1. Introduction
FirstShelf.AI ("we," "us," or "our") is committed to protecting your privacy and ensuring transparency about how we collect, use, and safeguard your personal information. This Privacy Policy explains our data practices when you use our Generative Engine Optimization (GEO) platform and services (collectively, the "Service").
By using the Service, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address: Required for account creation, authentication, and communications
- Password: Securely hashed and stored (for email/password authentication)
- Name: If provided during registration or via Google OAuth
- Profile picture: If provided via Google OAuth
- Google account ID: If you authenticate using Google OAuth
2.2 Product Listing Data
To provide our GEO optimization services, we collect the product information you submit:
- Product titles: The titles of your e-commerce listings
- Product descriptions: Full text descriptions you provide for analysis
- Product tags/keywords: Tags associated with your listings
- Product images: Images you upload for visual analysis
- Platform information: Which e-commerce platform (Etsy, Shopify, etc.) your listing is on
- Product category: The type of product you're selling
2.3 Usage Data
We automatically collect information about how you use the Service:
- Audit and optimization history: Records of analyses and optimizations performed
- Feature usage counts: Number of audits, optimizations, and image generations used
- Session information: Login timestamps and session duration
- Device information: Browser type, operating system, and device type
- IP address: For security, fraud prevention, and approximate location
2.4 Payment Information
We do not directly collect or store payment card details. All payment processing is handled by our third-party payment processor, LemonSqueezy. We receive:
- Subscription status and tier
- Billing cycle dates
- Transaction IDs for reference
- Customer ID from the payment processor
3. How We Use Your Information
We use the information we collect to:
3.1 Provide and Improve the Service
- Analyze your product listings using AI to generate GEO scores and recommendations
- Generate optimized titles, descriptions, and tags for your products
- Analyze uploaded images for text-image alignment and visual quality
- Generate AI-optimized product images (Pro and Premium tiers)
- Store your audit history for future reference
- Track and enforce usage limits based on your subscription tier
3.2 Account Management
- Authenticate your identity and maintain account security
- Process subscription payments and manage billing
- Send transactional emails (audit completions, password resets, etc.)
- Respond to support requests and inquiries
3.3 Service Improvement
- Analyze aggregate usage patterns to improve our algorithms
- Identify and fix technical issues
- Develop new features based on user needs
3.4 Legal and Security
- Prevent fraud, abuse, and unauthorized access
- Comply with legal obligations
- Enforce our Terms of Service
4. AI Processing and Data Handling
4.1 How AI Analyzes Your Data
When you submit product listings for analysis or optimization, your content is processed by AI systems to generate scores, insights, and recommendations. This includes:
- Text analysis for semantic density, structure quality, and entity detection
- Image analysis for visual signal quality and text-image alignment
- Content generation for optimized titles, descriptions, and tags
- Image generation using AI models (for applicable tiers)
4.2 Third-Party AI Providers
We use third-party AI model providers to power our analysis and generation features. When your content is sent to these providers for processing:
- Your data is transmitted securely using encryption
- We use API-based integrations that process but do not retain your data beyond the request
- AI providers are bound by their own privacy policies and data processing agreements
4.3 What We Don't Do
- We do not train AI models on your specific product data
- We do not share your product listings with other users
- We do not use your content for advertising purposes
5. Data Storage and Security
5.1 Where We Store Your Data
Your data is stored using the following services:
- Supabase: Cloud-hosted PostgreSQL database for account data, listings, audits, and optimizations
- Supabase Storage: Secure cloud storage for uploaded and generated images
5.2 Security Measures
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data transmitted between your browser and our servers uses TLS/HTTPS encryption
- Encryption at rest: Database and storage data is encrypted at rest
- Secure authentication: Passwords are hashed using secure algorithms; OAuth tokens are handled securely
- Access controls: Row-level security ensures users can only access their own data
- Signed URLs: Private images use time-limited signed URLs (10-minute expiration)
5.3 Data Retention
- Account data: Retained while your account is active and for a reasonable period after deletion
- Audit history: Retained for your reference; you may request deletion
- Uploaded images: Stored as long as needed for the Service; deleted upon request
- Generated images: Retained in your account unless you delete them
- Usage logs: Retained for security and analytics purposes, typically for 90 days
6. Third-Party Services
We share data with the following third-party service providers who process data on our behalf:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, file storage | All account and listing data |
| LemonSqueezy | Payment processing, subscription management | Email, subscription status, payment details |
| AI Model Providers | Text analysis, content generation, image generation | Listing content submitted for analysis |
| Resend | Transactional email delivery | Email address, email content |
| Google | OAuth authentication (optional) | Authentication tokens, basic profile info |
Each third-party provider is bound by their own privacy policy and applicable data protection laws. We select providers who demonstrate commitment to data security and privacy.
7. Cookies and Tracking
7.1 Essential Cookies
We use essential cookies that are necessary for the Service to function:
- Authentication cookies: To maintain your logged-in session
- Security cookies: To prevent cross-site request forgery (CSRF) attacks
- Preference cookies: To remember your settings and preferences
7.2 What We Don't Use
- We do not use third-party advertising cookies
- We do not use cross-site tracking cookies
- We do not sell data to advertisers or data brokers
8. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal data:
8.1 Access and Portability
You have the right to access the personal data we hold about you and to receive a copy of your data in a portable format. You can view your audit history and account information directly in the dashboard.
8.2 Correction
You have the right to correct inaccurate personal data. You can update your account information through your account settings.
8.3 Deletion
You have the right to request deletion of your personal data. To delete your account and all associated data, contact us at Email us. Note that some data may be retained for legal or legitimate business purposes.
8.4 Restriction and Objection
You may have the right to restrict or object to certain processing of your data. Contact us to discuss your specific situation.
8.5 Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.
8.6 Lodge a Complaint
If you believe your privacy rights have been violated, you have the right to lodge a complaint with your local data protection authority.
9. GDPR Compliance (EEA Users)
If you are located in the European Economic Area (EEA), the following additional provisions apply:
9.1 Legal Basis for Processing
We process your personal data based on the following legal bases:
- Contract performance: Processing necessary to provide the Service you requested
- Legitimate interests: Processing for fraud prevention, security, and service improvement
- Consent: Where you have given explicit consent (e.g., for marketing communications)
- Legal obligation: Processing required by law
9.2 International Data Transfers
Your data may be transferred to and processed in countries outside the EEA. When we transfer data internationally, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions for countries with adequate data protection
- Binding corporate rules where applicable
9.3 Data Protection Officer
For GDPR-related inquiries, contact us at Email us.
10. CCPA Compliance (California Users)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of personal information collected, used, and disclosed
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information, so this right does not apply
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise your CCPA rights, contact us at Email us.
11. Children's Privacy
The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at Email us.
12. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users without undue delay (within 72 hours where required by law)
- Provide information about the nature of the breach and data involved
- Describe the measures taken to address the breach
- Recommend steps you can take to protect yourself
- Report to relevant supervisory authorities as required by law
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this policy
- We will notify you via email or through a notice on the Service for significant changes
- Your continued use of the Service after changes constitutes acceptance of the updated policy
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at Email us.
We aim to respond to all inquiries within 30 days.