Skip to main content

Legal

Privacy Policy

Version 4.0 · Last updated 2026-07-14

1. Introduction

This Privacy Policy describes how Omniconvert SRL (“Omniconvert”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal data in connection with the website and audit service operated at https://ecommercebenchmark.ai (the “Service”).

We have prepared this Policy to satisfy the information requirements of Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”) and to provide the disclosures required by the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively, the “CCPA”). Where additional rights or disclosures are required by other applicable laws, they apply in addition to (and not in substitution for) those described below.

You can use the Service anonymously: running an audit does not require an account. If you choose to create an account, to provide an email address (lead capture), or to accept analytics or marketing cookies, the additional processing described in this Policy will apply.

Accounts. You may create an account by signing in with Google, by registering an email address and password, by requesting a one-time sign-in link (“magic link”), or via Omniconvert single sign-on. The personal data associated with an account is described in §3.1.3.

2. Data Controller

The controller of personal data in connection with the Service is:

Omniconvert SRL — a private limited liability company organised under the laws of Romania, having its registered office at Strada Vasile Vasilievici Stroescu 14, 021374 Bucharest, Romania.

Contact for any privacy matter (including domain-removal requests for the public leaderboard): support@omniconvert.com. Mark leaderboard removals with “Leaderboard removal” in the subject line so they're routed to the operations queue (5-business-day SLA).

3. Personal Data We Process

We minimise the personal data we collect. The categories below reflect the totality of personal data we process in connection with the Service.

3.1 Data you provide to us directly

3.1.1 Audit submissions (no account required)

  • The Shopify storefront domain you submit for audit. A domain (e.g. examplestore.com) is not by itself personal data, but where the submitter chooses to audit their own store, the combination of domain + IP + timestamp can be associated with an identified or identifiable person.
  • Optional industry-category and country-of-operation filters you select.

3.1.2 Lead-capture submissions

  • Your email address, when you choose to provide it via the audit-results page or any other lead-capture surface.
  • The audit context (domain, score, module identifier) at the time of submission, associated with your email for the purpose of delivering the requested report by email.
  • Timestamp of the submission.

3.1.3 Account registration and sign-in

If you create an account, we process:

  • Your email address — the identifier for your account, and the address to which we send verification, sign-in and password-reset messages.
  • Your name and profile image, where you sign in with Google or Omniconvert SSO and that provider supplies them.
  • A password hash, where you register with an email address and password. We store a one-way bcrypt hash; we never store your password in a form we can read.
  • Sign-in provider tokens and identifiers, where you link a Google or Omniconvert SSO account, so that we can authenticate you on subsequent visits.
  • Session records, so you stay signed in between page loads.
  • Sign-in security events — including the email address used in a failed or denied sign-in attempt. We retain these to detect and investigate credential-stuffing and unauthorised access attempts. See §9 for retention.
  • Your store domain, where you associate one with your account.

3.1.4 Purchases

Where you buy credits, payment is taken on a hosted checkout page operated by our payment provider (Stripe). Your card details are entered on that page and never reach our servers — we do not receive or store them. We do process:

  • A record of the transaction — what was bought, how many credits, when, and its status — linked to your account.
  • Your billing email address, and any billing details you give the payment provider that it returns to us for invoicing.
  • Invoices and accounting records, which we are required by Romanian accounting and tax law to keep for ten years. That obligation overrides a request to delete the invoice itself (see §9 and §10.1).

3.2 Data we collect automatically

  • Technical metadata: IP address, user-agent string, screen size, referrer URL, accept-language header. Used for the operation, security, and rate-limiting of the Service, and (with consent) for anonymised analytics.
  • Server access logs: request method, path, response status, response duration. Retained for 7 days.
  • Audit results we generate: per-domain scores and module breakdowns that we compute from public data, cached for 7 days to avoid redundant work.
  • Cookies and similar technologies: see our Cookie Policy.
  • Error and performance telemetry (Sentry): when an application error or significant performance event occurs, pseudonymised technical traces (route, status code, stack trace, browser/OS labels) are sent to Sentry. We do not enable Sentry session replay — both replaysSessionSampleRate and replaysOnErrorSampleRate are configured at zero — and sensitive request headers (including authorisation and cookie headers) are stripped before transmission.

