Privacy Policy
Last updated: February 13, 2026
1. Controller and Contact Information
EcomBrain, a company incorporated in Switzerland ("EcomBrain," "we," "us," or "our"), is the data controller responsible for the processing of your personal data in connection with the EcomBrain platform and services (the "Service").
For any privacy-related inquiries, data subject requests, or concerns:
EcomBrain
Switzerland
This Privacy Policy explains how we collect, use, share, and protect your information in compliance with the EU General Data Protection Regulation ("GDPR"), the Swiss Federal Act on Data Protection ("FADP" / "nDSG"), and other applicable data protection laws.
2. Data We Collect
We collect the following categories of data:
- Account Data. Name, email address, company name, billing address, and payment information you provide during registration and account management.
- Commerce Data. Data from third-party platforms you explicitly connect to EcomBrain, including but not limited to: order history, product catalogs, advertising campaign data, email marketing metrics, customer segments, and analytics data from services such as Shopify, Meta Ads, Klaviyo, and Google Analytics.
- Usage Data. Information about how you interact with the Service, including features accessed, configurations set (trust levels, guardrails), action logs, and session data.
- Technical Data. IP address, browser type and version, operating system, device identifiers, referring URLs, and timestamps. This data is collected automatically when you access the Service.
- Communication Data. Records of communications you send to us, including support requests and feedback.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6(1) and the corresponding provisions of the Swiss FADP:
- Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service, manage your account, process payments, and fulfill our contractual obligations
- Legitimate Interest (Art. 6(1)(f) GDPR): Processing for service improvement, security, fraud prevention, and generating anonymized analytics, where our interests are not overridden by your rights
- Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, such as for optional analytics cookies or marketing communications. You may withdraw consent at any time.
- Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with applicable laws, regulations, or legal proceedings
4. How We Use Your Data
We use your data for the following purposes:
- Service Delivery: Operating the EcomBrain platform, including data integration, AI analysis, generating insights, and executing autonomous actions
- AI Processing: Sending your commerce data to AI models for analysis, recommendation generation, and action execution (see Section 5)
- Account Management: Managing your subscription, processing payments, and providing customer support
- Service Improvement: Analyzing usage patterns to improve features, performance, and reliability
- Security: Detecting, preventing, and investigating fraud, abuse, and security incidents
- Communications: Sending transactional emails, service notifications, and — with your consent — product updates and marketing materials
- Legal Compliance: Meeting our obligations under applicable laws and responding to lawful requests
We do not sell your personal data. We do not use your data for third-party advertising. Your commerce data is never shared with other customers or merchants.
5. AI Processing and Third-Party AI Providers
EcomBrain uses frontier artificial intelligence models provided by third-party providers to analyze your commerce data, generate insights, and power autonomous actions. This is a core part of how the Service operates.
Current AI Sub-Processors:
- OpenAI, Inc. (San Francisco, USA) — Language model inference for data analysis and insight generation
- Anthropic, PBC (San Francisco, USA) — Language model inference for data analysis and insight generation
Data Handling. When your data is processed by third-party AI providers: (a) data is transmitted encrypted in transit; (b) we maintain Data Processing Agreements ("DPAs") with each provider; (c) providers are contractually prohibited from using your data to train their models; (d) data is processed only as needed for the specific inference request and is not persistently stored by the provider beyond the minimum technical requirement.
International Transfers. Processing by AI providers based in the United States involves a transfer of data outside of Switzerland and the EEA. These transfers are protected by Standard Contractual Clauses ("SCCs") approved by the European Commission and the Swiss Federal Data Protection and Information Commissioner, and by our confirmation that adequate safeguards are in place in accordance with the Swiss FADP.
6. Sub-Processors and Data Sharing
In addition to the AI providers listed above, we use the following categories of sub-processors to deliver the Service:
- Cloud Infrastructure: Swiss-based hosting providers for data storage and computing
- Payment Processing: For secure payment and subscription management
- Email Service: For transactional and service-related communications
- Analytics: Privacy-focused analytics for service improvement (anonymized data only)
We maintain an up-to-date list of sub-processors, available upon request at privacy@ecombrain.io. We will notify you of any material changes to our sub-processor list at least 30 days in advance, giving you the opportunity to object.
We may also disclose your data: (a) to comply with legal obligations, lawful government requests, or court orders; (b) to protect the rights, safety, or property of EcomBrain, our customers, or the public; or (c) in connection with a merger, acquisition, or sale of assets, in which case you will be notified in advance.
7. Data Hosting and Security
Your data is hosted primarily on Swiss infrastructure. We implement technical and organizational measures designed to protect your data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Per-tenant data isolation ensuring your data is logically separated from other customers
- Role-based access controls with least-privilege principles
- Comprehensive audit logging of all data access and modifications
- Regular security assessments and vulnerability testing
- Incident response procedures with notification within 72 hours of becoming aware of a personal data breach, as required by GDPR Article 33
No system is perfectly secure. While we take commercially reasonable precautions, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
8. International Data Transfers
Your data is primarily stored in Switzerland, which is recognized by the European Commission as providing an adequate level of data protection. Where data is transferred to countries outside Switzerland or the EEA (e.g., to AI sub-processors in the United States), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with contractual commitments regarding data protection
- Assessment of the data protection laws in the recipient country
- Supplementary technical measures (encryption, pseudonymization) where necessary
9. Cookies and Tracking Technologies
Essential Cookies. We use strictly necessary cookies for authentication, session management, security, and load balancing. These cookies are required for the Service to function and cannot be disabled.
Analytics Cookies. With your consent, we may use privacy-focused analytics tools to understand how the Service is used and to improve it. Analytics data is anonymized and aggregated. We do not use analytics tools that transfer personal data to third countries without adequate safeguards.
No Advertising Cookies. We do not use advertising, retargeting, or cross-site tracking cookies. We do not participate in ad networks or share browsing data with advertisers.
Cookie Consent. On your first visit, you will be presented with a cookie consent mechanism that allows you to accept or reject non-essential cookies. You can modify your preferences at any time through the Service settings. Essential cookies do not require consent under Article 5(3) of the ePrivacy Directive, as they are strictly necessary for the service you explicitly requested.
10. Your Rights
Under the GDPR and the Swiss FADP, you have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR / Art. 25 FADP): Obtain confirmation of whether we process your personal data, and if so, access to that data and related information
- Right to Rectification (Art. 16 GDPR / Art. 32 FADP): Request correction of inaccurate or incomplete personal data
- Right to Erasure (Art. 17 GDPR / Art. 32 FADP): Request deletion of your personal data where there is no compelling reason for continued processing
- Right to Data Portability (Art. 20 GDPR / Art. 28 FADP): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller
- Right to Restrict Processing (Art. 18 GDPR): Request restriction of processing in certain circumstances
- Right to Object (Art. 21 GDPR): Object to processing based on legitimate interest, including profiling
- Right Regarding Automated Decision-Making (Art. 22 GDPR / Art. 21 FADP): Not be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Where autonomous actions are executed by EcomBrain, you retain full control over the scope of automation and may request human review of any automated decision.
- Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal
To exercise any of these rights, contact us at privacy@ecombrain.io. We will respond to your request within 30 days. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
Right to Lodge a Complaint. If you believe your data protection rights have been violated, you have the right to lodge a complaint with: (a) the Swiss Federal Data Protection and Information Commissioner (FDPIC); or (b) the supervisory authority in your country of residence within the EEA.
11. Third-Party Integrations
When you connect third-party services to EcomBrain (e.g., Shopify, Meta Ads, Klaviyo, Google Analytics), we access data from those services based on the permissions you grant. Each third-party service is governed by its own terms and privacy policy. We encourage you to review them.
We only access data that is necessary for the functionality you have authorized. You can disconnect any integration and revoke data access at any time through your EcomBrain account settings. Upon disconnection, we will cease collecting new data from that integration. Previously collected data is retained in accordance with our data retention policy (Section 12) unless you request deletion.
12. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this Policy:
- Account and Commerce Data: Retained for the duration of your active account, plus 30 days after account deletion to allow for data export
- Usage and Technical Data: Retained for up to 24 months for service improvement and security purposes, then anonymized or deleted
- Billing Records: Retained for 10 years as required by Swiss accounting law (Swiss Code of Obligations, Art. 958f)
- Communication Records: Retained for 24 months after the last communication, unless a longer period is required for legal proceedings
- Anonymized and Aggregated Data: May be retained indefinitely, as it does not constitute personal data
Upon account deletion, we initiate permanent deletion of your personal and commerce data within 30 days, except where retention is required by applicable law or for the establishment, exercise, or defense of legal claims.
13. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete such data promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. For material changes, we will provide at least 30 days' notice via email to the address associated with your account. The "Last updated" date at the top reflects the most recent revision.
We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.
15. Contact
For privacy-related questions, data subject requests, or concerns:
EcomBrain
Switzerland
Privacy inquiries: privacy@ecombrain.io
General legal: legal@ecombrain.io