Privacy Policy

Last updated: April 2025  ·  Governing law: Ireland  ·  GDPR compliant

StoreFront AI is committed to protecting and respecting your privacy. This Privacy Policy sets out the basis on which we collect, use, store, and share personal data in connection with our website and services. It is drafted in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Act 2018 (Ireland). Please read this policy carefully before using our website or engaging our services.

1. Who We Are

StoreFront AI is a trading name operated by Conor Shiel, with a principal place of business in County Wicklow, Ireland ("StoreFront AI", "we", "us", or "our"). We are the data controller in respect of personal data collected through this website and in the course of providing our services. This means we determine the purposes and means by which your personal data is processed.

Contact details for data protection matters:
Email: conor@storefrontai.eu
Address: County Wicklow, Ireland

If you have any questions about how we handle your personal data, please contact us at the above address before raising a complaint with a supervisory authority.

2. What Personal Data We Collect

We collect and process the following categories of personal data:

Enquiry and Booking Data
When you submit a contact form, book a strategy call, or use our free website audit tool, we collect: your full name, email address, phone number, business type and name, website URL, and the content of any message or challenge description you provide.

Communications Data
When you correspond with us by email, phone, or through our website chat assistant, we retain records of those communications including the content and metadata of messages exchanged.

Technical and Usage Data
When you visit our website, our hosting provider automatically collects: your IP address, browser type and version, device type, pages visited, time and date of visit, and referral source. This data is collected via server logs and does not directly identify you but may constitute personal data under GDPR.

Voice Interaction Data
If you use our voice AI assistant on this website, your voice input is processed in real time by our third-party voice AI provider (Vapi). We do not store audio recordings. Transcripts of conversations may be retained for quality assurance purposes for up to 30 days.

Chat Interaction Data
Text conversations with our AI chat assistant are processed via OpenAI's API. Message content is transmitted to OpenAI's servers for the purpose of generating responses. We retain chat logs for up to 30 days for quality assurance.

We do not intentionally collect sensitive personal data (known as special category data under GDPR) and ask that you do not submit such information through our website.

3. Legal Basis for Processing

Under the General Data Protection Regulation (EU) 2016/679 ("GDPR") as retained and implemented in Irish law by the Data Protection Act 2018, we are required to identify a lawful basis for each processing activity.

Contract Performance (Article 6(1)(b))
Where you have engaged us to provide services, we process your personal data to the extent necessary to perform the contract between us, including delivering AI automation systems, managing your account, issuing invoices, and providing support.

Legitimate Interests (Article 6(1)(f))
We process certain data on the basis of our legitimate interests, including: responding to enquiries from prospective clients, preventing fraud, maintaining the security of our systems, and improving our services. We have assessed that these interests are not overridden by your fundamental rights and freedoms.

Legal Obligation (Article 6(1)(c))
We may process your data to comply with applicable Irish and EU law, including tax and accounting obligations under the Taxes Consolidation Act 1997 and related legislation.

Consent (Article 6(1)(a))
Where we send you marketing communications, we do so only with your prior consent. You may withdraw your consent at any time by contacting us or using the unsubscribe mechanism in any marketing email.

4. How We Use Your Data

We use the personal data we collect for the following purposes:

— To respond to your enquiries and provide you with information about our services.
— To arrange and conduct strategy calls and onboarding consultations.
— To deliver, manage, and support the AI automation services you have contracted with us.
— To issue invoices and manage payments and financial records.
— To operate and improve our website audit tool and AI assistants.
— To send transactional communications directly related to your engagement with us.
— To send marketing communications where you have given consent or where we have a legitimate interest and you have not opted out.
— To comply with our legal and regulatory obligations.
— To protect our legitimate business interests, including the detection and prevention of fraud.

We do not use your data for automated decision-making that produces legal or similarly significant effects, other than the website audit scoring tool, which generates a simulated report for illustrative purposes only and does not constitute a legally binding assessment.

5. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:

Service Providers and Processors
We engage the following third-party processors who act on our instructions and are bound by data processing agreements:

Render.com (Render Services, Inc.) — website hosting and infrastructure. Servers located in the European Economic Area where possible. Privacy policy: render.com/privacy.
OpenAI, LLC — powers our text chat assistant. OpenAI is based in the United States. Data is transferred under Standard Contractual Clauses approved by the European Commission. Privacy policy: openai.com/privacy.
Vapi AI — powers our voice assistant. Vapi is based in the United States. Data is transferred under Standard Contractual Clauses. Privacy policy: vapi.ai/privacy.