3.3 Data we obtain from third parties and public sources

  • Public web data about audited domains: when an audit runs, our systems fetch publicly available information about the audited storefront (robots.txt, sitemap, llms.txt, on-page metadata, JSON-LD structured data, payment-method indicators, and similar public signals). We do not retrieve protected or login-walled content.
  • Vendor-supplied aggregate data: our Creative, Reviews, and Competitor Synthesis modules consume aggregated data from third-party vendors (see §6 — Subprocessors) that themselves only process publicly accessible content (e.g. Meta Ad Library, Google Ads Transparency Center, publicly displayed customer reviews).

3.4 Special-category data

We do not knowingly or intentionally collect special categories of personal data (Article 9 GDPR) — including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning sexual orientation. We ask that you do not submit such data through the Service.

3.5 Data stored on your device

Some data is stored in your browser rather than on our servers — including, where you use those features, your email address (so we can pre-fill it when you request a report, and match a report back to you when it is ready). A full inventory of cookies and browser storage, including which entries contain an email address, is set out in our Cookie Policy. You can clear this data at any time through your browser.

4. Purposes and Legal Bases of Processing

We process personal data only where one of the legal bases set out in Article 6(1) GDPR applies. The matrix below maps each processing purpose to its legal basis.

Processing purposeLegal basis (GDPR Art. 6)Retention
Operate the audit pipeline (anonymous users)Legitimate interest — Art. 6(1)(f) (offering the Service)See §9 — 7-day cache; results by domain until removal; request records 24 months
Create and operate your account; authenticate youContract — Art. 6(1)(b) (steps taken at your request)Life of the account + 30 days
Record failed/denied sign-in attempts (account security)Legitimate interest — Art. 6(1)(f) (security, fraud prevention)12 months
Send the lead-capture confirmation emailConsent — Art. 6(1)(a)Until unsubscribe / deletion
Manage the business relationship in our CRM (HubSpot) — sales follow-up on audits requested by or for a business contactLegitimate interest — Art. 6(1)(f) (B2B relationship management); consent where the contact came from lead capturePer §9 — CRM record retention
Take payment and supply the credits you purchaseContract — Art. 6(1)(b)Life of the account; invoices per the statutory period below
Issue and retain invoices / accounting recordsLegal obligation — Art. 6(1)(c) (Romanian accounting and tax law)10 years
Rate limiting and abuse preventionLegitimate interest — Art. 6(1)(f) (security)30 days IP-correlated
Public leaderboard of audit scoresLegitimate interest — Art. 6(1)(f) (informational benchmarking — see §7)Until removal request
Cookies and similar analytics technologiesConsent — Art. 6(1)(a) (per banner)Per cookie — see Cookie Policy
Marketing-cookie deployment (where such campaigns are running)Consent — Art. 6(1)(a) (per banner)Per cookie — see Cookie Policy
Error and security telemetry (Sentry)Legitimate interest — Art. 6(1)(f)30 days
Comply with legal obligations (e.g. response to lawful orders)Legal obligation — Art. 6(1)(c)As required by law

You may withdraw any consent at any time, without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent, use the “Cookie preferences” control in the Service footer (for cookies) or contact us at support@omniconvert.com (for all other consents).

4.1 Marketing communications

We will not send you marketing communications (newsletters, product announcements, or commercial offers) by email or SMS unless you have given prior opt-in consent in compliance with the European ePrivacy Directive and applicable member-state implementations (in Romania, Law 506/2004), the UK Privacy and Electronic Communications Regulations 2003, the United States CAN-SPAM Act of 2003, and other applicable laws. The lead-capture confirmation email (a single message containing the audit summary you have explicitly requested) is a transactional communication and is sent on the basis of your explicit request, not as a marketing communication.

Every marketing communication we send (if any) will include a working unsubscribe mechanism.

5. Legitimate Interests

Where we rely on the legitimate-interests legal basis (Article 6(1)(f) GDPR), we have conducted a balancing test taking account of your reasonable expectations, the nature of the processing, and the safeguards we apply. In summary:

  • Anonymous audit operation. Providing an industry-benchmarking tool serves the legitimate interest of Omniconvert and of Shopify merchants seeking visibility into competitive positioning. Processing is limited to short-lived technical metadata and is necessary to operate the Service.
  • Public leaderboard. Publication of aggregate audit results by domain is an industry-recognised form of public benchmarking comparable to similar e-commerce ranking tools. We mitigate impact by (i) restricting publication to objectively computable, non-personal metrics (numeric scores derived from public data), (ii) providing an immediate, no-questions-asked opt-out via support@omniconvert.com, and (iii) honouring opt-outs within five business days.
  • Error and security telemetry. Necessary to detect, investigate, and remediate faults and security incidents. Data is pseudonymised and not used for profiling.

