Privacy Policy

This Privacy Policy describes how Sellium ("we", "us", "our") collects, uses, and shares personal information when you use the Sellium platform, website, and related services (the "Service"). We are committed to protecting your privacy and complying with applicable data protection laws including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Who We Are

Sellium is a software-as-a-service (SaaS) platform providing e-commerce, marketing, and AI tools to direct-to-consumer brands. For the purposes of data protection law, Sellium acts as:

• Data Controller for personal data of our direct customers (e.g., business owners who sign up for Sellium).
• Data Processor for personal data of our customers' end users (e.g., shoppers on tenants' storefronts), processed on behalf of our customers.

2. Information We Collect

Information you provide directly

• Account information: name, business name, email, password (hashed), subscription plan.
• Billing information: payment card details (processed and stored by Stripe, not by us), billing address.
• Content: products, images, ad copy, customer data you upload, messages you send via our platform.
• Support requests: correspondence with our support team.

Information collected automatically

• Usage data: pages visited, features used, timestamps, clickstream data.
• Device and browser data: IP address, browser type, operating system, device identifiers.
• Cookies and similar technologies: session cookies, authentication tokens, analytics cookies.
• AI usage logs: prompts submitted, tokens consumed, costs, model used (retained for billing and abuse-prevention purposes).

Information from third parties

• Authentication providers (if you sign in with a third-party identity).
• Payment processors confirming successful charges.
• Ad platforms (Meta, Google, TikTok) when you connect your accounts, for purposes of campaign management and attribution.

3. How We Use Information

• Provide, maintain, and improve the Service.
• Process payments and manage subscriptions.
• Generate AI content (ad copy, videos, landing pages) at your request.
• Send transactional emails (welcome, password reset, invoices, trial expiry).
• Send product updates and marketing emails (opt-out available at any time).
• Detect and prevent fraud, abuse, and security incidents.
• Comply with legal obligations (tax, accounting, law enforcement requests).
• Aggregate usage data for analytics, research, and improving the Service (in anonymized form where possible).

4. Legal Bases for Processing (GDPR)

• Contract: to provide the Service you have subscribed to.
• Legitimate interest: to protect our business, prevent fraud, and improve our offering.
• Consent: for marketing emails, optional cookies, and certain data processing you have opted into.
• Legal obligation: to comply with tax, regulatory, and law-enforcement requirements.

5. Subprocessors (Who We Share Data With)

We use the following third-party service providers ("subprocessors") to operate the Service. They are contractually bound to protect your data:

We do not sell your personal information to third parties.

6. International Data Transfers

Some of our subprocessors are located outside the European Economic Area (EEA) or the United Kingdom. When we transfer personal data outside of these regions, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other legal transfer mechanisms as required by GDPR.

7. Data Retention

• Account data: retained while your account is active and for 90 days after cancellation.
• Billing records: retained for 7 years for tax and legal compliance.
• AI usage logs: retained for 12 months for billing reconciliation and abuse detection.
• Marketing data: retained until you opt out or request deletion.
• Customer data uploaded by you: retained while you use the Service, exportable for 30 days after cancellation, then deleted.

8. Your Rights

Subject to applicable law, you have the following rights regarding your personal information:

• Access: request a copy of the data we hold about you.
• Rectification: correct inaccurate or incomplete data.
• Erasure ("right to be forgotten"): request deletion of your data, subject to legal retention requirements.
• Portability: receive your data in a machine-readable format for transfer to another service.
• Restriction: limit how we process your data in certain circumstances.
• Objection: object to processing based on legitimate interest, including direct marketing.
• Withdraw consent: where processing is based on consent, withdraw it at any time.
• Complain: file a complaint with your local data protection authority.

California residents (CCPA/CPRA): You have the right to know what personal information we collect; the right to delete personal information; the right to correct inaccurate personal information; the right to limit the use of sensitive personal information; and the right to opt out of the sale or sharing of your personal information. Sellium does not sell or share your personal information as those terms are defined under CCPA/CPRA. We do not process your data for cross-context behavioral advertising purposes without your explicit consent.

To exercise any of these rights, email us at privacy@sellium.app with the subject line "Data Subject Request" and include enough information for us to verify your identity. We will respond within 30 days (GDPR) or 45 days (CCPA, with possible 45-day extension). You also have the right to not be retaliated against for exercising your privacy rights.

Business customers: if you need a signed Data Processing Addendum (DPA), see our DPA page or email privacy@sellium.app.

9. Cookies

We use cookies and similar technologies for:

• Essential cookies: authentication, session management, security. Required for the Service to function.
• Functional cookies: remember your preferences (theme, plan selection).
• Analytics cookies: understand how the Service is used (aggregated and anonymized where possible).
• Marketing cookies: used by our ad platform integrations with your consent.

You can manage cookie preferences anytime using the Cookie preferences link in our footer, or via your browser settings. Essential cookies cannot be disabled because they are required for the Service to function. Optional analytics and marketing cookies are off by default until you explicitly consent.

10. Security

We implement reasonable technical and organizational measures to protect your data, including:

• Encryption in transit (TLS 1.2+) and at rest;
• Strong authentication (SHA-256 password hashing, rate limiting);
• Network security (Cloudflare DDoS protection, WAF);
• Access controls (role-based access, least-privilege principle);
• Regular security audits and vulnerability scanning.

No system is 100% secure. We will notify you of data breaches affecting your personal information without undue delay as required by applicable law.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we learn we have collected such data, we will delete it.

12. AI and Automated Processing

The Service uses AI (Anthropic Claude, Creatify, and similar providers) to generate content at your request. AI-generated outputs may contain errors or reflect biases in training data. We do not use your private data to train third-party AI models. Your prompts and generated content are processed by our AI subprocessors subject to their privacy terms.

13. Changes to This Policy

We may update this Privacy Policy. Material changes will be communicated by email or in-product notice at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent version.

14. Contact Us

Questions or requests regarding your privacy:

• Privacy email: privacy@sellium.app
• General support: support@sellium.app
• Data Protection Officer: dpo@sellium.app (for GDPR inquiries)