Back

Privacy Policy


Last Updated: September 12, 2025


Introduction

Insightto (“we”,“our,” or “Insightto”) is committed to protecting your personal information. This Privacy Policy explains in detail how we collect, use, store, disclose, and protect your personal information, as well as your rights in the data processing process. This Policy applies to all information you provide through our website [https://www.insightto.ai], services, SDK, or other means of interaction with us.


We understand the importance of privacy and strive to ensure that our data practices are transparent, fair, and compliant with applicable data protection laws, including but not limited to the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).


This Privacy Policy also describes how we process and protect data obtained through the Shopify API and how we comply with Shopify’s data protection and app‑review requirements.



Key Definitions

  • ● You / Customer: Refers to individual or business customers who register and use Insightto’s services.
  • ● Visitor / End User: Refers to individual or business customers who register and use Insightto’s services.
  • ● Personal Information: Refers to individual or business customers who register and use Insightto’s services.
  • ● Services: Refers to individual or business customers who register and use Insightto’s services.


1. Our Roles in Data Protection

We process personal information in two distinct roles:


a) When we act as a “Data Controller”

When you register an account with us, use our application, or communicate directly with us, we act as the Data Controller of your personal information. Your data privacy is protected — we will only access your account to assist you in resolving issues or fixing software bugs unless you explicitly request otherwise. We will not browse or sell your data to third parties. We log all account accesses by IP address, enabling us to verify any unauthorized access as long as the logs are retained.


b) When we act as a “Data Processor”

When you embed our SDK into your website and use our services to collect visitor data, you are the Data Controller of your visitors’ personal information, and we are the Data Processor. This means we only collect, store, and process visitor data on your behalf, according to your instructions and as outlined in this Privacy Policy.

As a Data Controller, you are responsible for:

  • ● Ensuring that your website privacy policy clearly informs visitors that you are using our services to collect their data.
  • ● Obtaining valid consent from visitors (e.g., through Cookie consent banners) in compliance with applicable data protection laws such as the GDPR and CCPA/CPRA.
  • ● Responding to data subject rights requests (e.g., access, deletion) from visitors and, where necessary, coordinating with us to fulfill such requests.

Shopify-Specific Data Protection Compliance

To comply with Shopify’s mandatory data protection framework, we support and respond to the following Shopify GDPR webhooks:

  • ● shop/redact

When Insightto receives these requests from Shopify, we delete, redact, or return data in accordance with Shopify’s timelines and requirements.



2. Information We Collect

We collect two main categories of information:


a) Information Directly from You (when Insightto is the Data Controller)

When you register an account, subscribe to our services, contact us, or otherwise interact with us, we may collect:

  • ● Account & Contact Information:
    • Acquired via Shopify Authorization:Upon installation, we receive your store Email Address, and the associated Store Domain through the Shopify API. The API permissions we request are limited to store administration (for app embedding), billing, and basic shop information. We use this information for account management, customer support, and essential service notifications.

      ■ Information Received via Shopify API

      • ● Store ID
      • ● Store domain
      • ● Store email address
      • ● Granted API scopes
      • We only request and use Shopify API scopes necessary to deliver our app functionality.
    • Voluntarily Provided Information:We generally do not collect personal information such as Phone Numbers, Mailing Address, or detailed Billing Address. We may only process these details if you voluntarily provide them during account creation, customer support or sales communications.
  • ● Login Credentials:Encrypted password (if you register using email/password).
  • ● Payment Information: We utilize the Shopify Billing API (For shopify user) and Stripe API to process all subscription payments. Crucially, we do not directly store or access complete credit card information or comprehensive billing address details.
  • ● Communication Data: Aggregated or anonymized data regarding how you use our application to help us improve product performance and features.
  • ● Usage Data: Aggregated or anonymized data on how you use our products and services to help us improve them.

b) Information We Process on Behalf of the Merchant (when Insightto is the Data Processor)

In order to provide AI survey and analysis services, we collect data from your store's visitors on your behalf.This collection focuses on aggregated and non-personally identifiableThis data includes:

  • ● Visitor Response Data: The specific answers and feedback provided by your customers (visitors) through the surveys displayed on your storefront.
  • ● Behavioral Data: Visitor interactions on your website, including:

    - Mouse Activity: Clicks, movement paths, hovers, scroll depth.

    - Page Interactions: Browsing paths, time on page, page transitions.

    - Form Interactions: Inputs, modifications, deletions in form fields.

    - Event Triggers: Custom events (e.g., adding items to cart, completing payment) configured by you.

  • ● Technical Data:

    - Device Information: Device type, operating system, screen resolution.

    - Browser Information: Browser type and version.

    - Referrer URL: The URL visited prior to arriving on your site.

    - Anonymous Visitor ID: Used to identify unique visitor sessions on your site. Or provided by the Shopify API to link survey responses to session data.


No Sensitive or Prohibited Data Collection

We do not collect or store payment card details, customer passwords, or any sensitive identifiers from Shopify merchants or visitors.


We do not proactively collect sensitive personal information (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or sexual orientation). If you choose to collect such data via surveys, you, as the Data Controller, bear full responsibility and must ensure that you have obtained explicit consent from visitors.



