Privacy Policy

Last updated: June 14, 2026 · AdCreator AI for Shopify

This policy explains what AdCreator AI ("the app", "we") collects from your Shopify store when you install it, what we do with that data, and how to remove your data if you uninstall.

What we collect on install

When you install AdCreator AI from the Shopify App Store, we receive and store:

• Shop identifier and domain (e.g. yourstore.myshopify.com) — used to recognize your shop on every request.
• OAuth access token — encrypted at rest with AES-256-GCM and used to make Shopify Admin API calls on your behalf.
• Shop metadata (name, owner name, email, currency, country, primary domain, timezone) — pulled via the Shopify Admin GraphQL API and used to brand the ad copy we generate for you.

What we collect when you use the app

• Product photos you upload — stored on our server, scoped to your shop's directory, and used as the source frame for AI image-to-video generation.
• Product descriptions and ad prompts you write — sent to our AI providers (see below) to generate ad copy and video. We store the generated outputs so you can reference them later.
• Usage counters — number of image ads and video ads generated per month, used to enforce plan quotas.

What we don't collect

• We don't read or store your customer data (names, emails, addresses, orders).
• We don't read or store your product catalog beyond what you explicitly type into the app.
• We don't track or profile your shoppers.
• We don't sell, rent, or share data with marketing partners.

Third-party AI providers we send your data to

Generating ad copy and video requires calling third-party AI providers. The prompts you write and the photos you upload are sent to the providers below for the duration of each generation request. They process the request and return a result; we do not authorize them to retain your data for training.

• Groq, Cerebras, DeepSeek, Mistral, Google Gemini, Anthropic, OpenAI — text generation (ad copy). Provider is chosen automatically per request based on availability and cost.
• Kling AI (klingai.com) — video generation (Pro+ plan only).
• ElevenLabs (elevenlabs.io) — voiceover synthesis on generated video ads (Pro+ plan only). Only the voiceover script you write is sent; product photos and shop data are never sent to ElevenLabs.

Billing

All paid plans are billed through the Shopify Billing API. We never see or store your payment method — Shopify handles the charge, and we receive a webhook indicating your active plan. Cancellation, refunds, and disputes flow through the standard Shopify billing surface in your admin.

Webhooks Shopify sends us

For compliance with Shopify's platform requirements we register these GDPR mandatory webhooks:

• customers/data_request — when a customer of your shop requests their data, we report that we hold none.
• customers/redact — when a customer requests deletion, we report that we hold none.
• shop/redact — 48 hours after uninstall, we delete all stored data for the shop (see below).
• app/uninstalled — fires when you uninstall; we immediately revoke and erase your access token.
• shop/update — keeps shop metadata (currency, plan, locale) in sync.

Data retention and deletion

Your data is retained for as long as the app is installed. When you uninstall:

• Your encrypted access token is erased immediately on the app/uninstalled webhook.
• All shop data (shop row, generated ads, video jobs, brand kit, uploaded photos) is deleted within 48 hours, triggered by the shop/redact webhook Shopify sends.
• If you'd like deletion sooner, email customer.service@0xpi.com and we'll process it within one business day.

Security

• Access tokens are encrypted at rest using AES-256-GCM. The encryption key is held outside the database.
• All Shopify-side communication is over HTTPS.
• All inbound webhook requests are verified with HMAC-SHA256 against the app's secret before being processed.
• All embedded-app requests are verified with Shopify session tokens (signed JWT, HS256).

Cookies and tracking

The embedded app does not set cookies and does not run analytics or tracking scripts. The only cookies you'll encounter on this domain are Shopify's session cookies that App Bridge needs to render the app inside Shopify admin.

Changes to this policy

If we change what we collect or how we use it, we'll update this page and the "Last updated" date above. Material changes will be announced inside the embedded app.

Contact

Questions, concerns, or data requests: customer.service@0xpi.com

Support · Back to app