Privacy Policy

1. Who we are

Nimble is operated by Max Ninthara (individual developer, personal entity).

• Contact email: help@nimblevc.com
• Security contact: security@nimblevc.com
• Mailing address: Available on request via help@nimblevc.com

2. Scope

This Privacy Policy covers information collected via:

• The Nimble Shopify app (embedded admin dashboard)
• OAuth token exchange between Shopify and Nimble
• Webhooks sent by Shopify to Nimble
• Interactions you have with the Nimble dashboard

It does not cover:

• Your customers' data (we do not collect it)
• Your Shopify account credentials (these stay with Shopify)
• Third-party services you may use alongside Nimble (see those services' privacy policies)

3. Information we collect

3.1 Information you provide

• Your shop's myshopify.com domain
• Brand context you optionally add (competitors, target audiences, approved claims, prohibited claims, language rules)
• Content feedback (approve / edit / reject on generated pieces)

3.2 Information we collect from Shopify (via your authorization)

• Product information (names, descriptions, handles, prices), OAuth scope read_products
• Existing blog articles and pages, OAuth scope read_content
• Your theme settings, OAuth scope read_themes (read-only; we never modify your theme)
• Files you have in your Shopify Files library, OAuth scope read_files

3.3 Information we create on your behalf (and write back to Shopify)

• Blog articles published to your Shopify blog, OAuth scope write_content
• Images uploaded to your Shopify Files, OAuth scope write_files

3.4 Technical information

• Shopify-provided session tokens (JWT) for authentication
• OAuth access tokens (refreshed automatically, encrypted at rest)
• Request logs (shop domain, endpoint, status code, timestamp), retained 30 days for operational reliability

3.5 Information we do NOT collect

• Customer personal data (names, emails, shipping addresses)
• Order data (line items, totals, payment info)
• Inventory / stock levels
• Analytics data (visitor counts, session recordings, revenue)
• Credit card information (Shopify handles all billing)

4. How we use your information

We use the information above only to:

1. Generate marketing content tailored to your brand (SEO blog articles, social media copy, email content, Pinterest posts, video scripts, strategy briefs)
2. Publish approved content to your Shopify store
3. Display an embedded dashboard in your Shopify admin showing your brand profile, content feed, activity log, and billing status
4. Run automated quality checks on generated content before delivery
5. Support you via the email you have on file with Shopify
6. Comply with legal obligations (tax, record-keeping, lawful requests)

We do not use your data to:

• Train AI models on behalf of third parties
• Build competitive intelligence against you or your peers
• Target your customers with advertising
• Enrich third-party data brokers

5. AI processing

We use Anthropic's Claude models to generate content. When we do:

• Your brand context and product data are sent to Anthropic as prompts
• Anthropic does not train on API inputs by default (per their published API terms; we re-verify periodically)
• Anthropic retains prompts briefly for abuse detection (per their published retention policy)
• We do not use any AI provider that trains on API inputs

If this changes (e.g., we evaluate a different provider), we will update this policy and notify you before any change takes effect.

6. How we share your information

We share data only with service providers that make Nimble work:

We do not:

• Sell your data
• Rent your data
• Share your data with advertisers
• Share your data with other merchants

We may disclose data when required by law (e.g., subpoena, court order) or to protect safety, rights, or property. We will notify you unless legally prohibited.

7. Data security

• Encryption at rest: All data stored in Supabase with AES-256 encryption
• Encryption in transit: HTTPS/TLS on every endpoint
• Row-level security: Enforced on every database table so one merchant can never read another's data
• Token storage: OAuth tokens stored in Supabase Vault; never logged, never sent in headers
• Webhook verification: HMAC signatures verified on every Shopify webhook using timing-safe comparison
• Rate limiting: in place on every endpoint to prevent abuse
• Access controls: Production database access limited to Max Ninthara; every access is audit-logged
• Regular security reviews: Codebase reviewed for common vulnerabilities (OWASP Top 10, credential leakage)

No system is 100% secure. If we discover a breach affecting your data, we will notify you within 72 hours of discovery.

8. Data retention

• While you're a Nimble customer: we retain all data necessary to provide the service
• When you uninstall: we receive Shopify's app/uninstalled webhook and mark your brand as inactive within minutes. OAuth tokens are invalidated.
• On shop/redact webhook (Shopify GDPR endpoint): we delete your stored credentials and brand data within 30 days, per Shopify's GDPR webhook spec.
• Backups: Supabase maintains encrypted backups for 30 days. Backups containing deleted data are purged on the 30-day rolling cycle.
• Operational logs: request logs retained 30 days, then deleted.
• Aggregate non-identifying metrics: counts of content generated and error rates, retained indefinitely and not linkable back to you or your store.

9. Your rights

You have the right to:

• Access the data we hold about you
• Correct inaccurate data
• Delete your data (uninstall triggers this automatically; we honor customers/redact and shop/redact Shopify webhooks)
• Export your data in a machine-readable format
• Object to processing
• Restrict certain processing activities
• Withdraw consent at any time by uninstalling the app

For California residents (CCPA / CPRA)

In addition to the above, you have the right to know the categories of information collected, the purposes, and third parties with whom we share. This document provides that disclosure. We do not sell your information under the CCPA definition of "sell."

For EU / EEA / UK residents (GDPR / UK-GDPR)

Our lawful basis for processing is contract (the app you installed) and, where applicable, legitimate interest (e.g., abuse detection, service reliability). You have the right to lodge a complaint with your national data protection authority.

Exercising your rights: email help@nimblevc.com with "Privacy Request" in the subject. We respond within 30 days.

10. International data transfers

Nimble operates from the United States. When you use the app from outside the US, your data is transferred to the US for processing. We rely on:

• Your consent (captured at OAuth install) for initial transfer
• Standard Contractual Clauses (SCCs) with our processors where applicable

We do not transfer data to countries without adequate protection safeguards.

11. Children

Nimble is a B2B tool for merchants. We do not knowingly collect information from anyone under 18. If you believe a minor has provided information to us, please email help@nimblevc.com and we will delete it.

12. Changes to this policy

We may update this policy. When we do:

• We will update the "Last updated" date at the top
• For material changes (new data collection, new sharing categories, new uses), we will notify active merchants by email at least 30 days before the change takes effect
• Continued use after the effective date constitutes acceptance

13. Contact

For privacy questions, data requests, or to report a concern:

• Email: help@nimblevc.com (general privacy)
• Email: security@nimblevc.com (security issues)
• Response time: within 5 business days for general requests; 72 hours for security incidents

This policy is written in plain English deliberately. If anything is unclear, email us and we'll explain.