Short version. We collect only what we need to operate Ralph. We never sell your data. We never share your data with third parties for their own advertising. Data accessed via Shopify, Meta, or Google APIs is used solely to provide the features you asked for — never to train general-purpose models, build advertising profiles, or enrich data for other customers.
01 Who We Are
Ralph AI Ltd ("Ralph", "we", "our", "us") operates the Ralph eCommerce intelligence platform at ralph.ai and mustberalph.com. We are incorporated in England and Wales. Our registered address and company number are available on request at rocketman@mustbeagency.com.
For the purposes of UK GDPR and EU GDPR, Ralph AI Ltd is the data controller for account and billing data, and a data processor for store data you connect via Shopify, Meta, Google, and similar platforms.
02 Data We Collect
2.1 Account information
When you sign up we collect your name, work email, company name, and billing details. Billing is handled by Stripe — we do not store card numbers.
2.2 Usage telemetry
We collect standard telemetry (page views, feature usage, error logs, device/browser metadata). Server logs use Pino and are retained for 90 days.
2.3 Conversation & voice data
Voice commands and chat conversations with Ralph are processed by Anthropic's Claude API under Anthropic's commercial data-processing terms (no training on your inputs). Conversation content is retained for up to 30 days to power Ralph's memory feature. You can clear conversation history at any time in Settings.
2.4 Connected platform data
When you connect Shopify, Meta (Facebook/Instagram), Google Ads, Google Analytics 4, Google Search Console, Google Merchant Center, Klaviyo, or similar platforms, we access data via each platform's official OAuth flow. The scope of that access is detailed in sections 4, 5, and 6.
03 How We Use Your Data
- To operate the Ralph platform and execute actions you request
- To generate campaigns, copy, pricing recommendations, briefings, and reports
- To run background jobs (intelligence refreshes, monitoring, notifications)
- To send transactional communications (alerts, digests, account updates)
- To improve and secure the Service (using aggregated, de-identified data only)
- To comply with legal obligations
We do not use data obtained through Shopify, Meta, or Google APIs to train general-purpose AI/ML models, to serve advertising, to build or enrich profiles for other customers, or for any purpose unrelated to the feature the data was collected for.
04 Shopify Data
When you install the Ralph app to your Shopify store, we request OAuth scopes sufficient to provide the features you enable. These may include: read_products, write_products, read_orders, read_customers, read_inventory, read_content, write_content, read_themes, write_price_rules, read_discounts, write_discounts, read_marketing_events, write_marketing_events, read_analytics.
Data accessed includes orders, line items, products, variants, inventory, metafields, customers (name, email, order history), collections, themes (read-only unless you approve edits), discounts, and blog/page content.
Protected Customer Data. Ralph complies with Shopify's Protected Customer Data rules (Level 1 and Level 2 where applicable). Customer personal data (PII) is encrypted at rest with AES-256-GCM, processed only for the specific merchant that owns it, never combined across merchants, never used for advertising, and is purged on uninstall within 48 hours (with a final 30-day backup retention window required for disaster recovery).
Uninstall. When you uninstall the Ralph app from Shopify, we receive the app/uninstalled webhook and automatically purge your store's data according to Shopify's mandatory webhooks: customers/data_request, customers/redact, and shop/redact. Full deletion completes within 30 days of uninstall.
05 Google API Services & OAuth
Ralph integrates with Google Ads, Google Analytics 4, Google Search Console, and Google Merchant Center via Google OAuth 2.0. You grant these scopes explicitly during connection, and you can revoke them at any time at myaccount.google.com/permissions.
Limited Use commitments
Ralph's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, data obtained from Google APIs is used only to:
- Provide or improve user-facing features that are prominent in Ralph's interface (campaign performance, SEO recommendations, shopping feed health, analytics dashboards, conversion tracking).
Data obtained from Google APIs is not:
- Transferred to others, except as necessary to provide or improve these user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with user notice.
- Used to serve advertising, including retargeting, personalised, or interest-based advertising.
- Read by humans, unless we obtain your affirmative agreement, it is necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or the data is aggregated and used for internal operations in line with applicable privacy requirements.
- Used to develop, improve, or train generalised AI/ML models. Claude and Gemini, when invoked by Ralph, do not retain or train on Google API data.
