Privacy Policy

Carve is a product optimization platform for Shopify merchants, operated by Vinga AI AB, a company registered in Sweden (“Carve”, “we”, “us”). Carve is the data controller for personal data processed through the service. We process data on the basis of consent, contract performance, legitimate interest, and legal obligations as applicable under Article 6 of the GDPR.

For privacy questions, data access requests, or to exercise your rights under this policy, contact us at william@carve.ac.

We collect only the data necessary to provide and improve the service, and we use it only for the purposes described below. If we need to use data for a new purpose not covered here, we will update this policy and, where required, obtain your consent before doing so.

Where we rely on legitimate interest, we have assessed our interest against the rights and freedoms of the data subjects affected, and we have designed our data practices — including the anonymization of cross-merchant aggregates and the scoping of access through row-level security — to minimize the impact on those rights. You can object to processing based on legitimate interest at any time by contacting us at the email in Section 1.

Carve’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, data we receive through the webmasters.readonly and analytics.readonly OAuth scopes is used to:

• Measure the performance of your product pages and display those measurements in your Carve dashboard.
• Compute reward signals that improve content optimization for your own store within the Carve application.
• Contribute, in aggregated and anonymized form only, to Carve’s product improvement dataset as described in Section 7.

We do not use Google API data to serve advertisements, including retargeting or personalized advertising. We do not transfer Google API data to third parties except as necessary to provide the service (for example, our infrastructure providers listed in Section 8). We do not allow humans to read Google API data except with your explicit consent, for security investigations, or to comply with applicable law. We do not sell Google API data under any circumstances.

We access your Shopify store through the Admin API using scopes limited to product data. We do not request access to orders, customers, checkouts, or other sensitive resources. Shopify credentials are encrypted at rest.

We honor Shopify’s mandatory GDPR webhooks: customers/data_request and customers/redact are acknowledged and logged — because Carve does not store end-customer personal data from Shopify, there is no data to return or delete. shop/redact clears any remaining Shopify credentials associated with the shop.

When you uninstall Carve from your Shopify store, we clear your Shopify access credentials immediately.

While your account is active, we retain the data described above to provide continuous optimization and performance measurement. Our reinforcement learning loop benefits from historical signal, so disconnecting a data source does not delete previously synced data.

Disconnecting a data source (Shopify, Google Analytics 4, Google Search Console, Yotpo, or Judge.me) clears the access credentials for that source immediately. Historical data already synced from that source is retained for the duration of your Carve account so that you can reconnect without losing continuity.

Deleting your account triggers permanent deletion of all data associated with your workspace: merchant profiles, product catalogs, feed runs, optimizations, analytics data, scoring history, team members, and activity logs. Deletion is irreversible. To delete your account, use the workspace deletion function in Carve or contact us at the email in Section 1.

Customer review personal information (reviewer names, emails, phone numbers, IP addresses) is discarded during ingestion and never retained beyond the duration of the sync operation.

Carve uses machine learning to identify patterns in what kinds of product content perform well across different categories and verticals. To support this, we retain aggregated and anonymized statistical patterns derived from historical performance data — such as which content structures tend to perform well within a product category. These aggregates contain no merchant-identifying information and cannot be linked back to any individual merchant or store. Under GDPR Recital 26, data that has been anonymized in this way falls outside the scope of personal data protections, and we retain it as part of Carve’s product improvement dataset. Account deletion removes all merchant-identifiable data but does not remove contributions that have already been incorporated into these anonymized aggregates.

We do not transfer merchant data to third-party AI providers for the purpose of training their models. Prompts sent to OpenAI and Perplexity for optimization generation are covered by those providers’ standard API terms, under which API inputs are not used for model training by default.

We share data with the following service providers strictly to operate Carve:

• Supabase — database and authentication
• Vercel — application hosting and serverless compute
• OpenAI — large language model inference for content analysis and optimization generation
• Perplexity — product data enrichment via web search
• Upstash — job queue infrastructure
• Shopify, Google, Yotpo, Judge.me — source platforms you explicitly connect

Each provider accesses data only as needed to deliver its part of the service. We do not sell data to any third party.

If Carve is acquired, merged, or restructured — including changes to the legal entity that operates the service — merchant data may transfer to the successor entity as part of that transaction. We will notify active users of any such transfer and update this policy to reflect the new controller. The successor entity will be bound by the commitments in this policy until a new policy is published and users are given notice of the change.

Carve is operated from Sweden, within the European Economic Area. Some of our subprocessors are located in the United States, including OpenAI, Vercel, and Supabase (depending on the selected region). Transfers to the United States rely on the EU-US Data Privacy Framework, where the provider is certified, and on Standard Contractual Clauses with each provider as a supplementary safeguard.

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with comparable data protection laws, you have the right to access the personal data we hold about you, request correction or deletion, object to or restrict processing, withdraw consent where we rely on it, and request portability of your data. To exercise any of these rights, contact us at the email in Section 1. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Sweden this is Integritetsskyddsmyndigheten (IMY). If you are based elsewhere in the EEA, you may contact your national data protection authority.

Carve is a business-to-business service intended for Shopify merchants and their team members, and is not directed at children. We do not knowingly collect personal data from individuals under the age of 16. If you believe a child has provided us with personal data, please contact us at the email in Section 1 and we will delete it promptly.

In the event of a personal data breach affecting your data, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34.

We encrypt sensitive credentials at rest using AES-256-GCM, use TLS for all data in transit, enforce row-level security on merchant data in our database, and limit administrative access to authorized personnel. No system is perfectly secure, but we take reasonable steps to protect the data you entrust to us.

We may update this policy as Carve evolves. Material changes will be communicated to active users by email. The “Last updated” date at the top of this policy reflects the most recent revision.

Questions, concerns, data requests, or complaints: william@carve.ac

Vinga AI AB, Sweden