[ Legal ]

Privacy Policy

This policy explains what data Refractr AI collects, how we use it, and your rights.

Effective date: 4 May 2026

1. Who We Are

This Privacy Policy applies to Refractr AI, a trading name of Alwan Technologies Ltd (Company No. 16764007), registered in England and Wales. You can contact us at support@refractrai.com.

Refractr ("we", "us", "our") operates the Refractr e-commerce growth platform. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and the choices you have — including how to request deletion.

2. Data We Collect

We collect and process the following categories of data to operate and improve the Service:

Account and profile data

  • Name and email address, provided when you register.
  • Authentication credentials, managed by our authentication provider.
  • Subscription status, plan tier, and credit balance.
  • Billing information, processed by our third-party payment provider (we do not store full card numbers).

Product and content data

  • Products you create, including names, descriptions, images, pricing, and audience information.
  • Ad creatives, copy, hooks, and imagery you generate or upload.
  • Campaign configurations, targeting parameters, budgets, and schedules.
  • Shopify store pages and landing funnels you generate through the Service.
  • Saved ads, bookmarks, filters, and Ad Library search activity you create in the Service. This is stored as part of your workspace and does not depend on you connecting a Meta account; it is separate from Meta Ads Manager data below.
  • Workflow state, including the steps you have completed or paused.

Meta Ads Manager (only if you connect Meta)

  • OAuth tokens and refresh metadata for your Meta connection. Access tokens used to call the Meta Marketing API are stored encrypted at rest.
  • Ad account IDs and related identifiers you select or that we display after you connect (for example account names or IDs needed to run Ads Manager features).
  • Campaign, ad set, and ad identifiers, creative references, and performance or delivery fields returned by the Meta Marketing API when you use Ads Manager features.
  • We use this data only to provide Ads Manager functionality you initiate. Connecting Meta is optional and is not used to power Ad Library browsing or competitor search inside the product.

Shopify (only if you connect a store)

  • OAuth tokens and connection metadata for your Shopify store. Sensitive tokens are encrypted at rest.
  • Store identifiers, scopes granted, and data needed to create or update themes, navigation, products, or pages as you request through the Service.

Usage and technical data

  • Log data including IP addresses, browser type, device identifiers, and pages visited.
  • Feature usage patterns to understand how the Service is used and to improve it.
  • Error reports and diagnostic information.

3. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and maintain the Service, including running AI workflows, generating content, and managing integrations on your behalf.
  • Manage your account, subscription, and credit balance.
  • Process payments and issue invoices via our payment provider.
  • Send transactional communications such as account notifications, billing alerts, and workflow status updates.
  • Respond to support requests.
  • Detect, investigate, and prevent abuse, fraud, and policy violations.
  • Analyse usage to improve the Service and develop new features.
  • Comply with legal obligations.
  • Where you have connected Meta Ads Manager, to authenticate, maintain your connection, and call the Meta Marketing API only to carry out actions you initiate (such as publishing or editing campaigns and reading delivery or performance information shown in the Service).

4. Sharing with Third Parties

We do not sell your personal data. We may share your data with third-party service providers (subprocessors) as necessary to operate the Service. These include:

  • Authentication and database providersto store your account and application data securely.
  • AI providersto process product descriptions, ad copy requests, image generation prompts, and other inputs you submit through the Service. Inputs you provide may be sent to AI APIs to generate outputs.
  • Payment processorsto handle billing, subscriptions, and invoicing.
  • Hosting and infrastructure providersto run the Service reliably.
  • Analytics and logging providersto monitor performance, diagnose errors, and understand usage patterns.
  • Metaonly when you connect Meta Ads Manager: we send API requests and receive responses as needed for the features you use. Meta processes data under Meta's own policies.
  • Shopifyonly when you connect a store: we send API requests and receive responses as needed for the features you use. Shopify processes data under Shopify's own policies.

We may also share data if required by law, court order, or to protect the rights, property, or safety of Refractr, its users, or the public.

5. Data retention and deletion

We retain your account and application data for as long as your account is active so we can provide the Service.

You may delete individual content (such as products, creatives, or saved items) where the Service provides controls. Deleting content removes it from active databases used by the product; residual copies in encrypted backups may persist for a limited period and are then overwritten according to our hosting provider's backup cycle.

Account and associated data deletion: where the Service offers permanent account deletion in your account settings, you may use that control. For the standard email process (including the subject line you must use), what we delete, typical timelines, identity verification, and exceptions, see our dedicated Data deletion page in the Company section of this website (/company/data-deletion). That page forms part of our transparency commitments together with this Privacy Policy.

We may retain certain records after account deletion where the law requires it (for example limited billing and tax records), or where necessary to establish, exercise, or defend legal claims or prevent fraud. Such retention is minimised and not used to market to you.

If you connected Meta or Shopify, disconnecting or revoking access in the Service or in the third-party platform stops new data sync from that connection. Meta and Shopify will continue to hold information under their own retention policies for accounts and ads you created on their systems.

6. Security

We implement reasonable technical and organisational measures to protect your data, including encryption of sensitive credentials at rest and in transit.

However, no system is completely secure. We cannot guarantee that unauthorised access, data breaches, or data loss will never occur. You use the Service at your own risk and should avoid storing highly sensitive personal data — such as financial account numbers or government-issued identifiers — within the platform.

7. AI Processing and Your Content

When you use AI-powered features, inputs you provide — such as product descriptions, images, competitor URLs, and creative briefs — may be sent to third-party AI APIs to generate outputs. These providers operate under their own terms and data policies.

AI-generated outputs (copy, images, research, recommendations) may be inaccurate, incomplete, or unsuitable for their intended purpose. You are responsible for reviewing all AI-generated content before using it commercially.

8. Your rights and data deletion requests

Depending on where you live, you may have rights to access, correct, object to certain processing, port a copy of data you provided, or request deletion of your personal data.

For account-level deletion and associated data removal, follow the instructions on our Data deletion page (/company/data-deletion), including the required email subject line when contacting support@refractrai.com. For other privacy rights (for example access or correction that is not covered there), email support@refractrai.com from the email address on your account and describe your request. We may ask for reasonable information to confirm your identity before acting.

We will respond to verifiable requests within a reasonable period. If we decline a request (for example because we cannot verify you, or because an exception applies), we will explain why.

Deletion of your Refractr account does not delete advertising accounts, campaigns, or ads on Meta or products in Shopify; manage or delete those directly with the relevant platform if needed.

9. Cookies and Tracking

We may use cookies and similar technologies to maintain sessions, remember preferences, and analyse usage. Essential cookies are necessary for the Service to function. We do not currently use third-party advertising cookies or cross-site tracking cookies.

10. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice in the Service before the changes take effect.

12. Contact

For privacy-related questions, data requests, or concerns, please contact us at support@refractrai.com.

For deletion of your account and associated data, use the process described on our Data deletion page (/company/data-deletion).