On request, we can provide a more detailed Legitimate Interests Assessment for any processing activity listed above. Contact support@omniconvert.com.

6. Subprocessors and Recipients

We rely on the following third-party service providers (“subprocessors”) to operate the Service. Each acts as a processor or sub-processor for Omniconvert under written contractual terms incorporating the data-protection obligations required by Article 28 GDPR. We maintain on file with Omniconvert legal a record of the data-processing terms and (where applicable) Standard Contractual Clauses or equivalent transfer mechanisms for each subprocessor.

SubprocessorFunctionDataLocation
DigitalOcean LLCManaged MySQL database hostingAudit, account, lead-capture, leaderboard dataEU region
Vercel Inc.Hosting for our staging/preview environment (production is self-hosted on Kubernetes)HTTP request/response, technical metadataEU + US edge nodes
Google LLC (Gemini API)LLM probes for the AI Visibility module and generated commentary (see §11)Audited domain + public web context onlyUS (DPF-certified)
Google LLC (GA4 + GTM)Analytics + tag managementCookie-based, consent-gatedUS (DPF-certified)
Google LLC (Sign-in with Google)Optional identity provider for account sign-inEmail address, name, profile image, OAuth tokensUS (DPF-certified)
HubSpot, Inc.Customer-relationship management — audits requested by or for a business contact are synced to our CRM for sales follow-upEmail address, first/last name, company website, audit contextUS (DPF-certified)
Omniconvert Hub (Omniconvert SRL internal service)Central account, identity, and credit/billing serviceAccount identifier, email address, credit balance and transaction recordsEEA (Romania)
Stripe, Inc. / Stripe Payments Europe Ltd.Payment processing for credit purchases. Card details are entered on Stripe’s own hosted checkout — we never receive or store themBilling email, payment and transaction recordsEEA (Stripe Payments Europe) + US transfer
Sentry (Functional Software Inc.)Error tracking and performance monitoringPseudonymised stack traces and request metadataUS (DPF-certified)
SendGrid (Twilio Inc.)Transactional email (lead-capture confirmation, audit reports, sign-in / verification / password-reset messages)Email address + audit contextUS (DPF-certified)
Meta Platforms Ireland Ltd.Marketing pixel, deployed via our tag manager only where a paid campaign is running and only after you accept marketing cookiesCookie/pixel eventsEEA (Meta Ireland) + US transfer
LinkedIn Ireland Unlimited Co.Marketing Insight Tag, deployed via our tag manager only where a paid campaign is running and only after you accept marketing cookiesCookie/pixel eventsEEA (LinkedIn Ireland) + US transfer
Omniconvert Nexus (Omniconvert SRL internal service)Creative & Ads + Competitor Synthesis module data aggregationPublic ad-library data per audited domainEEA (Romania)
Brandfeel (internal service)Reviews & UGC module data aggregationPublic review-platform data per audited domainEEA
CRO Benchmark (Omniconvert internal service)Auxiliary scoring dataPublic store-audit data per audited domainEEA (Romania)

We do not sell, rent, or trade your personal data to any third party. We do not share personal data with any party other than the subprocessors above except where (i) you direct us to, (ii) we are legally compelled by a court order or equivalent lawful demand, or (iii) we are required to in connection with a corporate transaction (e.g. merger, acquisition, asset sale), in which case any new controller will inherit obligations equivalent to those in this Policy and you will be notified.

7. Public Leaderboard

The Service publishes a public leaderboard at https://ecommercebenchmark.ai/leaderboard listing audited domains alongside numeric scores by industry category and country. The leaderboard is intended as an informational benchmarking tool for the Shopify ecosystem and is indexed by general search engines.

The leaderboard does not display the name, email address, or other personally identifying information of any data subject. It displays only the storefront domain (as a public identifier of the store) and computed scores.

Opt-out. If you operate an audited store and wish to have your domain removed from the leaderboard, email support@omniconvert.com from an email address associated with the domain (e.g. WHOIS contact, postmaster@, or a documented owner address). We will action the removal within five business days and add the domain to a do-not-re-audit list which is honoured by all future audits.

