PRIVACY POLICY

Last updated: June 22, 2026

This Privacy Notice for Mousa Khodaei (doing business as Fiducia) ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal information do we process? When you use our Services, we may process personal information depending on how you interact with us, the choices you make, and the products and features you use. Learn more about personal information you disclose to us.

Do we process any sensitive personal information? No. We do not process sensitive personal information (such as racial or ethnic origin, sexual orientation, or religious beliefs).

Do we collect any information from third parties? Yes — when a merchant installs Fiducia, we receive limited order and customer information from Shopify's Admin API in order to provide our analytics Services. We do not collect information from public databases, marketing partners, data brokers, or social media platforms. Learn more about information collected from other sources.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, and to comply with law. We do not process your information for advertising or marketing purposes. Learn more about how we process your information.

In what situations and with which parties do we share personal information? We may share information with the specific third-party service providers described in when and with whom we share your personal information.

How do we keep your information safe? We have organizational and technical processes and procedures in place to protect your personal information. However, no electronic transmission or storage technology can be guaranteed to be 100% secure. Learn more about how we keep your information safe.

What are your rights? Depending on where you are located, applicable privacy law may give you certain rights regarding your personal information. Learn more about your privacy rights.

How do you exercise your rights? The easiest way is by contacting us at [email protected]. We will consider and act upon any request in accordance with applicable data protection laws.

TABLE OF CONTENTS

  1. What information do we collect?
  2. How do we process your information?
  3. What legal bases do we rely on to process your personal information?
  4. When and with whom do we share your personal information?
  5. Do we use cookies and other tracking technologies?
  6. Do we offer artificial intelligence-based products?
  7. Is your information transferred internationally?
  8. How long do we keep your information?
  9. How do we keep your information safe?
  10. Do we collect information from minors?
  11. What are your privacy rights?
  12. Controls for Do-Not-Track features
  13. Do United States residents have specific privacy rights?
  14. Do other regions have specific privacy rights?
  15. Data processing, deletion, and access requests
  16. Do we make updates to this notice?
  17. How can you contact us about this notice?
  18. How can you review, update, or delete the data we collect from you?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you express an interest in our Services, when you use the Services, or when you contact us. The personal information we collect may include:

Sensitive Information. We do not process sensitive information.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information collected from other sources

In Short: We obtain limited personal information about your customers from Shopify's Admin API in order to provide our Services.

When a merchant installs and uses Fiducia, we receive order and customer information from Shopify, including a customer ID and customer email address associated with each order. We use this information solely to provide profit analytics, customer segmentation, lifetime value, and cohort analysis to the merchant, and to identify and erase the relevant records when a deletion request is received. We do not obtain information about you from public databases, marketing partners, data brokers, affiliate programs, or social media platforms, and we do not use this information for targeted advertising or marketing purposes.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, and to comply with law. We do not process your information for advertising or marketing purposes.

We process your personal information for the following reasons:

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We only process your personal information when we have a valid legal reason to do so, such as with your consent, to comply with laws, to fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

If you are located in the EU or UK, the GDPR and UK GDPR require us to explain the valid legal bases we rely on:

If you are located in Canada, we may process your information with your express or implied consent, which you may withdraw at any time, or as otherwise permitted by applicable Canadian law.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We share information only with the specific service providers described below, who process it solely on our instructions.

We have contracts in place with each provider below designed to safeguard your personal information. They cannot use your personal information for any purpose other than providing services to us, and they do not share it with any other organization.

We do not sell or share your personal information with any other third party, and we do not use it for advertising or marketing purposes.

Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We use a single, essential cookie required to operate the Services. We do not use cookies or similar technologies for advertising, marketing, or analytics.

Fiducia uses one cookie, set by Shopify's application framework, that is strictly necessary to authenticate your session within the Shopify Admin. We do not use tracking pixels, web beacons, or any cookie for advertising, retargeting, or analytics purposes, and we do not permit any third party to use tracking technologies on our Services.

6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

In Short: Yes — we use AI to generate a written summary of profit performance, using only aggregated business data.

As part of our Services, we offer an AI-generated weekly profit narrative, powered by a third-party AI service provider, Anthropic. This feature provides AI insights and AI document generation — a written summary of the merchant's profit performance, top and worst performing products, and customer segment trends.

Only aggregated, anonymized business metrics (such as total profit, margin percentages, product names, and coupon codes) are shared with Anthropic to generate this narrative. We do not share raw customer personal information — such as a customer ID or customer email — with Anthropic or any other AI service provider.

7. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

In Short: We may transfer, store, and process your information in countries other than your own.

Our servers, and those of our service providers (Railway, Resend), are located in the United States. If you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, your information will be transferred to and processed in the United States.

We rely on the European Commission's Standard Contractual Clauses as the legal mechanism for transferring personal information from the EEA or UK to the United States. Our Standard Contractual Clauses can be provided upon request.

8. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as you have an account with us, unless a longer period is required by law.

We will only keep your personal information for as long as you have Fiducia installed, unless a longer retention period is required or permitted by law. See Data Processing, Deletion, and Access Requests below for the specific deletion timeline that applies upon uninstallation.

9. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through organizational and technical security measures.

We use HTTPS/TLS to secure data in transit, validate every incoming webhook with HMAC signatures, encrypt stored OAuth access and refresh tokens, and restrict database access to our application's runtime environment. However, no electronic transmission or storage technology can be guaranteed to be 100% secure.

10. DO WE COLLECT INFORMATION FROM MINORS?

We do not knowingly collect data from or market to children under 18 years of age. Fiducia is a business tool intended for use by merchants operating a Shopify store, not by individual consumers. If you become aware of any data we may have collected from a minor, please contact us at [email protected].

11. WHAT ARE YOUR PRIVACY RIGHTS?

Depending on your location, you may have the right to request access to and a copy of your personal information, request correction or deletion, restrict or object to processing, request data portability, and withdraw consent where applicable. You can exercise these rights by contacting us at [email protected].

If you are located in the EEA or UK and believe we are unlawfully processing your personal information, you have the right to lodge a complaint with your Member State or UK data protection authority. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

Account Information

Merchants can update their account information by adjusting settings within the Shopify Admin or within Fiducia's settings page. To delete account data, merchants can uninstall Fiducia from the Shopify Admin — all associated data is automatically and permanently deleted within 48 to 72 hours of uninstall. Merchants may also contact us at [email protected] to request deletion sooner or to ask questions about their data.

12. CONTROLS FOR DO-NOT-TRACK FEATURES

Because there is not yet a uniform technical standard for recognizing Do-Not-Track ("DNT") signals, we do not currently respond to DNT browser signals. This has no practical effect on you, since we do not use tracking technologies in the first place.

13. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have rights to access, correct, delete, and obtain a copy of your personal information, and to opt out of certain processing. These rights may be limited in some circumstances by applicable law.

Categories of Personal Information We Collect

Category | Examples | Collected?
A. Identifiers | Email address, account/customer ID | YES
B. California Customer Records | Name, address, education, employment, financial info | NO
C. Protected classifications | Gender, age, race, national origin, etc. | NO
D. Commercial information | Purchase/order history | YES
E. Biometric information | Fingerprints, voiceprints | NO
F. Internet/network activity | UTM/ad-attribution data tied to an order | YES
G. Geolocation data | Precise device location | NO
H. Audio/visual information | Recordings, images | NO
I. Professional/employment info | Job title, work history | NO
J. Education information | Student records | NO
K. Inferences | Customer segment, cohort, lifetime-value tier | YES
L. Sensitive personal information | | NO

We retain Categories A, D, F, and K for as long as the merchant has an account with us. We have disclosed Categories D, F, and K to our third-party service providers (Railway) for hosting purposes — see When and with whom do we share your personal information. We have not sold or shared any personal information with any third party for advertising or marketing purposes in the preceding twelve months.

Your Rights

To exercise these rights, contact us at [email protected]. You may designate an authorized agent to submit a request on your behalf, subject to proof of authorization. We may need to verify your identity before processing a request.

Appeals. If we decline to act on your request, you may appeal by emailing [email protected]. We will respond in writing with the outcome. If your appeal is denied, you may submit a complaint to your state attorney general.

California "Shine the Light" Law. California residents may request, once a year and free of charge, information about any personal information we disclosed to third parties for direct marketing purposes in the preceding calendar year. We do not disclose personal information for direct marketing purposes.

14. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?

Australia and New Zealand. We process your personal information under the obligations and conditions of Australia's Privacy Act 1988 and New Zealand's Privacy Act 2020. You have the right to request access to or correction of your personal information, and to lodge a complaint with the Office of the Australian Information Commissioner or the Office of the New Zealand Privacy Commissioner.

Republic of South Africa. You have the right to request access to or correction of your personal information. If you are unsatisfied with our response, you may contact The Information Regulator (South Africa) at [email protected].

15. DATA PROCESSING, DELETION, AND ACCESS REQUESTS

Data Processing Relationship. When you install Fiducia, you (the merchant) are the data controller and Fiducia acts as a data processor, processing personal information solely on your instructions to provide the app's analytics functionality.

Deletion Timeline. Upon uninstalling Fiducia, all associated shop data — including customer ID and customer email — is permanently deleted within 48 to 72 hours.

Data Access and Export Requests. Requests to access or export personal information are currently processed manually. We aim to respond within 30 days of receiving a request at [email protected].

16. DO WE MAKE UPDATES TO THIS NOTICE?

We may update this Privacy Notice from time to time. The updated version will be indicated by a revised "Last updated" date at the top of this notice. We encourage you to review this Privacy Notice periodically.

17. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at [email protected] or contact us by post at:

Nasim Fallah
Ritterstraße 12
26789 Leer
Germany

18. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

You have the right to request access to, correction of, or deletion of the personal information we collect from you. To submit such a request, please email [email protected].