processor

In Short: Eternly acts as a Data Controller for merchant account data, and as a Data Processor for your end-customers' data. This distinction governs how we handle data and defines your rights and ours.

This section is specific to Eternly's architecture and is fundamental to understanding how we handle data under the GDPR.

2a. Where we are a Data Controller

For personal information you provide when creating and managing your Eternly account — your name, email address, billing information, brand profile, and usage data — Eternly is the Data Controller. This means we determine the purposes and means of processing this data, and we are directly responsible to you as a data subject.

Your rights under GDPR (Section 12) and CCPA (Section 14) apply in full to this data.

2b. Where we are a Data Processor

When you connect your Shopify store and subscription platforms, you instruct us to access and process data about your end-customers on your behalf. In this context:

• You (the merchant) are the Data Controller
• We (Eternly) are the Data Processor
• We process this data only on your documented instructions, solely to provide the Eternly analytics service
• We do not use end-customer data for our own purposes, for advertising, or to train general AI models
• We do not share end-customer data with any party except where required to provide the service (e.g. sending aggregated, anonymised data to Anthropic to generate recommendations)

As a merchant connecting your store to Eternly, you are responsible for ensuring you have the appropriate lawful basis under GDPR to share your end-customers' data with us as a processor.

Our Data Processing Agreement (DPA), which governs our obligations as your data processor, is available at eternly.app/legal/dpa. By installing and using the Eternly app, you agree to the terms of the DPA.

2c. Shopify GDPR mandatory webhooks

As a Shopify app, Eternly implements and responds to all three Shopify mandatory GDPR webhooks. When triggered by a merchant:

• customers/data_request — We return all data held relating to the specified end-customer for the relevant store within 30 days.
• customers/redact — We permanently delete all data relating to the specified end-customer from our systems within 30 days.
• shop/redact — When a merchant uninstalls Eternly, we delete all data associated with that merchant's store within 30 days, except billing records which we retain for legal and tax compliance purposes.

Merchants may direct requests related to these webhooks to hello@anchersenco.com.

3. How do we process your information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for the following purposes:

• To facilitate account creation and authentication. We process your information so you can create and log in to your account and keep your account in working order.
• To provide and improve our Services. We use your data and usage patterns to deliver the analytics platform, generate AI recommendations via Longevity Leon, and improve product features.
• To communicate with you. We may send you service-related notifications, product updates, and — with your consent — marketing and retention insights via email.
• To identify usage trends. We may process information about how you use our Services to better understand usage patterns and improve the platform.
• For security and fraud prevention. We process information to identify and prevent fraud, abuse, and security incidents.
• To comply with legal obligations. We may process your information where required by applicable law, court order, or regulatory body.

4. What legal bases do we rely on to process your information?

In Short: We only process your personal information when we have a valid legal reason to do so under applicable law.

If you are located in the EU, UK, or EEA

The GDPR and UK GDPR require us to explain the valid legal bases we rely on. We rely on the following:

• Contract performance. Account creation, authentication, billing, and service delivery are necessary to fulfil our contract with you.
• Legitimate interests. We may process your information for usage analytics, product improvement, and security where our interests do not outweigh your rights and freedoms.
• Consent. We rely on consent for marketing and promotional communications. You may withdraw consent at any time by clicking “unsubscribe” in any marketing email or contacting hello@anchersenco.com.
• Legal obligations. We process information where necessary to comply with our legal obligations, such as retaining billing records.

If you are located in Canada

We may process your information if you have given us specific express consent for a specific purpose, or in situations where consent can be inferred. You may withdraw consent at any time by contacting us.

5. When and with whom do we share your personal information?

In Short: We share information only with specific sub-processors under contractual data protection obligations. We never sell your data and we do not share it with advertisers.

We may share data in the following limited circumstances:

Sub-processors

We share data with the following sub-processors to deliver our Services. Each is bound by a data processing agreement with us:

We maintain a current list of sub-processors. You may request an up-to-date list at hello@anchersenco.com. We will notify merchants of any new sub-processors before they begin processing data, allowing time to object.

International transfers

Some of our sub-processors are based in the United States. Where we transfer personal data outside the EEA, we ensure an adequate level of protection through Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU-US Data Privacy Framework where applicable.

Business transfers

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business.

Legal requirements

We may disclose your information where required by law, court order, or to protect the rights, property, or safety of Eternly, our merchants, or others.

We do not sell your personal information, share it for advertising purposes, or disclose it to any party not listed above without your explicit consent.

6. Do we use cookies and other tracking technologies?

In Short: We use strictly necessary cookies to keep the site running, and optional functional cookies to remember your preferences. We do not use advertising or tracking cookies.