8. International Data Transfers

Some of our subprocessors are established outside the European Economic Area, primarily in the United States. Where personal data is transferred to a recipient in a country that has not received an adequacy decision under Article 45 GDPR, we rely on one or more of the following safeguards (Article 46 GDPR):

  • EU-US Data Privacy Framework (DPF). Where the recipient has self-certified under the DPF (or its UK or Swiss extensions), we rely on that certification as the adequacy mechanism. Recipients we believe to be DPF-certified are marked accordingly in §6.
  • Standard Contractual Clauses (SCCs). Where DPF certification is not available or not applicable, we rely on the European Commission's 2021 Standard Contractual Clauses (Decision 2021/914), incorporated into our agreement with the subprocessor, supplemented as appropriate by a transfer-impact assessment.
  • Consent. In a small number of cases (e.g. the transmission of cookie-set data to Meta or LinkedIn ad systems following your explicit acceptance of marketing cookies), the transfer occurs on the basis of your explicit consent under Article 49(1)(a) GDPR.

You may request a copy of the safeguards in place for any specific transfer by contacting support@omniconvert.com.

9. Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, after which it is deleted or anonymised. The following default retention periods apply:

Data categoryRetention period
Audit cache (the window in which we re-use a recent result instead of re-running an audit)7 days
Audit results by domain — the storefront domain and its computed scores (this is what powers the public leaderboard, and contains no personal data)Until domain removal request, or until a re-run overwrites the score
Audit request records — who asked for an audit (including an email address, where the audit was requested by a signed-in user, by our sales team on a contact’s behalf, or via lead capture)24 months from the request
Account data (email, name, profile image, password hash, linked sign-in provider tokens)For as long as the account exists; deleted within 30 days of account deletion
Session records30 days, or until sign-out
Sign-in security events (including the email address used in a failed or denied sign-in attempt)12 months
CRM records (HubSpot) — business contact and audit contextFor the duration of the business relationship and 24 months thereafter
Purchase and credit-transaction recordsLife of the account + 30 days
Invoices and accounting records10 years (statutory — Romanian accounting law). This obligation overrides a deletion request for the invoice itself.
Lead-capture submissions24 months from submission, then deleted unless the data subject otherwise instructs
IP-correlated rate-limit data30 days
Free-audit device identifier (see Cookie Policy)400 days
Error and security telemetry (Sentry)30 days
Server access logs7 days
Records of consent and consent withdrawal3 years (to evidence compliance with Art. 7(1) GDPR)
Records relating to legal claims or regulatory inquiriesUntil 6 years after the matter is concluded

10. Your Rights

10.1 GDPR rights (EEA / UK)

Where the GDPR or UK GDPR applies to the processing of your personal data, you have the following rights:

  • Right of access — to obtain confirmation of whether we process your personal data, and a copy of that data (Art. 15).
  • Right to rectification — to have inaccurate data corrected and incomplete data completed (Art. 16).
  • Right to erasure (“right to be forgotten”) — to have your data deleted in the circumstances set out in Art. 17.
  • Right to restriction of processing — to limit how we use your data in certain circumstances (Art. 18).
  • Right to data portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller, where the processing is based on consent or contract and carried out by automated means (Art. 20).
  • Right to object — to object on grounds relating to your particular situation to processing carried out on a legitimate-interest basis (Art. 21), including profiling.
  • Right not to be subject to automated decision-making — see §11 below. We do not carry out automated decision-making with legal or similarly significant effects on data subjects.
  • Right to information about the source of indirectly collected data — where personal data is collected from sources other than you directly (see §3.3), you have the right under Article 14 GDPR to know the source of that data. We will provide this information on request.
  • Right to withdraw consent — at any time and without giving reasons, where processing is based on consent (Art. 7(3)).
  • Right to lodge a complaint — with a supervisory authority, in particular in the member state of your habitual residence, place of work, or place of the alleged infringement.

For Romanian residents, the competent supervisory authority is the Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), B-dul G-ral Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania — https://www.dataprotection.ro.

For UK residents, the competent supervisory authority is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom — https://ico.org.uk.

