← Back to DTC Prism

Privacy Policy

Last updated: 29 June 2026

1. Who we are This Privacy Policy explains how DTC Prism ("DTC Prism", "we", "us") handles personal data. You can reach us at contact@dtcprism.com.

2. The data we handle We handle two broad kinds of data:

  • Your account data. Information you give us directly — your name, work email, company, and details you share during onboarding.

  • Connected platform data. When you authorise a connection (for example Shopify, Meta, Google, TikTok, Klaviyo, Gorgias, or your returns tool), we access data from those accounts to generate your insights. This can include order, product, advertising, support, and returns data, and may include personal data about your customers (such as an email or name carried in an order or a support ticket). We process that customer data on your behalf and on your instructions — you remain responsible for it as the controller; we act as your service provider/processor.

3. Data minimization Our analysis is built to work on pseudonymous identifiers — order IDs and platform-internal customer IDs — rather than personal details. We do not use customer email addresses or names to generate insights, and we keep personal data out of our analytics wherever possible. We only ingest what is needed to provide the service to you.

4. Why we use it We use this data solely to operate the service for you: detecting profit-affecting changes, explaining their causes across your sources, and delivering reviewed alerts and insights. We do not sell your data or your customers' data, and we do not use it for advertising.

5. Legal basis and your responsibilities We process your account data to provide the service you've requested (performance of our agreement with you). We process your connected platform data strictly on your documented instructions, on your behalf, to generate your insights. Where your customers' personal data is involved, you confirm that you have the necessary rights, notices, and permissions in place for us to process it for these purposes on your behalf.

6. Who we share it with (sub-processors) We share data only with the infrastructure providers that help us run the service, under contract:

  • Database & hosting — Supabase (United States): stores your account data and your connected platform data.

  • Data pipeline / connectors — Airbyte: moves data from your connected platforms into our database.

  • Email delivery — a third-party email delivery provider: sends your alerts and digests.

  • AI processing — to generate the plain-English wording of your alerts and insights, limited business data (such as product, campaign, and metric details — not your customers' personal data) may be processed by a third-party AI provider under contract; that provider does not use your data to train its models.

We do not share your data with any other third parties except where required by law.

7. Where it's stored Your data is hosted in the United States (our database provider's US region). We currently serve US-based brands, so your data generally stays within the US. If this changes, we'll update this policy and apply appropriate safeguards for any cross-border transfer.

8. How long we keep it, and deletion We keep data only as long as needed to provide the service. You can disconnect any source at any time. You can ask us to delete your data by emailing contact@dtcprism.com, and we honor deletion requests received through your connected platforms (including Shopify's data-deletion requests). On account closure, or following a valid deletion request, we delete or anonymise the associated personal data within 90 days. We may retain aggregated, anonymised insights that do not identify you or your customers.

9. Your choices and rights You can request access to, correction of, or deletion of your data by emailing contact@dtcprism.com. We will respond within 30 days.

10. Security We protect data with measures including encryption in transit, encryption at rest provided by our hosting infrastructure, access controls, and separation between different brands' data. No system is perfectly secure, but we work to safeguard your data and to notify you of any incident affecting it as required by law.

11. Children The service is for businesses and is not directed to children, and we do not knowingly collect personal data from children.

12. Changes We may update this policy and will post the new version here with an updated date.

13. Contact Questions or requests: contact@dtcprism.com.