We use cookies and similar technologies to maintain security, keep your session active, prevent crashes, and save your preferences.

We do not use advertising cookies, tracking pixels, or behavioural targeting technologies. We do not permit third-party advertisers to use tracking technologies on our Services.

Plausible Analytics is our analytics tool. It is cookieless and does not use cookies or collect personal data to identify individual visitors. No consent is required for Plausible.

Our cookies fall into two categories:

• Strictly necessary: Session authentication tokens (Clerk), security tokens, and consent preference storage. These cannot be disabled as they are required for the Services to function.
• Functional: Cookies that remember your settings and preferences between visits. You may opt out of these via the cookie preference centre accessible from our footer.

Specific information about the cookies we set and how you can manage them is set out in our Cookie Notice.

7. Do we offer artificial intelligence-based products?

In Short: We offer AI-powered recommendations through Longevity Leon, our retention advisor. Data sent to our AI provider is anonymised and aggregated and is never used to train general models.

As part of our Services, we offer AI-powered retention recommendations through Longevity Leon, Eternly's AI retention advisor. This feature is available on Scale and Pro plans.

How it works

Longevity Leon analyses your store's aggregated retention metrics — cohort data, RFM segments, MRR trends, and churn patterns — and generates specific, actionable recommendations. The AI is powered by Anthropic's Claude API.

What data is sent to Anthropic

We send only pre-aggregated statistical data to Anthropic's API — percentage rates, cohort counts, segment totals, and trend data. We do not send individual customer records, names, email addresses, or any personally identifiable information about your end-customers to Anthropic.

How Anthropic uses this data

Anthropic processes this data solely to generate the recommendation output returned to Eternly. Anthropic does not use input data submitted via API to train its general models. You can review Anthropic's privacy and data handling policies at anthropic.com/privacy.

Opt-out

If you do not wish to use the AI recommendations feature, you may simply not use it. It does not run automatically without your interaction.

8. How do we handle your social logins?

In Short: If you choose to log in via a social media account, we may receive limited profile information from that provider.

Our authentication provider (Clerk) may offer the option to register and log in using third-party social media accounts such as Google. Where you choose to do this, we will receive certain profile information from your social media provider — typically your name and email address.

We will use this information only for the purposes described in this Privacy Notice. We do not control, and are not responsible for, other uses of your personal information by your social media provider. We recommend reviewing their privacy notices.

9. How long do we keep your information?

In Short: We keep your information for as long as necessary to fulfil the purposes outlined in this Privacy Notice, subject to legal retention obligations.

When you delete your account, we initiate deletion of your data within 30 days. Billing records are retained for 7 years as required by Danish and EU law — this is a legal obligation that overrides account deletion for financial records only.

10. How do we keep your information safe?

In Short: We aim to protect your personal information through a system of organisational and technical security measures.

We have implemented appropriate technical and organisational security measures including:

• Encryption in transit (TLS 1.2 or higher) for all data
• Encryption at rest for all database storage via Neon Postgres
• Access controls — data access is restricted to authorised personnel on a need-to-know basis
• Authentication via Clerk, with multi-factor authentication available
• Regular security reviews of infrastructure and dependencies
• Incident response procedures

In the event of a personal data breach, we will notify affected parties and the relevant supervisory authority (Datatilsynet in Denmark) within 72 hours as required by GDPR Article 33, where the breach is likely to result in a risk to the rights and freedoms of individuals.

SOC 2 Type II. We do not currently hold SOC 2 Type II certification. We are committed to pursuing this as the business scales. If you have specific enterprise security requirements, please contact us at hello@anchersenco.com.

Despite our safeguards, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. Transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

11. Do we collect information from minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

Eternly is a B2B service designed for businesses and business operators. We do not knowingly collect, solicit data from, or market to children under 18 years of age. By using the Services, you represent that you are at least 18 years of age.

If we learn that personal information from users under 18 has been collected, we will deactivate the account and take reasonable steps to promptly delete such data. If you become aware of any data we may have collected from children under 18, please contact us at hello@anchersenco.com.

12. What are your privacy rights?

In Short: Depending on your location, you have rights that give you greater access to and control over your personal information.

EU, EEA, and UK residents

Under the GDPR and UK GDPR, you have the following rights:

• Right of access. Request a copy of the personal data we hold about you.
• Right to rectification. Ask us to correct inaccurate or incomplete data.
• Right to erasure. Ask us to delete your personal data, subject to legal retention obligations.
• Right to restriction. Ask us to pause processing in certain circumstances.
• Right to data portability. Request a machine-readable copy of data you have provided to us.
• Right to object. Object to processing based on legitimate interests. You may always object to processing for direct marketing.
• Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Rights related to automated decision-making. Longevity Leon generates recommendations that are presented to you for your consideration — no automated decision with legal or similarly significant effect is applied to your data without human review.