3. How We Use the Information

a) For Your Personal Information (Customer Data)

We process your personal information based on the following lawful bases and purposes:

  • ● Contract Performance: To provide the services you request, including account management, product functionality, technical support, and billing.
  • ● Legitimate Interests: To improve our services, conduct marketing analysis, ensure network and information security, and prevent fraud.
  • ● Legal Obligations: To comply with applicable laws, regulations, and governmental requests.
  • Your Consent: In certain cases, we may seek your consent to process your personal information, such as for sending marketing communications (you may withdraw consent at any time).

b) For Visitor Information (Processed on Your Behalf)

We process visitor information solely according to your instructions and this Privacy Policy to:

  • ● Collect survey feedback based on your created forms.
  • ● Analyze visitor behavior for behavioral insight reports.
  • ● Trigger surveys according to rules you configure (e.g., specific visitor actions or page states).
  • ● Provide aggregated and anonymized reports on survey performance and website usage trends.


4. How We Share and Disclose Information

We will never sell, rent, or trade your personal information or visitor information to third parties. We only share information in these limited cases:

  • ● Service Providers: With trusted third‑party service providers performing services for us, such as cloud hosting (AWS), payment processing (Stripe), or customer support tools (Zendesk). Such providers are authorized to use your information only as necessary to perform their functions and are contractually obligated to protect your data.

    Third‑Party Service Providers Used

    • ○ AWS— cloud hosting and data storage
    • ○ Stripe — payment processing
    • ○ Shopify Billing API – subscription billing for Shopify merchants
    • ○ (Add any logging/analytics provider if applicable)

    These providers are authorized to process data only as necessary to deliver the service.

  • ● Your Instructions: At your explicit request to share information with third parties (e.g., via API integrations).
  • ● Legal Requirements: When disclosure is required by law, court order, government investigation, or to protect our rights, property, or safety.
  • ● CCPA Statement:We do not “sell” or “share” personal information as defined under the CCPA/CPRA.


5. Your Privacy Rights

You (as our customer) and your visitors (as data subjects) have rights under applicable law. To exercise these rights, contact us using the details at the end of this Policy.


a) For Your Personal Information (Insightto as Data Controller)

You have the right to:

  • ● Right to be Informed: Know how we collect and use your personal information.
  • ● Right of Access: Obtain a copy of your personal information we hold.
  • ● Right to Rectification: Request correction of inaccurate or incomplete personal information.
  • ● Right to Erasure (Right to be Forgotten): Request deletion of your personal information in certain circumstances.
  • ● Right to Restrict Processing: Request limitation of processing under certain conditions.
  • ● Right to Data Portability: Receive your data in a structured, commonly used, machine‑readable format and transmit it to another controller.
  • ● Right to Object: Object to processing based on legitimate interests, including for direct marketing purposes.
  • ● Right to Withdraw Consent: Withdraw consent where processing is based on consent.
  • ● Data Export Process: If you request access to your personal information, we will provide it in a structured, commonly used, machine‑readable format (such as JSON or CSV). Exports are typically fulfilled within 30 days in compliance with GDPR.

b) For Visitor Information (Insightto as Data Processor)

Your visitors should submit data subject rights requests directly to you. You are responsible for handling these requests and directing us if our assistance is required.


c) Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, in addition to the above rights, you have the right to:

  • ● Opt‑Out of Sale/Sharing: We do not “sell” or “share” your personal information or your visitors’ personal information. You have the right to direct us not to “sell” or “share” your personal information.
  • ● Non‑Discrimination: You will not receive discriminatory treatment for exercising any of your CCPA/CPRA rights.


6. International Data Transfers

Our servers and data processing facilities may be located outside your country/region. If you are located in the EU/EEA, your personal information may be transferred to countries outside the EU/EEA. In such cases, we will ensure appropriate safeguards (such as Standard Contractual Clauses or Data Transfer Agreements) are in place to ensure an equivalent level of protection.

● Data Storage Location

All data is stored on secure servers hosted by Amazon Web Services (AWS) in the following region:


AWS us-east-2


Appropriate safeguards, including Standard Contractual Clauses (SCCs), are applied where required.



7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Factors considered include the nature and sensitivity of the data, potential risks, legal obligations, and business needs.

For visitor data you collect as a Data Controller, we will retain it according to your instructions and our service agreement.

Shopify App Uninstallation Data Deletion:

When a Shopify merchant uninstalls our app, we automatically delete all store‑related personal information within 48 hours, in accordance with Shopify’s data protection requirements.



8. Data Security

We are committed to securing your personal information through industry‑standard measures, including:

  • ● Encryption: For data in transit and at rest.
  • ● Access Control: Strict internal permissions to ensure only authorized personnel access sensitive data.
  • ● Security Audits: Regular vulnerability scans and penetration testing.
  • ● Employee Training: Staff training on data protection and privacy awareness.

While we take these precautions, no method of transmission or electronic storage is 100% secure, and we cannot guarantee absolute security.



9. Cookies and Tracking Technologies

We use cookies and other tracking technologies to identify your browser and device to enhance your service experience.


  • ● Our Cookies: Maintain login sessions, remember preferences, and analyze service usage.
  • ● SDK Cookies: When our SDK is deployed, cookies may be used to identify visitors for behavior tracking and survey delivery. You, as the Data Controller, are responsible for managing and disclosing these cookies.

You can manage your browser settings to block or delete cookies, but some features of our services may be affected.



10. Policy Changes

We may occasionally update this Privacy Policy to reflect changes in our data practices or legal requirements. We will notify you by posting the updated version on our website, via your account, or by email. We encourage you to review this Policy periodically.



11. Contact Us

If you have any questions about this Privacy Policy, want to know how we handle your personal information, or wish to exercise your rights, please contact us at:


FORESIGHT AI PTE. LTD.

Email: support@insightto.ai

Address: 91 Bencoolen Street #12-03, Sunshine Plaza, Singapore 189652


If you believe we have not handled your personal information properly, you also have the right to lodge a complaint with the relevant data protection authority.