1. Overview
Sumeru Systems ("Sumeru," "we," "us") provides a commerce intelligence runtime — software that connects to your e-commerce platform, search console, advertising accounts, and messaging surfaces to produce attribution, automation, and analytics outputs. This policy describes the personal data we process to deliver that service.
If you are a customer (i.e. an organisation contracting with us for the runtime), our role is data processor as defined under the GDPR; your end-customers' data is processed under your instructions. If you are an end-user (a website visitor or a buyer at one of our customers' stores), our customer is the controller and we are the processor; you should contact our customer first for data-access requests.
2. Scope
This policy applies to:
- Data we collect on sumeru.systems (this website)
- Data processed when our customers' shops route events through Sumeru's runtime
- Data collected when you contact us via the form, email, or phone
This policy does not apply to third-party platforms our customers integrate (Shopify, Google, Meta, etc.). Those platforms have their own privacy policies.
3. Data we collect
From you (a visitor to this site):
- Form submissions: name, work email, company, role, GMV bracket, stack, current attribution tool, notes (only when you submit the contact form)
- IP + user-agent: captured by the lead-capture Worker for spam detection; not used for marketing tracking
- Aggregated analytics: via Plausible Analytics — no cookies, no personal identifiers, only aggregate page-view counts
From our customers (the organisations contracting with us):
- Account contact (name, work email, role) of users we authorise on the platform
- Authentication tokens for connected platforms (Shopify, Google Ads, Meta, etc.) — encrypted at rest with KMS-managed keys
- Configuration data (rules, thresholds, RBAC assignments, audit log)
From our customers' end-users (e.g. buyers at a Shopify shop):
- Order, refund, and customer events — as they flow from Shopify into Sumeru's ingest pipeline
- Pixel-event data (page view, cart action) — only on customers that enable storefront-side pixel
- Search Console query data — aggregated, not per-user
- Ad-platform conversion data — as our customers grant us scope
4. How we use it
To deliver the service:
- Run attribution, automation, decay detection, and the other engines our customers contract for
- Trigger events to which our customers have subscribed (webhooks, alerts, automation handlers)
- Write audit-log rows for every autonomous action (365-day default retention)
- Authenticate users and enforce per-shop RBAC
To improve the service:
- Diagnose errors via redacted error logs (PII scrubbed before persistence)
- Aggregate anonymous usage patterns to prioritise engineering investment
To run our business:
- Reply to your contact-form submission within 4 business hours
- Send service-related emails (billing, security incidents, scheduled maintenance)
- Comply with legal obligations (subpoena, lawful court order, tax records)
We do not sell personal data. We do not use customer-supplied event data to train any general-purpose model.
5. Legal basis (GDPR)
For EU/EEA/UK data subjects, we rely on the following Article 6 lawful bases:
- Contract (6(1)(b)): processing necessary to deliver the runtime to our customer
- Legitimate interest (6(1)(f)): security, fraud prevention, aggregated service improvement
- Legal obligation (6(1)(c)): tax, accounting, lawful court orders
- Consent (6(1)(a)): only where required — e.g. marketing emails to subscribed addresses
6. Sharing + subprocessors
We share data only with subprocessors necessary to deliver the service. Current subprocessor list (data location · category):
- Cloudflare (USA · EU edge) — hosting, CDN, Worker runtime for lead-capture
- AWS (USA · EU multi-region) — primary application hosting
- Stripe (USA) — payment processing
- Resend (USA) — transactional email
- Anthropic Claude API (USA) — AI Copilot inference (per-shop opt-in)
- OpenAI (USA) — AI Copilot inference (per-shop opt-in)
- Google Cloud Platform (USA · EU multi-region) — overflow + redundancy
- DataForSEO (USA) — backlink + SERP intelligence (Competitor Intelligence engine only)
- Plausible Analytics (EU) — cookie-less aggregate analytics for this website
The subprocessor list is updated as we add or remove vendors. Material changes are notified to active customers 30 days in advance.
7. Retention
- Audit log: 365 days default (configurable per-tier)
- Customer event data: retained for the duration of the merchant's subscription. After uninstall, Shopify sends a shop/redact webhook ~48 hours later; we delete all shop-scoped data immediately on receipt. If the merchant reinstalls within that 48-hour window, data is preserved.
- Authentication tokens: retained for the duration of the OAuth grant; rotated hourly; deleted immediately on revocation
- Lead-form submissions: 24 months (per CRM retention)
- Server access logs: 90 days
- Backups: 30 days encrypted, then purged
8. Security
Details are on our Security & Trust page. In summary:
- AES-256-GCM encryption at rest; symmetric keys stored outside the application database and rotated on a defined schedule
- TLS 1.3 in transit, modern cipher suites only
- Schema-level tenant isolation enforced on every database query
- 145 fine-grained RBAC permissions
- SOC 2 Type II audit in progress (target completion 2026 Q2)
- Multi-AZ Postgres with synchronous replica; daily encrypted snapshots; quarterly restore drills
9. Your rights
Depending on your jurisdiction (GDPR, UK GDPR, CCPA/CPRA, LGPD, etc.), you may have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase data (subject to legal retention obligations)
- Restrict or object to processing
- Port your data (machine-readable export)
- Withdraw consent at any time
- Lodge a complaint with your local data-protection authority
To exercise any of these, email privacy@sumeru.systems. We respond within 30 days; usually faster.
If you are an end-user of one of our customers' shops, please contact that customer first — they are the data controller and best positioned to fulfil your request.
For buyers at a Shopify merchant who uses Sumeru: when you exercise erasure rights through the merchant's Shopify admin, Shopify sends us a customers/redact event. We anonymise or delete your personal data across all linked records (orders, messages, attribution events, opt-in records) within 30 days of receipt — typically within 24 hours. Anonymisation preserves aggregate counts (e.g. "5 messages sent") without retaining identifying information.
10. International transfers
Sumeru is headquartered in India, operates infrastructure in the USA and EU, and serves customers globally. Where data is transferred across borders, we rely on:
- Standard Contractual Clauses (2021) for EU/EEA → US transfers
- UK International Data Transfer Addendum for UK → non-adequate destinations
- Data residency options at Enterprise tier — EU-only deployment available
11. Cookies + tracking
This website uses no marketing cookies. We use Plausible Analytics for aggregated page-view counts (no cookies, no personal identifiers, EU-hosted). Functional cookies may be set for session state if you authenticate to the customer-facing application; those are essential and not used for tracking.
12. Children
Sumeru is a B2B service and is not directed at children under 16. We do not knowingly collect data from children. If you believe we have, email privacy@sumeru.systems and we will delete it.
13. Changes to this policy
Material changes are notified to active customers 30 days before they take effect. Non-material changes (clarifications, formatting, link updates) are reflected in the "Last updated" date at the top of this page.
14. Contact us
Privacy questions, data-access requests, complaints, or subprocessor-list requests:
- Email · privacy@sumeru.systems
- Legal · legal@sumeru.systems
- Mail · postal address available on request via legal@sumeru.systems
For our Data Processing Agreement (DPA), see /legal/dpa. For our Terms of Service, see /legal/terms.