To exercise these rights, email hello@anchersenco.com. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority. In Denmark: Datatilsynet.

Switzerland residents

You may contact the Federal Data Protection and Information Commissioner (edoeb.admin.ch).

Withdrawing consent

If we are relying on your consent to process your personal information, you have the right to withdraw consent at any time by contacting us or using the unsubscribe link in any marketing email. Withdrawal will not affect the lawfulness of processing carried out before withdrawal.

Account information

You may review, change, or terminate your account at any time by logging in to eternly.app/settings or contacting us. Upon account termination, we will deactivate and delete your account data within 30 days, subject to the retention periods in Section 9.

Cookie preferences

Most web browsers are set to accept cookies by default. You can usually choose to set your browser to remove or reject browser cookies. You can also manage your preferences at any time using the “Cookie settings” link in our footer.

13. Controls for Do-Not-Track features

Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature you can activate to signal your preference not to have data about your online browsing monitored. At this stage, no uniform technology standard for recognising and implementing DNT signals has been finalised. We do not currently respond to DNT browser signals.

Global Privacy Control (GPC). We recognise and honour Global Privacy Control (GPC) signals. If you use a browser or extension that supports GPC, we will treat this as a valid request to opt out of the sale or sharing of your personal information for targeted advertising purposes under applicable state privacy laws, including the CCPA. For more information about GPC, visit globalprivacycontrol.org.

14. Do United States residents have specific privacy rights?

In Short: If you are a US resident, you may have specific rights depending on your state.

Categories of personal information we collect

We have not sold or shared any personal information to third parties for business or commercial purposes in the preceding 12 months. We will not sell or share personal information in the future.

Your rights under US state privacy laws

Depending on the state where you live, you may have some or all of the following rights:

• Right to know whether we are processing your personal data
• Right to access your personal data
• Right to correct inaccuracies in your personal data
• Right to request deletion of your personal data
• Right to obtain a copy of personal data you previously shared with us
• Right to non-discrimination for exercising your rights
• Right to opt out of targeted advertising, the sale of personal data, and profiling — note that we do not engage in any of these activities
• Right to limit use of sensitive personal information — note that we do not collect sensitive personal information

How to exercise your rights

Contact us at hello@anchersenco.com with the subject line “US Privacy Request”.

We will respond within 45 days. If we decline to take action, you may appeal by emailing hello@anchersenco.com.

California “Shine the Light” law. California Civil Code Section 1798.83 permits California residents to request information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes in the preceding year. We do not disclose personal information to third parties for their direct marketing purposes.

15. Do other regions have specific privacy rights?

In Short: You may have additional rights based on the country you reside in.

Australia and New Zealand

We collect and process your personal information under the obligations and conditions set by Australia's Privacy Act 1988 and New Zealand's Privacy Act 2020. This Privacy Notice satisfies the notice requirements defined in both Privacy Acts.

At any time, you may request access to or correction of your personal information by contacting us as described in Section 17. If you believe we are unlawfully processing your personal information, you have the right to submit a complaint to the Office of the Australian Information Commissioner (oaic.gov.au) or the Office of the New Zealand Privacy Commissioner (privacy.org.nz).

Republic of South Africa

At any time, you may request access to or correction of your personal information by contacting us. If you are unsatisfied with how we address a complaint, you may contact the Information Regulator of South Africa: enquiries@inforegulator.org.za.

16. Do we make updates to this notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated “Last updated” date at the top of this Privacy Notice.

If we make material changes to this Privacy Notice, we will notify account holders by email at least 14 days before the changes take effect, and post a notice on our website. We encourage you to review this Privacy Notice frequently to stay informed of how we are protecting your information.

17. How can you contact us about this notice?

If you have questions, comments, or requests about this notice, you may contact us at:

For matters relating to our role as a data processor on behalf of merchants, please refer to our Data Processing Agreement at eternly.app/legal/dpa.

For EU and EEA residents, if you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority. In Denmark: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby — dt@datatilsynet.dk — datatilsynet.dk.

18. How can you review, update, or delete the data we collect from you?

Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information.

To request to review, update, or delete your personal information:

• Via the dashboard: eternly.app/settings
• Via email: hello@anchersenco.com
• Via post: Address in Section 17 above

We will consider and act upon any request in accordance with applicable data protection laws and respond within 30 days (GDPR) or 45 days (US state laws).