Privacy Policy
1. Introduction
Keisuite ("Keisuite," "we," "us," or "our") is an AI-powered product studio for wine merchants on Shopify. We take your privacy seriously. This Privacy Policy explains what data we collect when you use our service, why we collect it, how we use and share it, and what choices you have.
We've tried to write this plainly. If something is unclear, or you want to know more about how we handle a specific type of data, email us at guido@primalwine.com.
This policy applies to all users of keisuite.com and the Keisuite web application. By using Keisuite, you agree to the data practices described here. This policy is incorporated into our Terms of Service.
2. Information We Collect
We collect information in three ways: information you give us directly, information generated by your use of the Service, and information from third-party services you connect.
2.1 Account Information
When you create an account, we collect your name and email address. This is handled through Clerk, our authentication provider. If you sign in with Google or another third-party provider, we receive only the basic profile information that provider shares (typically name and email). We never see your passwords — those are managed entirely by Clerk.
2.2 Payment Information
When you purchase credits, your payment is processed by Stripe. We never see or store your full card number, CVV, or other sensitive payment credentials — those go directly to Stripe's servers over an encrypted connection. What we do store is a Stripe customer ID (a reference token), your transaction history with us (amounts, dates, credit packages purchased), and billing details required for invoicing (such as name and billing country).
2.3 Shopify Store Data
When you connect your Shopify store, we receive your store URL and a Shopify access token that allows us to create and update products on your behalf. The access token is encrypted at rest in our database using industry-standard encryption. We access your Shopify store only to perform actions you explicitly request (e.g., creating a product listing). We do not browse your store data, read your customer data, or access orders.
2.4 Uploaded Images
The photos you upload for enhancement are the most sensitive data we handle. Here is exactly what happens to them:
- Your image is received by our servers over HTTPS.
- We send the image to OpenAI's API for processing (background removal, enhancement, and clean image generation).
- The resulting enhanced image is returned to you and, if you choose, published to your Shopify store.
- We store the original and enhanced images temporarily — for approximately 24 hours — to allow you to review and use the output.
- After that window, images are permanently deleted from our storage systems.
- We do not use your images to train any AI model, and we do not share them with any party other than OpenAI (for processing) and your Shopify store (if you choose to publish).
OpenAI's handling of API-submitted data is governed by OpenAI's Privacy Policy. As of the effective date of this policy, OpenAI does not use API inputs to train its models by default.
2.5 Usage Data
We track how you use the Service in order to operate it correctly and improve it over time. This includes: credit balance and transaction history, jobs created and their status (e.g., enhancement complete, publishing failed), timestamps of actions, and which features you use.
2.6 Log Data
Like most web services, our servers automatically collect standard log data when you visit or use Keisuite. This may include your IP address, browser type and version, referring URL, pages visited, and error logs. This data is used for security, debugging, and operational monitoring. It is not linked to your account profile for marketing purposes.
3. How We Use Your Information
We use the data we collect for the following purposes:
- Providing the Service. Processing your images through OpenAI, generating product copy, publishing products to your Shopify store, and managing your credit balance.
- Account management. Creating and maintaining your account, authenticating your identity, and enabling Shopify store connections.
- Payment processing. Charging your card for credit purchases, issuing receipts, and managing billing through Stripe.
- Transactional communications. Sending you emails about your account — such as credit purchase confirmations, job completion notifications, or alerts about issues with your Shopify connection. We do not send marketing emails unless you opt in.
- Service improvement. Analyzing aggregated usage patterns to understand how the product is used, identify bugs, and decide what to build next. This analysis uses anonymized or aggregated data wherever possible.
- Security and fraud prevention. Monitoring for suspicious activity, unauthorized access, and abuse of the Service.
- Legal compliance. Retaining records as required by law (e.g., financial records for tax purposes) and responding to lawful requests from authorities.
We do not use your data for advertising, profiling, or any purpose unrelated to operating Keisuite.
5. Data Retention
We hold different types of data for different lengths of time, based on what is needed and what the law requires:
- Account and usage data. Retained while your account is active, and for 90 days after you close your account. After 90 days, your account data is permanently deleted from our active systems. We may retain anonymized usage statistics after this period.
- Uploaded images. Deleted within approximately 24 hours of processing. We do not maintain long-term storage of your wine bottle photographs.
- Payment and financial records. Retained for 7 years from the date of the transaction, as required by US tax law and financial record-keeping regulations. This includes transaction amounts, dates, and billing metadata — not your card details (which are held by Stripe).
- Log data. Retained for up to 90 days for security and debugging purposes, then automatically deleted.
- Shopify access tokens. Retained while your store remains connected. You can revoke access at any time through your Shopify admin or by contacting us, at which point the token is deleted.
If you request deletion of your account (see Section 6), we will delete your personal data within 30 days, subject to the legal retention requirements described above.
6. Your Rights
You have meaningful control over your data. Specifically, you have the right to:
- Access. Request a copy of the personal data we hold about you, including your account information, usage history, and transaction records.