Professional Advisers
We may share your data with our solicitors, accountants, and insurers where necessary for the conduct of our business, all of whom are bound by professional duties of confidentiality.

Legal Disclosure
We may disclose your data to An Garda Síochána, the Revenue Commissioners, the Data Protection Commission, or other competent authorities where required to do so by Irish or EU law, or where necessary to protect the vital interests of any person.

Business Transfer
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6. International Data Transfers

Some of our third-party service providers (including OpenAI and Vapi) are located outside the European Economic Area ("EEA"), including in the United States. The transfer of personal data outside the EEA is only permitted under GDPR where appropriate safeguards are in place. We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission under Article 46(2)(c) GDPR as the lawful mechanism for these transfers. You may request a copy of the relevant SCCs by contacting us. We conduct transfer impact assessments where required and take supplementary measures where the SCCs alone may not provide adequate protection.

7. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, having regard to our legal and contractual obligations.

Client data: Retained for the duration of the contract and for 7 years thereafter in accordance with Irish tax and commercial law obligations.
Enquiry and lead data (non-clients): Retained for 12 months from the date of last contact, after which it is securely deleted unless you have subsequently become a client.
Voice and chat transcripts: Retained for up to 30 days for quality assurance, then automatically deleted.
Website audit submissions: Email addresses submitted through the audit email gate are retained for up to 12 months for the purpose of follow-up communications, unless you request earlier deletion.
Financial records: Retained for a minimum of 6 years in accordance with the requirements of the Taxes Consolidation Act 1997.

Where data is no longer required, we take reasonable steps to ensure it is securely deleted or anonymised.

8. Your Rights Under GDPR

As a data subject under the GDPR and the Data Protection Act 2018, you have the following rights in respect of your personal data:

Right of Access (Article 15): You may request confirmation of whether we process your personal data and, if so, a copy of that data along with information about how it is processed.
Right to Rectification (Article 16): You may request correction of any inaccurate or incomplete personal data we hold about you.
Right to Erasure (Article 17): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where the data has been unlawfully processed. This right is subject to our legal retention obligations.
Right to Restriction of Processing (Article 18): You may request that we restrict processing of your data in certain circumstances, for example while we verify the accuracy of data you have disputed.
Right to Data Portability (Article 20): Where processing is based on consent or contract and is carried out by automated means, you may request a copy of your data in a structured, commonly used, machine-readable format.
Right to Object (Article 21): You have the right to object to processing based on legitimate interests, including direct marketing. Where you object to direct marketing, we will cease processing immediately.
Rights in Relation to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce significant legal or similarly significant effects.

To exercise any of these rights, please contact us at conor@storefrontai.eu. We will respond within one month of receipt of your request. We may need to verify your identity before processing your request. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies in accordance with the ePrivacy Regulations 2011 (S.I. No. 336 of 2011) as amended, and GDPR.

Strictly Necessary Cookies: These are essential for the website to function and cannot be switched off. They include session cookies required for form submission and navigation. These do not require consent.
Analytics Cookies: Where we use analytics tools to understand how visitors interact with our website, we do so only with your prior consent. You may withdraw consent at any time.
Third-Party Cookies: Our AI chat and voice widgets may set cookies from OpenAI and Vapi respectively. These are subject to those providers' own cookie policies.

You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our website. For more information on managing cookies, visit aboutcookies.org.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or damage. These measures include:

— Encrypted data transmission via TLS/SSL.
— Access controls limiting data access to authorised personnel only.
— Regular review of our data handling practices.
— Data processing agreements with all third-party processors.

No method of transmission over the internet or electronic storage is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours and, where required, notify affected individuals without undue delay.

11. Complaints

If you are dissatisfied with how we have handled your personal data, we ask that you contact us in the first instance at conor@storefrontai.eu so that we have the opportunity to resolve your concern. If you remain dissatisfied, you have the right to lodge a complaint with the Data Protection Commission (DPC), which is the Irish supervisory authority for data protection matters.

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Web: dataprotection.ie
Phone: +353 57 868 4800

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The date of the most recent revision will be indicated at the top of this page. Where changes are material, we will take reasonable steps to notify you, which may include posting a notice on our website or contacting you directly. We encourage you to review this policy periodically. Your continued use of our website and services following the posting of changes constitutes your acknowledgement of the updated policy.