Privacy policy

01Who we are
02Information we collect
03How we use it
04Legal bases
05AI and automated processing
06Sharing & subprocessors
07International transfers
08Retention
09Your rights
10Security
11Cookies
12Children
13Changes
14Contact

01Who we are

40rty Ltd. ("40rty", "we", "us") operates the website at 40rty.ai and provides AgentIQ, a Shopify-native application that audits and optimizes product catalogs for AI shopping agents. We are the data controller for personal information collected through our website and the data processor for store data you choose to connect through AgentIQ.

02Information we collect

We collect only what we need to run the service and improve it.

Account information. Name, email, role, company, and authentication identifiers when you sign up or log in.
Shopify store data. When you install AgentIQ, we access product, collection, metafield, and review data through the Shopify API under the scopes you approve. We do not access customer PII, payment data, or order line items unless a feature you explicitly enable requires it.
Usage data. Pages visited, features used, performance metrics, error logs, IP address, browser, device, and approximate location (city / region).
Communications. Messages you send to support, sales, and demo requests.
Marketing. If you submit a form on our website or attend an event, we record the contact details you provide.

03How we use it

To deliver and maintain AgentIQ — auditing your catalog, scoring agent readiness, generating recommendations.
To support you, respond to requests, and send service notices.
To improve product quality, debug issues, and develop new features.
To detect, prevent, and address abuse, fraud, and security incidents.
To meet legal, regulatory, and contractual obligations.
With your consent, to send product updates and marketing you've opted into.

04Legal bases (EU / UK)

For users in the European Economic Area or the United Kingdom, we rely on the following bases under GDPR / UK GDPR:

Contract. To provide AgentIQ to you under our terms of service.
Legitimate interests. To improve our product, secure our systems, and run a sustainable business — balanced against your rights and expectations.
Consent. For marketing communications and non-essential cookies. You can withdraw consent at any time.
Legal obligation. Where required by law (tax, accounting, regulatory requests).

05AI and automated processing

AgentIQ uses machine learning models — some operated by 40rty, some operated by third-party AI providers — to evaluate product listings, generate recommendations, and produce written drafts. We disclose this clearly:

We do not train our models on your catalog data without an explicit opt-in. Customer data is processed to generate outputs for you and is not used to train base models.
We do not sell your data to AI providers, advertisers, or data brokers.
Automated outputs are recommendations, not changes. 40rty does not edit your Shopify product listings automatically. You stay in control of every change that ships.
Right to human review. Where automated processing produces a decision that significantly affects you, you have the right to request human review under Article 22 GDPR and equivalent local laws.
Where we use third-party AI providers as subprocessors, they are contractually bound to comparable confidentiality and security standards. The current list is published at our subprocessor request inbox.

06Sharing & subprocessors

We share personal information only with:

Subprocessors we engage to operate AgentIQ — cloud hosting, error monitoring, customer support tooling, payment processing, AI inference providers, and analytics. All are bound by data processing agreements.
Shopify, when you install AgentIQ. Shopify's own privacy practices govern data on the Shopify platform.
Authorities, when legally compelled and only to the extent required.
An acquirer, in the event of a merger, acquisition, or asset sale — with prior notice and the same privacy commitments.

We do not sell personal information as defined by the California Consumer Privacy Act (CCPA / CPRA), Virginia CDPA, Colorado CPA, or comparable U.S. state privacy laws.

07International transfers

40rty is established in the European Union. We may transfer personal data to subprocessors in the United States, the United Kingdom, and other jurisdictions. Where required, we use Standard Contractual Clauses, the EU–U.S. Data Privacy Framework, the UK International Data Transfer Addendum, or equivalent transfer mechanisms.

08Retention

We retain personal information for as long as your account is active and for a limited period afterward to meet legal, accounting, and dispute-resolution needs. Audit data is retained for 24 months by default. You can request earlier deletion at any time — see "Your rights" below.

09Your rights

Depending on where you live, you have some or all of the following rights:

Access the personal data we hold about you.
Correct inaccurate data.
Delete data (subject to legal retention requirements).
Port your data in a machine-readable format.
Restrict or object to certain processing.
Withdraw consent at any time for processing based on consent.
Opt out of automated decision-making and request human review.
Lodge a complaint with your local data protection authority.

To exercise any right, email contact@40rty.ai. We respond within 30 days.

10Security

We use encryption in transit (TLS 1.3) and at rest (AES-256), role-based access control, audit logging, and regular third-party penetration testing. Our team operates on the principle of least privilege; production access is logged and reviewed. We will notify affected users and regulators of a personal data breach within the timelines required by applicable law.

11Cookies

We use a small set of cookies and similar technologies: strictly necessary cookies to keep you signed in, preference cookies for your settings, and (with your consent) analytics cookies to understand how the product is used. You can manage your preferences in your browser or via the cookie banner on our website.

12Children

AgentIQ is a B2B service. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal information, contact us and we will delete it.

13Changes

We update this policy when our practices change. We post the new version here with a revised effective date. Material changes are notified by email or in-app at least 30 days before they take effect.

14Contact

Questions, requests, or complaints: contact@40rty.ai. For users in the EU / UK, this address also serves as our data protection contact.

Privacy policy.

Contents