Disro Privacy Policy
Last updated: March 5, 2026
1. Who We Are
This Privacy Policy describes how Disro, Inc. ("Disro," "we," "us," or "our"), a company incorporated in Delaware, United States with offices at 1007 N Orange St. 4th Floor, Suite #5295, Wilmington, Delaware 19801, United States, collects, uses, and shares information when you use the Disro application and website at disro.com (collectively, the "Service").
For questions about this policy, contact us at privacy@disro.com.
2. What Information We Collect
2.1 Information You Provide
- Account information: When you connect your Shopify store, we receive your Shopify store URL, email address, and store name via Shopify OAuth.
- Billing information: If you subscribe to a paid plan, Stripe collects and processes your payment information. Disro does not store credit card numbers or payment details.
- Communications: If you contact us via support@disro.com or through our in-app chat, we retain those communications.
2.2 Information We Collect from Your Shopify Store
When you connect your Shopify store, Disro requests the following Shopify API permissions:
- read_products — to read product titles, descriptions, images, alt text, SEO metadata, tags, and status
- write_products — to publish approved content fixes back to your store
- read_product_listings — to access product listing data for analysis
Store information: Store name and store URL, provided automatically via Shopify OAuth.
While the read_products API scope may expose certain fields such as pricing and inventory data, Disro does not use, store, or process those fields. We access only: product titles, descriptions, images, alt text, SEO metadata, tags, and status. We do not access or use: customer personal data, order history, revenue data, or financial data.
2.3 Usage Data
We automatically collect certain information when you use the Service:
- Browser type, operating system, and device type
- IP address (anonymized after 90 days)
- Pages visited and features used within the Disro application
- Error logs and performance data (via Sentry)
3. How We Use Your Information
3.1 Lawful Basis for Processing (GDPR)
If you are located in the EEA, UK, or Switzerland, Disro processes your personal data under the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Providing the Service (catalog audit, fixes, publishing) | Performance of a contract (Art. 6(1)(b)) — necessary to deliver the Service you subscribed to |
| Billing and subscription management | Performance of a contract (Art. 6(1)(b)) |
| Security monitoring, fraud prevention | Legitimate interests (Art. 6(1)(f)) — protecting our systems and merchants |
| Analytics and service improvement (aggregated, anonymized) | Legitimate interests (Art. 6(1)(f)) — improving the Service |
| Marketing communications | Consent (Art. 6(1)(a)) — only if you have opted in |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
You may withdraw consent for marketing communications at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
3.2 Controller and Processor Roles
- Merchant store content: When Disro processes your Shopify product content to provide audits, fixes, and publishing, Disro acts as a data processor and you (the merchant) act as the data controller.
- Account and billing data: For account administration (e.g., contact email, support communications, billing), Disro acts as a data controller.
Where required by applicable law, we offer a Data Processing Addendum (DPA) upon request at legal@disro.com.
3.3 How We Use Your Information
We use the information we collect to:
- Provide the Service: Analyze your product catalog, generate AI readiness scores, produce content rewrites, and publish approved changes to your Shopify store.
- Improve the Service: Analyze aggregate, anonymized usage patterns to improve our AI models and product features. We do not use your specific product content to train AI models without your consent.
- Communicate with you: Send product updates, support responses, and — if you opt in — marketing communications.
- Process billing: Manage your subscription via Stripe.
- Ensure security: Detect and prevent fraud, abuse, and technical issues.
- Comply with legal obligations: Respond to lawful requests from authorities.
4. AI Content Processing
When you request a product fix, Disro sends your product content (title, description, images) to OpenRouter, an AI routing service that routes requests to OpenAI, Anthropic, and Google AI services depending on the model used.
- No storage by default: According to OpenRouter's documentation, OpenRouter does not store prompts or responses by default.
- No model training: According to OpenRouter's terms and those of its upstream providers, API data is not used for model training.
- Disro uses OpenRouter's Zero Data Retention (ZDR) mode where available, which according to OpenRouter's documentation ensures data is deleted by upstream providers immediately after a response is returned.
- Product content processed via OpenRouter is subject to the OpenRouter Privacy Policy.
- Content sent for processing is not retained by Disro beyond what is necessary to display your fix preview and publish history.
5. How We Share Your Information
We do not sell your personal information. We share data only as follows:
5.1 Service Providers (Data Processors)
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Billing info (not stored by Disro) |
| Supabase (US-East-1, AWS Virginia) | Database and authentication | Store data, product scores, fix history |
| Vercel (US-East) | Application hosting | All application traffic |
| Sentry | Error monitoring | Error logs, anonymized usage data |
| OpenRouter | AI model routing (may route to OpenAI, Anthropic, Google AI) | Product content submitted for fixes |
5.2 Legal Requirements
We may disclose your information if required by law, court order, or to protect the rights, property, or safety of Disro, our merchants, or the public.
