Privacy Policy
Last updated: 2026-04-29
This Privacy Policy explains how RODEAPPS SRL (Romania, EU/EEA), operator of the Praxora brand and the Praxora Ads service (collectively, "Praxora", "we", "us"), handles personal data collected through:
- The marketing site at praxora.io (the "Site")
- The Praxora Ads Shopify app accessible at shopify.praxora.io (the "App")
- Email communications we send (e.g., the daily briefing, waitlist confirmations)
We are the data controller for the personal data described in this policy unless otherwise noted. This policy is structured to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and the Brazilian Lei Geral de Proteção de Dados (LGPD).
If you have questions or want to exercise any rights described below, contact privacy@praxora.io.
1. Who we are
| Item | Detail |
|---|---|
| Legal name | RODEAPPS SRL |
| Registered office | 3-5 Câmpul Pânii Street, 5th floor, Cluj-Napoca, Romania |
| Cluj Trade Register | J12/1945/2011 |
| Tax identification (CUI) | RO28911249 |
| Trading name | Praxora |
| Privacy contact | privacy@praxora.io |
| Site | https://praxora.io |
| App | https://shopify.praxora.io |
| EU representative (Art. 27 GDPR) | Not separately appointed — we are EU-established. |
2. What we collect, why, and the legal basis
We collect different categories of personal data depending on how you interact with us. We collect only what we need; we do not collect special-category (sensitive) personal data.
2.1 If you visit the Site
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| IP address | Rate-limit abuse of the waitlist endpoint; serve the site via Cloudflare | Legitimate interest (security) |
| Browser, device, referrer, UTM parameters | Aggregate analytics via Cloudflare Web Analytics (cookieless) | Legitimate interest |
| Email address (if you submit the waitlist form) | Notify you when Praxora opens; product launch communications | Consent |
| Monthly ad spend / platforms used (optional fields) | Cohort selection signal | Consent |
The Site does not set tracking or advertising cookies. Cloudflare Web Analytics is cookieless.
2.2 If you install and use the App
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Shopify shop domain, owner email, locale, timezone, currency | Identify your account; localize the daily briefing | Contract (provision of the Service) |
| Shopify orders, products, customers, analytics (per scopes you grant) | Provide the unified dashboard and AI insights | Contract |
| OAuth tokens for connected ad platforms (Meta, TikTok) — encrypted | Pull ad performance data on your behalf | Contract |
| Ad campaign, ad set, ad performance metrics | Generate dashboard, insights, and daily briefings | Contract |
| Briefing email address (if different from Shopify owner email) | Deliver the daily briefing | Contract |
| Plan tier, billing status (via Shopify) | Gate paid features | Contract |
| Audit logs of in-app actions, including Pro tier autonomous actions | Provide the audit log feature; respond to support requests | Contract; legitimate interest |
| Support emails or feedback | Provide support; improve the product | Legitimate interest |
| Creative assets uploaded to Content Studio (Pro tier) | Reformat and publish on your behalf | Contract |
Payment information. Praxora does not see, collect, or store your full payment instrument. Billing for paid tiers runs through Shopify's Billing API; Shopify (and its payment processors) handle the card or bank-account details. We only receive plan-tier and billing-status signals.
We do not store individual end-customer personal data from your Shopify store beyond what's needed for the dashboard. We keep only merchant-level summary metrics — totals, ratios, and time-bucketed counts — derived from your orders; we do not retain individual order or customer records on our infrastructure beyond the moment those summaries are computed. We treat Shopify customer-data webhooks (mandatory for App Store apps) as data-deletion signals.
2.3 Cookies and similar technologies
The Site uses no third-party tracking cookies. The App uses Shopify session cookies (set by Shopify, not by us) for embedded-app authentication. We do not place advertising or marketing cookies on either surface.
2.4 AI processing
Some Service features use a third-party large-language-model API to generate summaries, insights, and briefings. We send only the data needed for the specific request — typically aggregated, merchant-level metrics, never individual customer-identifying data. The AI provider we use is bound by a data processing agreement and an explicit no-training, no-retention contractual commitment (prompts and outputs are not retained or used to train any model). We may change AI providers; the same contractual protections apply to any successor.
3. How we share data
We share personal data only with the sub-processors listed in our Sub-processor list, each of whom is bound by a data processing agreement and the EU Standard Contractual Clauses where applicable.
