Privacy Policy

1. Data Controller

The processing of personal data collected via stepio.app and the associated SaaS application (the "Service") is carried out by:

AB Solutions LLC
1209 MOUNTAIN ROAD PL NE STE N, Albuquerque, NM 87110, United States
Email: contact@stepio.app

2. EU Representative (GDPR)

In accordance with Article 27 GDPR, AB Solutions LLC has appointed the following representative established in the European Union:

EU Data Protection Representative OÜ
Harju maakond, Tallinn, Pärnu mnt 141, 11314, Estonia
Email: privacy@eudataprotection.eu

This representative acts as the EU point of contact for data protection matters.

3. Personal Data We Collect

a) Account Data

  • Name and surname
  • Email address
  • Password (encrypted, never stored in clear text)

b) Billing Data

  • Billing address
  • Stripe customer ID and payment history
  • Amounts, subscriptions, and credits used

c) Technical & Usage Data

  • IP address, browser type/version
  • Dates, times, and duration of sessions
  • Technical logs, error logs, access logs
  • Information related to scraped sites (domain name, site structure)

d) API Connection Data

  • Data explicitly authorized by the user when connecting a Shopify or WooCommerce store: products, collections, blog posts, general statistics (order count, gross revenue)
  • No customer PII from the store (names, emails, addresses) is collected
  • API keys and tokens are encrypted and stored securely

e) AI-Generated Data

  • Texts generated from user instructions (product pages, descriptions, blog posts)
  • Such data is not retained after generation
  • Data entered or generated is not used to train or improve any internal or external AI models

4. Purposes of Processing

  • Create and manage user accounts
  • Perform and deliver the Service
  • Manage billing and payments
  • Security, fraud prevention, and technical maintenance
  • Continuous improvement of the Service and user experience
  • Statistical analysis and performance measurement of the Service (product analytics)
  • Support responses and communications with users

6. Data Retention

| Data Type | Retention Period |
|---|---|
| User account | As long as the account remains active + up to 90 days after deletion |
| Billing data | 10 years (accounting/legal obligations) |
| Technical & security logs | Up to 12 months |
| API keys/tokens | Deleted within 90 days after account deletion |
| Generated data (AI, scraping) | Not retained after generation |
| Automatic backups | Up to 6 months before final deletion |

7. International Data Transfers

Data is hosted securely on servers located in the United States and/or the European Economic Area (EEA), depending on our providers.

Where data is transferred outside the EEA, AB Solutions LLC implements EU Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an equivalent level of protection.

Communications with our EU representative in Estonia occur within the European Union and do not involve transfers to third countries.

8. Processors & Recipients

To operate the Service, AB Solutions LLC uses selected providers:

  • Stripe — payments and billing
  • Supabase — database and authentication
  • Vercel — web application hosting
  • Cloudinary — image hosting and optimization
  • Trigger.dev — background jobs and automations
  • OpenAI — AI content generation
  • Cloudflare — CDN, DDoS protection, and network security
  • Support tools — email/CRM services (e.g., Gmail, Crisp, Intercom, Notion) used solely to respond to user requests
  • Analytics/Performance — product analytics and performance tools (e.g., PostHog, Sentry, or equivalents)

Data may also be shared, to the extent necessary, with: (i) technical service providers acting under AB Solutions LLC’s responsibility; (ii) contractual partners involved in delivering the Service; (iii) competent administrative or judicial authorities legally entitled to receive such information.

Each processor acts strictly under AB Solutions LLC's instructions and confidentiality obligations.

9. Your GDPR Rights

  • Access — obtain a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — “right to be forgotten”
  • Portability — receive your data in a structured, commonly used, machine-readable format (e.g., CSV or JSON)
  • Restriction and Objection
  • Right not to be subject to a decision based solely on automated processing, including profiling, producing legal effects concerning you
  • Complaint — lodge a complaint with your local supervisory authority (e.g., CNIL in France)

To exercise your rights, contact: contact@stepio.app.

We will respond within 30 days, extendable once by an additional 30 days for complex requests, in accordance with GDPR Article 12.

10. Security

We implement appropriate technical and organizational measures, including:

  • Encryption of communications and API keys
  • Restricted access controls
  • Secure cloud infrastructure
  • Firewalls, Cloudflare protection, and continuous monitoring
  • Regular, tested backups

In the event of a security incident likely to result in a risk to individuals' rights and freedoms, AB Solutions LLC will notify the competent supervisory authority within 72 hours of becoming aware of it, pursuant to GDPR Article 33, and inform affected users without undue delay where a high risk is identified.

A Data Processing Agreement (DPA) is available upon request or at: https://stepio.app/dpa.

11. Special Categories of Data

Users agree not to input into the Service any “special category” data within the meaning of GDPR Article 9 (e.g., health data, political opinions, religious beliefs, sexual orientation). Any such data inadvertently entered will be deleted as soon as notified.

12. Cookies Policy

Current status: Stepio does not set any browser cookies. As no cookies are used, no cookie banner is displayed and no consent is required at this time.

If Stepio introduces cookies in the future, we will update this Policy, display a clear notice, and, where required, provide a consent manager allowing users to accept or refuse non-essential cookies.

12.1 Default durations for any future cookies

  • Session cookies: last only for the browsing session and are removed when you close your browser.
  • Essential persistent cookies (if any): up to 12 months by default.
  • Analytics cookies (if introduced): up to 13 months by default.
  • Advertising/marketing cookies (if introduced): up to 13 months by default (only with prior consent).

When/if non-essential cookies are introduced, you will be able to manage your preferences at any time via a cookie settings panel (opt-in/opt-out).

13. Exercising Rights & Contact

For any questions or requests related to this Policy or your personal data, contact: contact@stepio.app. AB Solutions LLC will respond within the timeframes required by GDPR and assist users in exercising their rights.

14. Children's Data

The Service is not intended for children under 16. We do not knowingly collect data relating to minors.

15. Changes to This Policy

AB Solutions LLC may amend this Policy at any time to reflect legal or technical developments. Material changes will be notified by email or on the website.

16. Governing Law

This Policy is governed by the laws of the State of New Mexico, USA. For users located in the European Union, the mandatory provisions of the GDPR continue to apply.

17. California Residents (CCPA)

For California residents, AB Solutions LLC complies with applicable provisions of the California Consumer Privacy Act (CCPA). You may request:

  • Access to your personal information
  • Deletion of your personal information
  • To opt out of the sale of personal information

Submit requests to: contact@stepio.app. AB Solutions LLC does not sell personal information.