Privacy Policy

Last updated: March 27, 2026

1. Introduction

Operator ("we", "us", "our"), operated via runoperator.ai, is an AI-powered business operations platform for DTC and ecommerce brands. We are based in Amsterdam, Netherlands, and we are committed to protecting your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

2. What We Collect

We collect the following categories of data:

  • Account information: email address, name, and password (hashed) when you create an account.
  • Business data: Shopify orders, revenue, product information, Meta Ads spend, campaign performance, and Klaviyo email/SMS metrics that you connect to our platform.
  • Platform credentials: API tokens and OAuth access tokens for your connected services (Shopify, Meta, Klaviyo). These are encrypted at rest and never stored in plain text.
  • Usage data: pages visited, features used, and interactions within the platform for the purpose of improving our service.
  • Payment information: processed securely by Stripe. We do not store credit card numbers on our servers.

3. How We Use Your Data

Your data is used to provide and improve our services:

  • Generating analytics dashboards and performance reports for your business.
  • Producing AI-generated operational reports, ad copy suggestions, and creative recommendations.
  • Sending alerts when your key metrics (ROAS, spend, inventory) require attention.
  • Processing payments and managing your subscription.
  • Communicating service updates, security notices, and support responses.

We do not sell your data to third parties. We do not use your business data to train AI models. Your data is used solely to provide services to you.

4. Third-Party Services

We integrate with or rely on the following third-party services:

  • Shopify API: to read your store orders, products, and revenue data.
  • Meta Marketing API: to read your ad campaign performance, spend, and creative data.
  • Anthropic (Claude AI):to generate reports, insights, and ad copy. Your business data may be sent to Anthropic's API for processing. Anthropic does not use API inputs to train models.
  • Stripe: to process subscription payments securely.
  • Resend: to deliver transactional emails (account verification, password resets, reports).

Each third-party service operates under its own privacy policy. We encourage you to review their policies.

5. Data Security

All data is stored in a PostgreSQL database with encryption at rest. API tokens and OAuth credentials are encrypted using industry-standard encryption before storage. All data in transit is protected via TLS. Access to production systems is restricted and monitored. We conduct regular security reviews of our infrastructure.

6. Your Rights

Under the GDPR and applicable privacy laws, you have the right to:

  • Access: request a copy of all personal data we hold about you.
  • Export: receive your data in a portable, machine-readable format.
  • Rectification: correct any inaccurate personal data.
  • Deletion: request deletion of your account and all associated data.
  • Credential revocation: disconnect any connected platform (Shopify, Meta, Klaviyo) at any time from your dashboard settings.
  • Objection: object to processing of your data for specific purposes.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7. Cookie Policy

We use essential cookies to maintain your session and authentication state. We do not use third-party tracking cookies or advertising pixels on our platform. Analytics, if used, rely on privacy-respecting, cookieless methods.

8. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete all associated personal and business data within 30 days. Anonymized, aggregated data that cannot identify you may be retained for analytics purposes.

9. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will notify you via email or through a notice on our platform. The "Last updated" date at the top of this page reflects when the policy was last revised.

10. Contact

If you have any questions about this privacy policy or our data practices, contact us at:

Operator
Amsterdam, Netherlands
[email protected]