We do not:
- Sell or rent personal data to third parties
- Use Merchant Data to train any public AI model
- Share Merchant Data with anyone for advertising or marketing purposes outside what's needed to operate the Service
We may share personal data:
- With Shopify (the App is hosted in their admin and bound by their Partner Program Agreement)
- With Meta and TikTok via authenticated API calls on your behalf, only at your direction
- If required by valid legal process (court order, regulator request) — we will, where lawful, notify you first
- In connection with a merger, acquisition, or sale of substantially all assets — in which case we will notify you and you can request deletion before transfer
4. Where data is stored and transferred
The App's primary infrastructure is hosted in the EU (Frankfurt, eu-central-1) on Amazon Web Services. Marketing-site infrastructure is hosted on Cloudflare Pages globally.
Some sub-processors process data outside the EU. Where they do, we rely on the EU Commission Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms. The current sub-processor list discloses each one's location.
If you are in the EU, EEA, UK, or Switzerland, your personal data may be transferred to and processed in regions outside your home jurisdiction (notably the US for our AI provider, transactional email delivery, and Cloudflare's global edge). The SCCs apply to those transfers.
5. Data retention
| Data | Retention |
|---|---|
| Waitlist email + segment | Until you unsubscribe, or 6 months after public launch, whichever is sooner |
| Cloudflare Web Analytics aggregate page views | 6 months (Cloudflare default) |
| App account data, ad performance metrics, audit logs | Active for the duration of your subscription; deleted within 30 days of uninstall (subject to Shopify's customer/shop data webhook timing) |
| Encrypted OAuth tokens | Active for the duration of the connection; revoked and deleted on disconnect or uninstall |
| Content Studio uploaded assets (Pro tier) | Active for the duration of your subscription; deleted within 30 days of uninstall |
| Backups | Up to 30 days after the primary record is deleted |
| Support emails | 24 months from last contact, then deleted |
| Billing records (legal retention) | 10 years (Romanian fiscal-record requirement) |
If you uninstall the App, Shopify sends us mandatory webhook notifications to delete shop and customer data. The three Shopify-mandated webhooks — customers/redact (delete data about a specific customer), shop/redact (delete all shop data after uninstall), and customers/data_request (provide a data export for a specific customer on request) — are honored within the timelines required by Shopify (typically 30 days for redaction).
6. Your rights
Depending on where you live, you have some or all of the rights below. To exercise any of them, email privacy@praxora.io with your shop domain or waitlist email and the request type. We respond within 30 days (sometimes sooner). There is no charge.
Under GDPR / UK GDPR (if you are in the EU/EEA/UK)
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure ("right to be forgotten") — delete your personal data, subject to legal retention requirements
- Restriction — limit processing while a dispute is resolved
- Portability — receive your personal data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — withdraw any consent you previously gave; this does not affect the legality of past processing
- Lodge a complaint — with your local supervisory authority (for Romania-based individuals: ANSPDCP)
Under CCPA / CPRA (if you are a California resident)
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of the "sale" or "sharing" of personal information — we do not sell or share personal information for cross-context behavioral advertising, but you have the right to make this election regardless
- Right to limit use of sensitive personal information — we do not collect sensitive PI as defined under CPRA
- Right to non-discrimination for exercising any of the above
Under LGPD (if you are in Brazil)
The same access, rectification, erasure, portability, objection, and complaint rights as under GDPR. Complaints can be filed with the ANPD.
7. Security
We protect personal data with reasonable technical and organizational measures, including:
- TLS 1.2+ for all data in transit
- AES-256 encryption at rest for OAuth tokens and other sensitive fields
- Token scopes limited to the minimum permissions for the merchant's tier
- Disconnect actions revoke our access on the third-party platform side, not just locally
- Audit logging of administrative actions
- Restricted access to production systems on a need-to-know basis
No system is perfectly secure. If we ever experience a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and (where required) affected individuals as required by GDPR Art. 33–34.
8. Children
The Service is intended for adults operating Shopify businesses. To use the Service you must be at least 18 years old (see the Terms of Service for the full eligibility requirement). We do not knowingly collect personal data from anyone under 18. If you believe we have collected such data, contact privacy@praxora.io and we will delete it.
9. Automated decision-making
The Pro tier includes Director, which makes autonomous budget-allocation decisions based on rolling-window performance metrics. These are operational decisions about your ad-spend, not decisions about you as an individual; they do not produce legal effects on you within the meaning of GDPR Art. 22. The decisions are constrained by guardrails you set and can be paused at any time via the kill switch.
10. Changes to this policy
We may update this policy. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated to active Merchants via email or in-app notice at least 30 days before they take effect.
11. Contact
For all privacy questions, requests, or complaints:
- Email: privacy@praxora.io
- Postal: RODEAPPS SRL, 3-5 Câmpul Pânii Street, 5th floor, Cluj-Napoca, Romania