10.2 CCPA rights (California residents)

If you are a California resident, the CCPA grants you the following rights with respect to the personal information we collect about you:

  • Right to know — the categories of personal information collected, the categories of sources, the business or commercial purpose for collection, the categories of third parties with whom we share, and the specific pieces collected.
  • Right to delete — request deletion of personal information we have collected from you, subject to legal exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt-out of sale or sharing — we do not sell personal information for monetary consideration. Where we run paid advertising campaigns, pixel events may be disclosed to Meta and LinkedIn, but only after you explicitly enable marketing cookies; that may constitute “sharing” under the CPRA. You may decline marketing cookies via the consent banner at any time, with effect equivalent to an opt-out of sharing. Disclosures to our CRM (HubSpot) and to the other subprocessors in §6 are made for business purposes under written processor terms and are not a sale or sharing.
  • Right to limit use of sensitive personal information — we do not process sensitive personal information as defined by the CPRA (Cal. Civ. Code §1798.140(ae)), so this right does not arise in practice.
  • Right to non-discrimination — we will not deny or charge differently for the Service in retaliation for exercising any of these rights.

See §10.3 below for how to exercise any of these rights. CCPA requests should use the subject line “CCPA request”; we'll verify them as required by Cal. Civ. Code §1798.130 before responding.

10.3 How to exercise your rights

To exercise any right under either GDPR or CCPA, email support@omniconvert.com from the email address associated with your data, or use the “Cookie preferences” control in the footer to manage cookie consent. We will respond within one month of receiving a verifiable request, extendable by two further months where necessary in light of the complexity and number of requests (Art. 12(3) GDPR); if we extend, we will inform you within the initial one-month period.

We may need to verify your identity before acting on a request. For anonymous-use data, please provide identifying information sufficient to locate the record (e.g. approximate timestamp and audited domain) and reply from an email address you can demonstrate ownership of (where applicable).

Data exported in response to a portability request is provided in a structured, commonly used, machine-readable format (currently JSON; CSV available on request) and is delivered by a secure download link sent to the verified email address associated with the request.

11. Automated Decision-Making, Profiling, and Use of AI

We do not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you (Article 22 GDPR). Audit scores describe a storefront, not a person: they are informational benchmarks computed from publicly accessible data about a website, and they do not constitute decisions about any individual.

How the score is produced. Most of the audit is computed by deterministic, rule-based checks against publicly accessible data. In addition, we use a large language model (Google Gemini — see §6) to run part of the AI Visibility module and to generate the written commentary that accompanies each section. Model output is used only to describe and explain a storefront's public presence; it is not used to evaluate, rank, or make decisions about any individual.

12. Children

The Service is intended for users acting in a business capacity (e.g. e-commerce operators, marketers, agencies). It is not directed at children.

We do not knowingly process personal data of children under the age applicable in your jurisdiction (16 years in Romania and most EEA member states, lower thresholds may apply where a member state has so legislated under Article 8(1) GDPR; 13 years in the United States under COPPA). If you are below the applicable age, do not use the Service. If you believe we may have inadvertently collected data from a child, contact support@omniconvert.com and we will promptly delete it.

13. Security

We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, having regard to the state of the art, the costs of implementation, and the nature of the processing (Article 32 GDPR). These include, without limitation:

  • TLS encryption for all data in transit; HTTPS with HSTS for all site traffic.
  • Database connections encrypted in transit; encryption at rest at the infrastructure layer.
  • Modern HTTP security headers, including Strict-Transport-Security (with includeSubDomains and preload), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Cross-Origin-Opener-Policy. A Content-Security-Policy is deployed in report-only mode pending stabilisation in production traffic.
  • Principle-of-least-privilege access controls for personnel; secret material handled exclusively via Doppler and equivalent secret-managers, never in source code or chat.
  • Periodic review of subprocessor security posture and contractual data-protection terms.
  • Automated dependency vulnerability scanning on the application codebase; manual review of significant changes.

No method of transmission over the internet or method of electronic storage is fully secure. While we strive to use commercially reasonable means, we cannot guarantee absolute security.

14. Data Breach Notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it (Article 33 GDPR). Where a breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay (Article 34 GDPR).

15. Changes to This Policy

We may amend this Policy from time to time to reflect changes in the Service, in applicable law, or in industry practice. The “Last updated” date above will be revised on each amendment. Material changes (those that materially expand the scope of processing or reduce your rights) will be highlighted on the Service for at least 30 days before taking effect.

16. Contact

For any question relating to this Policy, to your personal data, or to request domain removal from the public leaderboard, contact support@omniconvert.com. We'll route your message to the appropriate team. Postal address (for matters that require it): Omniconvert SRL — Privacy, Strada Vasile Vasilievici Stroescu 14, 021374 Bucharest, Romania.