Ai MachinaAIMACHINA.SHOP
● SYSTEM PROTOCOL · 002

PRIVACY
POLICY.

Last updated: April 30, 2026

AiMachina Shop ("we," "us," or "our") operates the AiMachina Shop website and mobile application located at aimachina.shop. This policy explains what we collect, why we collect it, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).

// 01

INFORMATION WE COLLECT

We collect only what we need to deliver and protect the service:

  • Account & identity: email address, and (for operator accounts) display name.
  • Order & transaction data: products purchased, amount, currency, country, and a Stripe payment identifier. We never see or store your full card number — card data is collected directly by Stripe.
  • Support & chat content: messages you send to our Ripley assistant or to support@aimachina.shop.
  • Usage & device data: pages viewed, referrer, approximate region, browser/OS, and anonymized IP via Google Analytics 4 (IP anonymization enabled).
  • Newsletter / signal opt-in: email address only, provided voluntarily.

We do not collect: government IDs, precise location (GPS), contacts, photos, microphone, camera, SMS, call logs, health data, or biometric identifiers.

// 02

LEGAL BASES (GDPR ART. 6)

  • Contract — to deliver purchased playbooks and operate your account.
  • Legal obligation — to retain tax/invoice records and respond to lawful requests.
  • Legitimate interest — to secure the platform, prevent fraud, and improve the product through aggregated analytics.
  • Consent — for the optional newsletter and any non-essential cookies. You can withdraw consent at any time.
// 03

HOW WE USE YOUR INFORMATION

  • Provide, maintain, and improve the service
  • Process payments and deliver digital products
  • Send transactional emails (receipts, downloads, support)
  • Detect abuse, fraud, and security incidents
  • Comply with tax, accounting, and legal obligations

We do not use your data for advertising, profiling, or automated decisions with legal effect.

// 04

THIRD-PARTY PROCESSORS (SUB-PROCESSORS)

We rely on the following vetted processors. Each is bound by a Data Processing Agreement and processes data only on our instructions.

ProcessorPurposeDataRegion
Supabase (Lovable Cloud)Database, auth, storage, edge functionsEmail, account, orders, chat logsEU / US
StripePayment processingCard data (direct), email, billing countryUS / EU
ResendTransactional email deliveryEmail, message contentUS
Google Analytics 4Aggregated usage analyticsAnonymized IP, page views, deviceUS
CloudflareHosting, CDN, DDoS protectionIP, request metadataGlobal edge
OpenAI / Anthropic / Google AIAI generation (chat, playbooks)Prompt content (no training opt-in)US
ElevenLabsOptional voice synthesisText submitted for TTSUS

International transfers rely on the EU Standard Contractual Clauses (SCCs) and the EU–US Data Privacy Framework where applicable. We do not sell or "share" personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.

// 05

DATA RETENTION

  • Account data: kept until you request deletion, then removed within 30 days.
  • Order & invoice records: retained for 7 years to satisfy tax and accounting law.
  • Support & chat logs: 24 months, then anonymized.
  • Newsletter list: until you unsubscribe.
  • Analytics (GA4): 14 months, aggregated.
  • Server & security logs: 90 days.
  • Backups: rolling 30-day window, then overwritten.
// 06

DATA SECURITY

  • TLS 1.3 in transit; AES-256 at rest
  • Row-Level Security on every database table
  • Role-based access; principle of least privilege
  • Secrets stored in encrypted vaults, never in code
  • Stripe handles all card data (PCI-DSS Level 1)
  • Breach notification within 72 hours where required by law
// 07

YOUR RIGHTS (GDPR / CCPA / CPRA)

You have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure ("right to be forgotten") — GDPR Art. 17 / CCPA §1798.105
  • Restriction — limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Object — to processing based on legitimate interest
  • Withdraw consent — at any time, without penalty
  • Opt out of "sale" or "sharing" — we do neither, but the right is honored
  • Non-discrimination — we will not penalize you for exercising any right
  • Lodge a complaint — with your local supervisory authority (e.g. your EU DPA, the UK ICO, or the California Privacy Protection Agency)

Submit a request through our data deletion request page, or email support@aimachina.shop. We respond within 30 days (GDPR) or 45 days (CCPA), and may extend once where permitted. Identity verification may be required.

// 08

CHILDREN'S PRIVACY

The service is not directed to children under 16. We do not knowingly collect data from minors. If you believe a child has provided us data, contact support@aimachina.shop and we will delete it.

// 09

CONTACT US

Privacy questions, rights requests, or DPA inquiries: support@aimachina.shop

EU/UK users may also contact their local data protection authority. California residents may contact the California Privacy Protection Agency at cppa.ca.gov.

// 10

CHANGES TO THIS POLICY

We may update this policy periodically. Material changes will be announced on this page and, where appropriate, by email. Continued use of the service after the "Last updated" date constitutes acceptance of the revised policy.

// YOUR DATA IS A LIABILITY WE REFUSE TO HOARD.