Privacy Policy

TinySEO Ltd · Cyprus · Registration No. HE 489006
Last updated: 5 May 2026

This Privacy Policy describes how TinySEO Ltd (“TinySEO,” “we,” “us,” or “our”), a company registered in Cyprus under registration number HE 489006, collects, uses, stores, and discloses personal data when you use our application (“App”) available through the Shopify App Store, our website at tinyseo.com, and any related services (collectively, the “Services”).

By installing, accessing, or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you are using the Services on behalf of a business, you confirm that you have authority to accept this policy on behalf of that business.

1. Data Controller

1.1 The data controller for the personal data collected through the Services is TinySEO Ltd, registered in the Republic of Cyprus (HE 489006). For data protection inquiries, contact us at info@tinyseo.com.

1.2 When TinySEO processes personal data from your Shopify store on your behalf (for example, data about your customers that may appear in product content or store metadata), you are the data controller and TinySEO acts as a data processor. In this capacity, we process such data solely as necessary to provide the Services and in accordance with your instructions.

2. Data We Collect

2.1 Account and installation data

When you install the App from the Shopify App Store, we receive information from Shopify necessary to authenticate and provision your account. This includes your store name, store URL, store owner name, email address, Shopify plan details, locale, and timezone. This data is collected via the Shopify OAuth process and the Shopify Admin API.

2.2 Store data

To provide the Services, we access and process data from your Shopify store via the Shopify API. This may include: product data (titles, descriptions, tags, images, variants); collection and page content; theme files and template code; image files and metadata; navigation and menu structures; URL structures and redirects; and blog content. We access only the data scopes authorized during installation and necessary for the features you use.

Important: Certain features of the Services may modify your store’s theme code, metadata, or image files. We strongly recommend that you duplicate your active theme before enabling optimization features. This ensures you can restore your original theme at any time. TinySEO is not liable for unintended changes to themes that were not duplicated prior to optimization.

2.3 Usage data

We automatically collect information about how you interact with the App, including pages viewed within the App, features used, optimization actions taken, settings configured, timestamps, and session duration.

2.4 Website visitor data

When you visit tinyseo.com, we collect standard web analytics data including your IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, and device identifiers. This data is collected via cookies and analytics tools as described in Section 8.

2.5 Communications data

When you contact our support team or communicate with us via email, chat, or other channels, we collect the content of those communications along with associated metadata (timestamps, email addresses).

2.6 Data we do not collect

TinySEO does not collect payment or financial information from merchants. All billing is handled by Shopify through the Shopify Billing API. We do not process credit card numbers, bank account details, or other financial data. We also do not collect personal data of your end customers beyond what may incidentally appear in store content that we process (such as product reviews or testimonials embedded in page content).

3. How We Use Your Data

3.1 Service delivery. To provide, operate, and maintain the Services, including image optimization, SEO auditing, metadata management, page speed optimization, structured data generation, content creation, broken link detection, sitemap generation, and site audit reporting.

3.2 AI-powered features. Certain features, including blog content generation, AI-generated product descriptions, and SEO recommendations, involve sending relevant portions of your store data to third-party AI providers (currently OpenAI and Anthropic) for processing. Data sent to AI providers is limited to what is necessary for the specific feature, is transmitted securely, and is subject to the data processing terms of those providers. Your store data is not used to train, fine-tune, or improve any AI models — it is used solely for generating the requested output and is not retained by the AI provider beyond the duration of the request. We do not send personally identifiable end-customer data to AI providers.

3.3 SEO analysis. Certain features, including SERP analysis and keyword research, involve sending search queries and URL data to third-party SEO data providers (currently DataForSEO) to retrieve search engine results and competitive data.

3.4 Service improvement. To analyze usage patterns, identify issues, and improve the functionality and performance of the Services.

3.5 Communication. To send you service-related communications, including technical notices, support responses, security alerts, and product updates.

3.6 Compliance. To comply with applicable legal obligations, respond to lawful requests from public authorities, and enforce our Terms and Conditions.

4. Lawful Basis for Processing

Under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable data protection laws, we rely on the following lawful bases for processing your personal data:

4.1 Performance of a contract. Processing necessary to provide the Services you have requested by installing and using the App (Article 6(1)(b) GDPR).

4.2 Legitimate interests. Processing necessary for our legitimate interests, including improving the Services, ensuring security, and conducting analytics, where those interests are not overridden by your rights and freedoms (Article 6(1)(f) GDPR).

4.3 Consent. Where we rely on consent (for example, for marketing communications or non-essential cookies), you may withdraw your consent at any time by contacting us at info@tinyseo.com or by adjusting your cookie preferences (Article 6(1)(a) GDPR).

4.4 Legal obligation. Processing necessary to comply with a legal obligation to which we are subject (Article 6(1)(c) GDPR).

5. Data Sharing and Sub-Processors

We share personal data only as necessary to deliver and support the Services. We do not sell personal data. The following categories of third parties may receive personal data:

Sub-Processor

Purpose

Data Shared

Location

Shopify Inc.

