Privacy Policy

Effective date: 1 May 2025

1. Introduction

GATE Education UG (haftungsbeschränkt) (“we”, “us”, or “our”) operates OpKart (“the Service”). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Service. We are committed to complying with the General Data Protection Regulation (GDPR) and applicable German data protection law.

2. Data Controller

The data controller responsible for your personal data is:

GATE Education UG (haftungsbeschränkt)
App 505, Jülicher Str. 16, 13357 Berlin, Germany
Email: arvi@opkart.co

3. Data We Collect

We collect the following categories of personal data:

Account data: Name, email address, and hashed password when you register an account.
Workspace data: Your brand or workspace name, connected Shopify domain, and configuration preferences.
Product data: Product titles, descriptions, attributes, URLs, and associated content imported from your store or entered manually.
Usage data: Pages visited, features used, analysis runs, timestamps, and interaction logs for service improvement and usage quota management.
Payment data: Billing information is handled by our payment processors (Stripe, Razorpay). We do not store card numbers or full payment credentials. We receive payment confirmation metadata (transaction IDs, plan type, billing status).
Technical data: IP addresses, browser type, device information, and cookies collected automatically when you use the Service.

4. How We Use Your Data

We use your personal data to:

Provide, operate, and maintain the Service;
Manage your account and authenticate your identity;
Process payments and manage subscription billing;
Connect to your Shopify store and import product data;
Run AI visibility analyses and generate content suggestions;
Track and enforce usage quotas per plan;
Send transactional communications (e.g. account confirmations, billing notices);
Improve and debug the Service through aggregated usage analytics;
Comply with legal obligations.

5. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases under Article 6 GDPR:

Contract performance (Art. 6(1)(b)): processing necessary to provide the Service you have subscribed to;
Legitimate interests (Art. 6(1)(f)): service security, fraud prevention, and product improvement;
Legal obligation (Art. 6(1)(c)): compliance with applicable law, including tax and accounting requirements;
Consent (Art. 6(1)(a)): where you have explicitly opted in, e.g. for marketing emails.

6. Third-Party Services and Processors

We share data with trusted third-party service providers who process it on our behalf:

Supabase (PostgreSQL) — database hosting for all account and product data;
Stripe — payment processing and subscription management. Stripe Privacy Policy;
Razorpay — alternative payment processing. Razorpay Privacy Policy;
OpenRouter / OpenAI / Google / Perplexity — AI inference providers for visibility analysis. Product content may be sent to these services to generate analysis results;
Shopify — store integration to import product data. Your Shopify store credentials are stored encrypted.

All processors are contractually bound to protect your data and use it only as instructed by us.

7. Cookies and Tracking

We use an HTTP-only session cookie (“sf_session”) to authenticate your login session. This cookie is strictly necessary for the Service to function and is not used for advertising. We do not currently use third-party analytics cookies or tracking pixels. If this changes, we will update this policy and request consent where required.

8. Data Retention

We retain your personal data for as long as your account remains active or as necessary to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by applicable law (e.g. tax records, which we may retain for up to 10 years in accordance with German commercial law).

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access — to obtain a copy of the personal data we hold about you;
Right to rectification — to correct inaccurate or incomplete data;
Right to erasure — to request deletion of your data (“right to be forgotten”);
Right to restriction — to limit how we process your data in certain circumstances;
Right to data portability — to receive your data in a structured, machine-readable format;
Right to object — to object to processing based on legitimate interests;
Right to withdraw consent — where processing is based on consent, to withdraw it at any time.

To exercise any of these rights, contact us at arvi@opkart.co. You also have the right to lodge a complaint with a supervisory authority — in Germany, this is the relevant state data protection authority (Datenschutzbeauftragter).

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, or disclosure. These include encrypted connections (TLS/HTTPS), HTTP-only session cookies, hashed password storage, and restricted database access. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

11. International Data Transfers

Some of our service providers (including AI providers) may process your data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses or adequacy decisions, in accordance with Chapter V of the GDPR.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice in the Service. The effective date at the top of this page will reflect the latest version.

13. Contact

For privacy-related enquiries, to exercise your rights, or to lodge a complaint, please contact:

GATE Education UG (haftungsbeschränkt)
App 505, Jülicher Str. 16, 13357 Berlin, Germany
Email: arvi@opkart.co