Privacy Policy

Last updated: February 21, 2026

1. Who We Are

Cassian™ ("Cassian," "we," "us," or "our") is a company registered in New Zealand. We are a remote team based in New Zealand and Canada, and we operate the platform at app.getcassian.com.

Cassian is the data controller for the personal information we collect directly from you (such as your account details). Where we process your customers' data on your behalf through our Shopify integration, we act as a data processor, and our Data Processing Agreement applies.

2. What Data We Collect

We collect the following categories of data:

Account information. Your email address, name, and organisation details provided during registration. We do not collect passwords — authentication is handled via one-time passcodes.

Store data. When you connect a Shopify store, we access product listings, page content, themes, metafields, collections, navigation menus, and other storefront data through the Shopify Admin API. This may include personal data of your customers (names, email addresses) if present in the accessed resources.

Scan results. Screenshots, analysis reports, issue logs, Cassian Score calculations, and historical scan data generated by our platform.

Billing information. Payment card details are collected and processed by Stripe directly. We store your billing address and subscription status but never have access to your full card number.

Usage data. Anonymous analytics about how you interact with the platform, including pages visited, features used, and session duration. We use Vercel Analytics, which does not collect personally identifiable information.

3. How We Collect Data

Directly from you. When you create an account, update your profile, connect a store, or contact support.

From the Shopify API. When you authorise Cassian to connect to your Shopify store, we access store data through the Shopify GraphQL Admin API using the permissions you grant.

Automatically via crawling. Our scanning system visits the public pages of your connected store to capture screenshots, analyse page structure, and evaluate content quality.

Automatically via cookies and analytics. We use essential cookies for authentication and anonymous analytics to understand platform usage. See our Cookie Policy for details.

4. Legal Basis for Processing (GDPR)

Under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), we process your personal data on the following legal bases:

Contractual necessity. Processing your account and store data is necessary to provide the Cassian service under our Terms of Service.

Legitimate interests. We process usage analytics and aggregated data to improve the platform, develop benchmarks, and maintain security. We balance these interests against your privacy rights.

Consent. Where we send you marketing communications or use non-essential cookies, we do so based on your explicit consent, which you may withdraw at any time.

Legal obligation. We may process data to comply with legal requirements, such as tax reporting or responding to lawful requests from authorities.

5. How We Use Your Data

We use your data to:

  • Provide the service — scanning your store, generating reports, calculating your Cassian Score, and delivering findings
  • Manage your account — authentication, organisation settings, and user permissions
  • Process payments — managing subscriptions, invoices, and billing through Stripe
  • Communicate with you — transactional emails (scan results, weekly digests), support responses, and, with your consent, product updates
  • Improve the platform — analysing usage patterns, fixing bugs, and developing new features
  • Maintain security — detecting abuse, preventing fraud, and protecting the integrity of the platform

6. Data Sharing

We do not sell your personal data. We do not share your data with third parties for their own marketing purposes.

We share data only with our subprocessors — third-party services that help us deliver the platform. These include infrastructure providers, payment processors, email services, and AI analysis providers. A complete list is available on our Subprocessors page.

We may also disclose data when required by law, to protect our rights, or in connection with a merger, acquisition, or sale of assets (in which case we will notify you).

7. AI Processing

Cassian uses artificial intelligence to analyse your store data. Specifically, store content is processed by Anthropic Claude, OpenAI GPT, and Google Gemini via their respective APIs.

This processing is transient. Your data is sent to these providers for analysis and the results are returned to Cassian. Neither Anthropic, OpenAI, nor Google retains your data after processing, and your data is not used to train their models. All providers process data under our data processing agreements and are bound by strict confidentiality obligations.

8. Data Retention

Account data. Kept for as long as your account is active. Deleted within 30 days of account closure.

Scan data. Retained according to your plan tier. Inspector retains the most recent scan only. Paid plans retain historical scan data for the duration of the subscription plus 30 days after cancellation.

Billing records. Retained for 7 years as required by New Zealand tax law.

Usage analytics. Aggregated and anonymised data may be retained indefinitely for product improvement and benchmarking purposes.

9. International Data Transfers

Our primary database is hosted by Supabase in Virginia, United States. Your account and store data is stored in the United States by default.

For transfers of personal data from the EU/UK to the United States, we rely on the EU-U.S. Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) as appropriate. Our subprocessors include Vercel (hosting), Cloudflare (CDN and storage), Stripe (payments), Supabase (database), Anthropic (AI analysis), OpenAI (AI analysis), and Google (AI analysis). Where data is transferred internationally, we ensure adequate safeguards are in place in compliance with the UK GDPR and EU GDPR.

Enterprise customers with data residency requirements may request a dedicated EU instance. Contact enterprise@getcassian.com for details.

10. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — ask us to correct inaccurate or incomplete data
  • Right to erasure — request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing — ask us to limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@getcassian.com. We will respond within 30 days. You also have the right to lodge a complaint with the Office of the Privacy Commissioner in New Zealand or your local data protection authority.

11. Cookies

We use cookies and similar technologies on the platform. For detailed information about the cookies we use, their purpose, and how to manage them, please see our Cookie Policy.

12. Children

Cassian is not designed for, marketed to, or intended to be used by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@getcassian.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide at least 30 days' notice via email or a prominent notice within the platform. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact

For privacy-related enquiries, contact:

Cassian — Privacy Team
New Zealand
Email: privacy@getcassian.com

Data Protection Officer: dpo@getcassian.com