5.3 Business Transfers
If Disro is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service.
6. Data Retention
- Product data and audit scores: Retained for the duration of your active subscription. Upon cancellation, you have 30 days to export your data, after which it is permanently deleted.
- Fix history: Retained while your account is active and for 30 days post-cancellation.
- Error logs: Retained for 90 days, then purged.
- Analytics data: Retained in aggregated, anonymized form for 12 months.
- Billing records: Retained as required by law (typically 7 years).
Account deletion — two scenarios:
- Uninstall without cancelling: When you uninstall Disro from your Shopify store, a Shopify webhook automatically triggers data deletion. Your store data is purged within 48 hours of uninstall.
- Cancellation without uninstalling: If you cancel your subscription but keep the app installed, your data is retained for 30 days to allow data export. After 30 days, your data is permanently deleted.
- Both uninstall and cancel: The 48-hour purge applies — the shorter timeline takes precedence.
To request immediate deletion at any time, email privacy@disro.com.
7. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Disro will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR (Art. 33).
- Notify affected merchants without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34).
- Notifications will include: the nature of the breach, categories of data affected, approximate number of individuals affected, likely consequences, and measures taken or proposed.
To report a suspected security incident, contact security@disro.com.
8. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.2+) and at rest
- Row-level security in our database (Supabase RLS)
- Access controls limiting employee access to merchant data
- Automated security monitoring via Sentry
Your product data is isolated — no other merchant can access your store's data.
No method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
9. Automated Decision-Making
Disro's AI scoring system automatically evaluates each product in your catalog and assigns an AI readiness score. This automated scoring:
- Affects how products are displayed within the Disro dashboard (prioritized for review/fixing).
- Does not produce legal or similarly significant effects on you as a merchant — the score is informational only. You decide whether to accept, edit, or reject any AI-generated fix.
- Is not used to make decisions about your subscription, pricing, or account status.
In accordance with GDPR Article 22, you have the right to:
- Request human review of any automated score you believe is inaccurate.
- Contest a score and request re-evaluation.
To exercise these rights, contact privacy@disro.com.
10. International Data Transfers
Disro is hosted on infrastructure located in the United States — Vercel (US-East) and Supabase (US-East-1, AWS Virginia). If you are located in the European Economic Area (EEA), UK, or Switzerland, your data is transferred to and processed in the United States.
Where we transfer data outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with our service providers
To request a copy of our DPA or SCCs, contact privacy@disro.com.
11. Your Rights
Depending on your location, you may have the following rights:
GDPR (EEA/UK residents)
- Access: Request a copy of the data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Portability: Request your data in a machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Restriction: Request that we limit processing of your data.
- Withdraw consent: Withdraw consent for consent-based processing at any time.
- Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. In the EU, find your authority at edpb.europa.eu. In the UK: ico.org.uk. We encourage you to contact us first at privacy@disro.com so we can try to resolve your concern directly.
CPRA (California residents)
Under the California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, use, disclose, and share.
- Right to delete personal information we have collected.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information (we do not collect sensitive personal information as defined by CPRA).
- Right to non-discrimination for exercising your rights.
To verify your identity: We will verify your request by confirming the email address associated with your Shopify store account. For deletion requests, we may require additional verification to prevent unauthorized deletion.
To exercise any of these rights, email privacy@disro.com. We will respond within 45 days. We may extend this period by an additional 45 days where reasonably necessary, with notice.
12. Cookies
Disro uses cookies and similar tracking technologies to:
- Maintain your session after login
- Remember your preferences
- Monitor application performance (via Vercel Analytics)
- Track errors and exceptions (via Sentry)
We do not use Google Analytics, third-party advertising trackers, or cross-site tracking cookies.
You can control cookies through your browser settings. Disabling cookies may affect your ability to log in and use the Service.
13. Children's Privacy
The Service is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, contact privacy@disro.com.
14. Links to Third-Party Sites
The Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites. This policy applies only to disro.com and the Disro application.
15. Shopify App Store
Disro is distributed through the Shopify App Store. By installing Disro, you also agree to Shopify's Terms of Service and Privacy Policy. Disro's use of information received via Shopify OAuth complies with the Shopify API Terms of Service.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy at disro.com/privacy with a new "Last updated" date
- Sending an email to the address associated with your account
Continued use of the Service after changes constitutes acceptance of the updated policy.
17. Contact
Privacy inquiries: privacy@disro.com
General support: support@disro.com
Mailing address: 1007 N Orange St. 4th Floor, Suite #5295, Wilmington, Delaware 19801, United States
Company: Disro, Inc.
This policy was last updated on March 5, 2026.