- Correction. Ask us to correct inaccurate or incomplete data. You can update your name and email directly through your account settings (managed via Clerk). For other corrections, contact us.
- Deletion. Request that we delete your account and associated personal data. We will honor this request within 30 days, subject to data we are legally required to retain (such as financial records).
- Portability. Request an export of your data in a structured, machine-readable format.
- Objection. Object to specific uses of your data. For example, if we ever introduce analytics beyond what is described in this policy, you can opt out.
To exercise any of these rights, email us at guido@primalwine.com. We will respond within 30 days. We may ask you to verify your identity before processing sensitive requests.
We do not charge a fee for exercising your rights, and we will not discriminate against you for doing so.
7. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights regarding your personal information.
Right to Know
You have the right to request disclosure of: (a) the categories and specific pieces of personal information we have collected about you; (b) the categories of sources from which we collected it; (c) the business or commercial purpose for collecting it; and (d) the categories of third parties with whom we share it.
Right to Delete
You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (such as data we must retain for legal compliance or to complete a transaction you requested).
Right to Correct
You have the right to request correction of inaccurate personal information we maintain about you.
Right to Opt Out of Sale or Sharing
We do not sell or share personal information for cross-context behavioral advertising. We have not sold personal information in the past 12 months, and we do not intend to. There is nothing to opt out of, but you have this right regardless.
Right to Limit Use of Sensitive Personal Information
We do not use sensitive personal information (such as your Shopify credentials or payment token) for any purpose beyond operating the Service. You do not need to take any action to limit this use.
How to Submit a CCPA Request
Email guido@primalwine.com with the subject line "California Privacy Request." We will respond within 45 days (or notify you if an extension is needed). We will verify your identity before disclosing or deleting data.
8. Security
We take reasonable and appropriate measures to protect your data against unauthorized access, disclosure, alteration, or destruction. Specifically:
- Encryption in transit. All data transmitted between your browser and Keisuite is encrypted via HTTPS/TLS.
- Encryption at rest. Your Shopify access token is encrypted at rest in our database. This means even if our database were compromised, your Shopify credentials would not be directly readable.
- Payment security. We never store or process raw credit card data. All payment handling is delegated to Stripe, which is PCI DSS Level 1 certified — the highest standard for payment security.
- Authentication security. Account authentication is handled by Clerk, which provides features like secure password hashing, multi-factor authentication support, and session management.
- Image handling. Uploaded images are processed and then deleted within 24 hours, minimizing exposure of your product photography.
- Infrastructure. The Service is hosted on Railway, which provides managed infrastructure with access controls, monitoring, and security updates.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at guido@primalwine.com. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.
9. Cookies and Tracking
Keisuite uses a minimal set of cookies, all of which are necessary for the Service to function. We do not use advertising cookies, third-party tracking pixels, or behavioral analytics tools.
- Authentication cookies. Clerk sets secure, HttpOnly session cookies to keep you signed in. These cookies do not track you across other websites and expire when you sign out or after a period of inactivity.
- CSRF protection cookies. Our application may set a small cookie to protect against cross-site request forgery attacks. This is a security mechanism, not a tracking tool.
We do not use Google Analytics, Facebook Pixel, or any third-party behavioral tracking services. We do not build advertising profiles based on your usage.
If you block all cookies, you will not be able to sign in to Keisuite, as session management requires cookie support. Otherwise, cookie blocking will not meaningfully affect your experience.
10. Children's Privacy
Keisuite is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. Because our Service is designed for wine merchants — a category that inherently involves an adult, regulated industry — we also require users to be at least 18 years old (see our Terms of Service).
If we learn that we have inadvertently collected personal information from a child under 13, we will delete it promptly. If you believe a child has provided us with their personal information, please contact us at guido@primalwine.com.
11. International Data Transfers
Keisuite is a US-based service. All data we process is stored and handled in the United States. Our infrastructure (Railway), authentication provider (Clerk), payment processor (Stripe), and AI provider (OpenAI) are all US-based services subject to US law.
If you are accessing Keisuite from outside the United States, please be aware that your data will be transferred to and processed in the US, which may have different data protection laws than your country. By using the Service, you consent to this transfer.
We do not currently offer a localized EU or UK version of the Service, and we do not rely on Standard Contractual Clauses or other cross-border transfer mechanisms. If your jurisdiction has specific requirements about international data transfers, please contact us before using the Service.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes — such as collecting new categories of data, sharing data in new ways, or significantly changing how we use data — we will notify you by email at least 30 days before the changes take effect.
For minor or non-material changes (like clarifying language or correcting formatting), we may update the policy without prior notice. The effective date at the top of this page will always reflect when the policy was last updated.
Continued use of Keisuite after the effective date of any changes constitutes your acceptance of the updated policy. If you disagree with changes, you may close your account and stop using the Service.
The current version of this policy is always available at keisuite.com/privacy.
13. Contact
If you have questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern, please reach out:
Keisuite
Email: guido@primalwine.com
We aim to respond to all privacy inquiries within 2 business days, and to honor access or deletion requests within 30 days.
You can also review our Terms of Service.