Platform, billing, authentication

Store data, account data, billing

Canada / USA

OVH SAS

Server hosting and infrastructure

All data processed by the Services

EU (France)

Amazon Web Services (CloudFront)

Content delivery network (CDN)

Optimized images, static assets

Global (edge locations)

OpenAI

AI content generation

Store content for AI processing

USA

Anthropic

AI content generation

Store content for AI processing

USA

DataForSEO

SEO data and SERP analysis

Search queries, URLs

USA / EU

Google (Analytics)

Website analytics

Website visitor data (anonymized)

USA

We may also share data with professional advisors (legal, accounting), law enforcement when required by law, or in connection with a merger, acquisition, or sale of assets (in which case we will notify affected users).

We maintain contracts with all sub-processors that include data protection obligations consistent with this Privacy Policy and applicable law.

6. International Data Transfers

6.1 TinySEO is based in Cyprus (EU). Some of our sub-processors are located outside the European Economic Area, including in the United States and Canada.

6.2 For transfers of personal data outside the EEA, we rely on one or more of the following safeguards: European Commission adequacy decisions (including the EU-US Data Privacy Framework where applicable); Standard Contractual Clauses (SCCs) approved by the European Commission; or the sub-processor’s binding corporate rules or equivalent measures.

6.3 You may request information about the specific safeguards applied to international transfers of your data by contacting us at info@tinyseo.com.

7. Data Retention

7.1 Account and store data. We retain your account data and store data for as long as the App remains installed on your Shopify store. Upon uninstallation, we retain this data for up to 90 days to facilitate potential reinstallation and data recovery, after which it is deleted.

7.2 Optimized images and content. Optimized image files and generated content are retained for as long as the App is installed. Original image backups are retained for up to 30 days after optimization to allow for restoration.

7.3 Usage and analytics data. Aggregated and anonymized usage data may be retained indefinitely for statistical analysis and service improvement.

7.4 Support communications. Records of support interactions are retained for up to 24 months after the last communication for quality assurance and dispute resolution purposes.

7.5 Legal requirements. We may retain certain data for longer periods where required by applicable law, regulation, or legal proceedings.

The following describes the cookies and tracking technologies used on the tinyseo.com marketing website only. The Shopify App itself does not set, read, or use any cookies. Shopify’s App Store policies prohibit embedded apps from placing cookies on merchant browsers, and TinySEO fully complies with this requirement. All cookies described below apply exclusively to visitors of tinyseo.com.

Essential cookies

Name

Purpose

Duration

CookieConsent

Stores your cookie consent preferences

1 year

PHPSESSID

Maintains session state across page requests

Session

Analytics cookies

Name

Provider

Purpose

Duration

_ga

Google Analytics (GA4)

Distinguishes unique visitors

2 years

_ga_*

Google Analytics (GA4)

Maintains session state

2 years

Marketing cookies

Name

Provider

Purpose

Duration

_fbp

Meta (Facebook)

Tracks visits across websites for ad targeting

3 months

fr

Meta (Facebook)

Delivers and measures ad effectiveness

3 months

You can manage your cookie preferences at any time through the cookie consent banner on our website, or by adjusting your browser settings. Disabling non-essential cookies will not affect the functionality of the App.

9. Social Media and Analytics Integrations

9.1 Our website uses tracking pixels and analytics integrations from third-party social media platforms, including Meta (Facebook and Instagram), for the purpose of measuring advertising effectiveness and understanding how visitors reach our website.

9.2 These integrations may collect data about your browsing activity on our website, including pages visited and actions taken, and may associate this data with your profile on the respective social media platform. This data collection is subject to the privacy policies of those platforms.

9.3 TinySEO does not use social media services for user authentication. All App authentication is handled through Shopify’s OAuth system.

10. Data Security

10.1 We implement commercially reasonable technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encrypted data transmission (TLS/SSL), access controls and authentication, regular security reviews, network monitoring and intrusion detection, and secure server infrastructure.

10.2 While we take reasonable precautions, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security of your data.

10.3 If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law.

11. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:

11.1 Right of access. You have the right to request a copy of the personal data we hold about you.

11.2 Right to rectification. You have the right to request correction of any inaccurate or incomplete personal data.

11.3 Right to erasure. You have the right to request deletion of your personal data, subject to any legal obligations that require us to retain it. If you require immediate deletion of all personal data without the standard 90-day retention window described in Section 7.1, you may submit an urgent erasure request by emailing info@tinyseo.com with the subject line “Immediate Data Deletion Request.” We will process such requests within 72 hours and provide written confirmation once deletion is complete. Please note that immediate deletion is irreversible — data cannot be recovered after this process.

11.4 Right to restrict processing. You have the right to request that we restrict the processing of your personal data in certain circumstances.

11.5 Right to data portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

11.6 Right to object. You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

11.7 Right to withdraw consent. Where processing is based on consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

11.8 Right to lodge a complaint. You have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus or with the supervisory authority in your country of residence.

To exercise any of these rights, please contact us at info@tinyseo.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

12. Children’s Privacy

The Services are designed for use by businesses and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us and we will take steps to delete such data.

13. Changes to This Privacy Policy

13.1 We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will update the “Last updated” date at the top of this page and provide reasonable notice, such as an in-app notification or email.

13.2 We encourage you to review this Privacy Policy periodically. Your continued use of the Services after changes are posted constitutes your acceptance of the revised policy.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a concern about how we handle your data, please contact us: