Privacy Policy
Last updated: 25 April 2026
1. Introduction
This Privacy Policy explains how StoreAI (“we”, “us”) handles information when you use our web application at store.bbiz.ai and our companion Chrome extension. We aim to be specific about what data leaves your machine and what stays on it, so you can make an informed call about whether StoreAI is right for you.
2. Single purpose
StoreAI exists for one purpose: to monitor a Shopee seller’s own store data on the seller’s own behalf, surface anomalies, and deliver scheduled summaries. We do not use the extension or web app for any unrelated purpose, secondary data product, advertising network, or analytics resale.
3. What we collect
For StoreAI to do its job, the Chrome extension extracts the following from your own Shopee Seller Centre while you are signed in to it, and uploads the extracted data to our servers (Supabase, hosted in Singapore):
- Aggregate sales figures: today’s GMV, order count, conversion rate, visitor count, average order value.
- Per-SKU listing data: product name, SKU id, listed price, stock level, listing status (on sale / out of stock / unlisted).
- Per-SKU performance: orders, GMV, impressions, clicks (where Shopee surfaces these).
- Ad campaign data: campaign id, name, daily spend, clicks, orders, ROAS, state.
- Review summary: shop rating, count of unanswered negative reviews, review-rate-of-orders.
- Competitor product pages you have explicitly registered as competitors: price, sold count, rating.
- Account email (for sign-in), brand name, timezone, your morning brief / evening recap times, your Telegram chat id (after you pair it).
- Subscription status, billing-related metadata returned by Stripe.
All of the above is information that you can already see in your own Shopee Seller Centre; we extract a subset of it on your behalf to generate alerts and reports. Nothing is collected from stores you do not own.
4. What we deliberately do NOT collect
- Your Shopee password or any other authentication credential.
- Your Shopee session cookies or any browser-managed session token. The extension scrapes your already-authenticated browser session; cookies stay in Chrome where Shopee placed them.
- Buyer personal data — names, addresses, phone numbers, payment cards, chat content. The extractors target aggregate metrics and product-level data only.
- Your browsing history outside Shopee. The extension’s content scripts only run on seller.shopee.com.my and shopee.com.my.
- Keystrokes, mouse movements, screen captures, audio, video, biometric data.
- Card numbers. Payment is handled by Stripe; card data never touches StoreAI servers.
5. Chrome extension permissions
Each Chrome permission the extension requests, and the narrow reason it requests it:
| Permission | Reason |
|---|---|
| storage | Persist your sign-in token, brand settings, and last-scan history on your local Chrome profile. |
| alarms | Trigger the morning and evening scans at the times you configured. |
| activeTab | Read the currently-open Shopee Seller Centre page when a scan runs. |
| tabs | Open and close the dedicated scan window the extension uses to step through Shopee dashboard pages. |
| scripting | Inject the scraping content scripts into Shopee pages. |
| cookies | Read browser cookies for shopee.com.my so the scan window inherits your existing login. Cookies are not transmitted to our servers. |
| host_permissions: seller.shopee.com.my, shopee.com.my, your StoreAI origin | Restrict where content scripts run, and where the SSO handshake with the web app is allowed to happen. |
6. Third-party processors
StoreAI is a thin layer over a small set of vendors. Each receives only the data they need for their function:
| Vendor | Function and data received |
|---|---|
| Supabase | Database + auth. Stores everything in §3 except payment card data. Hosted in Singapore (ap-southeast-1). |
| Anthropic (Claude API) | Receives the structured alert data (rule id, numbers, product names) to generate human-readable diagnosis text. Stateless per Anthropic’s commercial terms — not used for model training. |
| Stripe | Subscription billing. Receives your account email, brand id, and payment information you provide on the Stripe Checkout page. We never see your card number. |
| Telegram (Bot API) | Receives your morning brief / evening recap text + your linked chat id, in order to deliver the message. |
| Vercel | Hosts the web app + cron functions. Receives request/response data necessary to serve traffic. |
We do not sell data, share with advertisers, or use the data we collect to train external machine-learning models.
7. Security
All extension ↔ server traffic is encrypted in transit (HTTPS / TLS 1.2+). Server-side data sits in Supabase Postgres with row-level security policies that prevent any account from reading or writing another account’s rows. Extension authentication uses opaque bearer tokens; we store only a SHA-256 hash, so a database leak does not yield usable credentials.
8. Your rights
You can:
- Access — your dashboard at /dashboard always reflects the latest data we hold for you.
- Export — email phpsmile@gmail.com and we will return all data tied to your account in JSON within 14 days.
- Delete — email the same address and we will permanently delete your account, all scan history, alerts, and competitor data within 14 days. Stripe’s record of past invoices is retained for legal / tax reasons.
- Withdraw consent — uninstall the Chrome extension to stop all future scanning. Data already collected can be deleted via the request above.
9. Retention
Scan payloads are retained while your account is active and for 90 days after a deletion request, after which they are permanently removed. Stripe billing records are retained for 7 years per local tax regulations.
10. Children
StoreAI is a B2B service for ecommerce sellers. It is not intended for, and we do not knowingly collect data from, anyone under the age of 18.
11. Updates to this policy
If we change what data we collect, who we share it with, or how long we keep it, we will update this page and revise the “Last updated” date. Material changes will additionally be communicated via email to active subscribers.
12. Contact
Questions, exports, deletion requests, or anything else: phpsmile@gmail.com.