Privacy Policy

Introduction

At Ecom AI & Co, we take your privacy seriously. As a UK-based AI consultancy serving e-commerce businesses worldwide, we are committed to protecting your personal data and ensuring transparency. This Privacy Policy explains how we collect, use, store, and protect your data when you visit our website, work with us as a client, or interact with our services — including email communications, automations, and hosted solutions. We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA).

 

We believe privacy should be clear, not complicated. This policy explains what we do with your data and your rights — in plain English.

Who We Are

Ecom AI & Co is an AI consultancy based in the United Kingdom. We help e-commerce businesses automate operations using open-source tools like n8n, with a focus on data privacy, transparency, and measurable impact.
 
Contact us at: contact@ecomai.co
 

What Data We Collect

We collect personal data depending on how you interact with us:
 
When You Visit Our Website:
– IP address and browser information
– Cookie identifiers
– Page views and navigation behavior (via Google Analytics)
 
When You Download a Resource or Book a Call:
– Name
– Email address
– Business name and website
– Survey responses (e.g., via Typeform)
 
When You Become a Client:
– Workflow-related business data
– Store performance metrics
– Access credentials (only with your explicit consent)
– Customer data (only when required for automation builds)

How We Collect Information

We collect data in the following ways:
 
– Directly from you: Through forms, discovery calls, or client onboarding.
– Automatically: Via cookies, tracking pixels, or analytics tools (e.g., Google Analytics).
– From third-party tools: Such as Typeform (intake forms), Calendly (scheduling), or social media platforms.

Legal Basis for Processing

We process your personal data based on the following legal grounds:
 
– Contractual Necessity: To deliver our consultancy services as agreed in our contract with you.
– Consent: For optional activities, such as marketing emails or non-essential cookies.
– Legitimate Interests: To improve our website, services, and user experience, provided this does not override your rights.
– Legal Obligation: To comply with applicable laws and regulations.

How We Use Your Data

We use your data to:
 
– Deliver and optimize our AI consultancy services
– Respond to questions or support requests
– Send educational content or marketing emails (with an opt-out option)
– Customize your experience and recommendations
– Monitor website performance and improve user experience
– Meet legal and security obligations
 
We do not sell your data — ever.

Data Sharing and Disclosure

We only share data with trusted third-party services that help us operate, such as:
 
– Google Analytics (for website performance)
– Mailchimp or similar (for email campaigns)
– Typeform (for intake forms)
– Calendly (for scheduling)
– Slack or Notion (for project delivery)
 
We have Data Processing Agreements (DPAs) in place with all third-party vendors to ensure they process your data securely and in compliance with applicable data protection laws, including UK GDPR, EU GDPR, and CCPA/CPRA. Access is limited to what’s necessary, and we never share data for resale or advertising purposes. We may also disclose data when required by law.

Data Storage & Security

We apply strong safeguards to protect your data:

 

– Encrypted storage and secure data transmission
– Credential masking and rotation
– Secure environments for hosted workflows (e.g., n8n, Docker, HTTPS)
– Restricted access for internal staff

 

Self-hosted clients maintain full control over their data and infrastructure. We never access your environment without your explicit permission.

Self-Hosting & Client Data Ownership

Our solutions are privacy-first:
 
– Clients own 100% of their workflows.
– All access is opt-in, scoped, and auditable.
– Self-hosted delivery ensures no vendor lock-in.
– We never access your customer data without your consent.

Your Rights by Region

Depending on your location, you have specific rights regarding your personal data:

 

UK & EU Residents (UK GDPR and EU GDPR):
 
– Access: Request a copy of your data.
– Rectification: Correct inaccurate data.
– Erasure: Request deletion (“right to be forgotten”).
– Restriction: Limit processing in certain cases.
– Objection: Object to processing based on legitimate interests or marketing.
– Data Portability: Receive your data in a machine-readable format.
– Withdraw Consent: Revoke consent (e.g., unsubscribe from emails).
– Lodge a Complaint: Contact the UK Information Commissioner’s Office (ICO) or your local EU data protection authority.

 

California Residents (CCPA/CPRA):
 
– Right to Know: Learn what data we collect, use, or share.
– Right to Delete: Request deletion of your data.
– Right to Opt-Out: Opt out of data sales (we do not sell data).
– Non-Discrimination: Receive equal service when exercising rights.
 
Other Countries: Under local laws, you may have rights to:
 
– Access: Request details about your data.
– Correct: Fix inaccurate data.
– Delete: Request data deletion, subject to exceptions.
– Object: Oppose processing, such as marketing.
– Portability: Receive data in a portable format (e.g., Brazil, Canada).
– Withdraw Consent: Revoke consent where applicable.
– Complain: Contact your local data authority (e.g., Brazil’s ANPD).
 
Note: Rights vary. For example, China’s PIPL emphasizes consent, while Japan’s APPI focuses on access. Contact us for details.

 

All Users:
Even without local privacy laws, we’re committed to transparency. You can:
 
– Access or delete your data.
– Opt out of marketing communications.
– Ask about our practices.
 

We aim to respond within 30 days.

International Data Transfers

As a UK-based consultancy serving global clients, your data may be processed outside the UK (e.g., in the United States via third-party tools). We ensure compliance with UK GDPR using:

 

– Adequacy Decisions: For countries with recognized data protection standards (e.g., EU countries).
– Standard Contractual Clauses (SCCs): For transfers to other regions, such as the US.
– Secure encrypted transmission for all data transfers.

Cookies & Tracking

We use cookies and tracking technologies to enhance your experience:
 
– Necessary Cookies: Enable site functionality.
– Analytics Cookies: Analyze site usage (e.g., Google Analytics).
– Marketing Cookies: Support targeted campaigns (optional).
 
A cookie banner will appear when you first visit our site, allowing you to manage preferences. You can also adjust settings via your browser.

Data Retention

We retain data only as long as necessary:
 
– Website data: Up to 26 months (via Google Analytics).
– Client data: For the duration of the engagement + 90 days (unless otherwise agreed).
– Marketing lists: Until you unsubscribe or are inactive for 12 months.

Third-Party Links

Our website may link to external sites. These have separate privacy policies, and we are not responsible for their practices. Please review their policies before sharing data.

Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. The latest version will always be posted here, and we will notify you by email of material changes.

Contact Us

Questions or concerns? Reach out: