Privacy Policy
Last Updated: May 16, 2026
1. Data Controller
The data controller responsible for processing your personal data is:
NekoPulse
Contact: [email protected]
Operating from: C/ Juan XXIII, Parla, Madrid, Spain (European Union)
As a service operating within the EU, this policy complies with the General Data Protection Regulation (GDPR — Regulation 2016/679).
2. What Data We Collect and Why
We collect only the data strictly necessary to provide our service. We do not collect personal data from your end-users.
| Data | Purpose | Retention |
|---|---|---|
| Name and email address | Account creation, report delivery, service communications | Duration of contract + 12 months |
| Billing information | Payment processing via Stripe (we do not store card details) | As required by applicable tax law (typically 5 years) |
| Business performance metrics (revenue, churn, retention, AOV, orders) sourced from your Shopify and/or Stripe accounts via read-only API, Google Analytics 4 (optional, if connected), or provided directly via CSV upload | Generating your weekly Signal Briefing reports | Duration of active subscription |
| Website usage data (session cookies) | Essential site functionality | Session duration |
3. Legal Basis for Processing
We process your data under the following legal bases as defined by Article 6 of the GDPR:
- Performance of a contract (Art. 6.1.b) — the primary basis. Processing your account data and business metrics is necessary to deliver the service you have subscribed to.
- Compliance with a legal obligation (Art. 6.1.c) — applies to billing data retained for tax and accounting purposes.
- Legitimate interests (Art. 6.1.f) — applies to essential website cookies and basic security logging. These interests do not override your rights.
We do not process your data based on consent or for automated decision-making that produces legal or similarly significant effects.
4. Recipients — Who We Share Data With
We do not sell, rent, or trade your data. We share data only with the following processors, under contractual data processing agreements, and solely to the extent necessary to operate the service:
- Stripe, Inc. — payment processing and subscription management. Stripe is certified under the EU-US Data Privacy Framework.
  Privacy policy: stripe.com/privacy
- Shopify Inc. — e-commerce data source. We connect via read-only API using credentials you provide. Data processed solely to generate your weekly report.
  Privacy policy: shopify.com/legal/privacy
- Google LLC (Google Analytics 4) (optional — only applies if you connect GA4) — we connect to GA4 via read-only API on your behalf, using credentials you provide. Google acts as a sub-processor under your existing Google agreement, not ours. If GA4 is not connected, no data is exchanged with Google Analytics.
  Privacy policy: policies.google.com/privacy
- Make.com (Celonis SE) — automation infrastructure used to run the data pipeline. Data processed within EU servers.
  Privacy policy: make.com/en/privacy-notice
- Google LLC (Google Drive and Gmail) — report storage and delivery.
  Privacy policy: policies.google.com/privacy
No other third parties receive your data.
5. International Data Transfers
Our primary operations and data processing infrastructure are located within the European Union. Where data is transferred to the United States (Stripe, Google), such transfers are covered by the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
6. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights, which you may exercise at any time by contacting us at [email protected]:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18) — request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
We will respond to all requests within 30 days. If you believe your rights have not been respected, you have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD): aepd.es
7a. Data Security
We implement the following measures to protect your data:
- All API connections use OAuth 2.0 or read-only API key authentication.
- Data in transit is encrypted via TLS 1.2 or higher.
- Business metric data is processed to generate reports and is not retained beyond the active subscription period.
- Access to client data is restricted to automated pipeline processes only — no human operator reads your business metrics as part of normal operations.
In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33-34 GDPR.
7b. API Credential Storage and Retention
When you connect your Shopify, Stripe, or Google Analytics 4 account, your API credentials are handled as follows:
- Your keys are encrypted in transit via TLS 1.2+ from the moment of submission.
- They are stored in a secured, EU-based encrypted data store (Make.com) for the duration of your active subscription, as they are required to execute your weekly automated pipeline.
- No NekoPulse personnel can access your credentials during normal operations. The credential-to-report lifecycle is fully automated.
- Upon subscription cancellation, your credentials and associated business data are permanently deleted within 30 days.
- You may request immediate deletion at any time by contacting [email protected]. We will confirm deletion within 7 business days.
- This retention model is the minimum necessary to deliver the weekly service you have subscribed to, and is covered under the legal basis of performance of contract (Art. 6.1.b GDPR).
8. Cookies
We use essential cookies for website functionality and Google Analytics 4 (GA4) to understand how users interact with our site. GA4 uses cookies to collect anonymous data such as page views and session duration.
You may manage or disable analytical cookies at any time through your browser settings without affecting core service functionality.
9. Changes to This Policy
We may update this policy to reflect changes in our service or applicable law. We will notify active subscribers by email at least 14 days before material changes take effect. The current version is always available at Privacy Policy.
10. Contact
For any questions about this policy or to exercise your rights:
📧 [email protected]
Response time: within 30 days of receiving your request