Scopes we request (when you connect the relevant integration):
- Google Ads API — adwords (manage campaigns, read performance)
- Google Analytics 4 — analytics.readonly (read traffic & conversion data)
- Google Search Console — webmasters.readonly (read search performance)
- Google Merchant Center — content (read feed health, optionally write fixes)
- Basic profile — openid email profile (to identify the connecting user)
06 Meta Platform Data (Facebook & Instagram)
When you connect Meta Ads, we use Facebook Login and request permissions sufficient to read ad account performance and, optionally, to publish campaigns you approve. Typical permissions: ads_management, ads_read, business_management, pages_show_list, pages_read_engagement, instagram_basic, instagram_manage_insights, catalog_management.
Ralph complies with the Meta Platform Terms and Developer Policies:
- We use Platform Data solely to provide or improve the integration features you enabled (campaign creation, performance reporting, audience analysis, creative optimisation).
- We do not sell or license Platform Data, and do not transfer it to data brokers, advertising networks, or information resellers.
- We do not use Platform Data for eligibility decisions (credit, housing, employment, insurance) or for surveillance.
- We protect Platform Data with administrative, physical, and technical safeguards consistent with Meta's Data Protection Assessment requirements.
- We do not combine Platform Data from one merchant with data from another merchant for any cross-merchant purpose.
Data deletion for Meta users. You can request deletion of your Meta-sourced data at any time by emailing rocketman@mustbeagency.com, by revoking Ralph's access at facebook.com/settings?tab=business_tools, or by using the automated data-deletion endpoint described at Section 9 (Data Deletion). We honour Meta's Data Deletion Request Callback and will purge Platform Data within 30 days.
07 Data Sharing & Sub-processors
We share data with the following sub-processors, each under written data-processing terms:
- Anthropic PBC — Claude AI inference. Commercial terms: no training on inputs, 30-day maximum retention.
- Google LLC — Gemini image generation (when you generate creative). Input prompts and store-context are processed per Google's Gemini API terms.
- Stripe, Inc. — payment processing. Stripe is PCI-DSS Level 1.
- Railway, Inc. — application hosting (backend, PostgreSQL, Redis).
- Vercel, Inc. — frontend hosting and edge CDN.
- AWS (Amazon Web Services) — object storage and encrypted backups, eu-west-1 (Ireland).
- Resend / Postmark — transactional email delivery.
- ElevenLabs — voice synthesis for morning briefings (audio only; text never stored by ElevenLabs beyond session).
We do not sell, rent, or share your data with advertising networks, data brokers, or any third party for their own marketing purposes.
08 Data Retention
- Account data: Duration of your subscription plus 30 days
- Store/order/customer data: Refreshed throughout your active subscription; purged within 30 days of uninstall or account closure
- Conversation history: 30-day rolling window (configurable in Settings)
- Server logs: 90 days
- Backups: Encrypted 7-day rolling; full purge within 30 days of account deletion
- Billing records: 7 years (UK tax law)
09 Data Deletion
You can request deletion of all data Ralph holds about you or your store at any time. The full erasure protocol — three routes, platform endpoints, what's purged, what (little) we keep, step-by-step — lives on its own page so platform reviewers and users can find it in one click.
→ Go to the Data Deletion centre. Request deletion, see the purge process, get the Meta / Shopify / Google endpoints, and read our written-confirmation commitment.
Summary (for quick reference)
- Email. Send a one-liner to rocketman@mustbeagency.com with the subject "Data Deletion Request".
- Automatic. Uninstall Ralph from your Shopify admin — Shopify fires shop/redact and customers/redact and Ralph starts the purge, no action required on your side.
- Platform. Revoke Ralph's access in Meta Business Settings or at myaccount.google.com/permissions.
Platform deletion endpoints
Ralph exposes the following endpoints to comply with platform requirements (for reviewers and integrators):
- Shopify mandatory webhooks: customers/data_request, customers/redact, shop/redact (HMAC-verified, 30-day completion).
- Meta Data Deletion Request Callback URL: https://api.mustberalph.com/webhooks/meta/data-deletion.
- Google user data deletion: in-app flow (Settings → Privacy → "Delete my data"), completed within 30 days.
Commitment
On receipt, we purge personal data within 30 days (often within hours), with the sole exception of (a) encrypted backups on a 7-day rolling window, and (b) records we are legally required to retain (e.g. invoices on HMRC's seven-year clock). You will receive written email confirmation when deletion completes. Full details and the step-by-step are on the Data Deletion centre.
10 International Transfers
Ralph processes data primarily in the UK and EU (eu-west-1, Ireland). Where data is transferred outside the UK/EEA (e.g. to Anthropic or Stripe in the United States), we rely on the UK International Data Transfer Addendum and/or EU Standard Contractual Clauses, supplemented by technical measures (encryption in transit and at rest).
11 Your Rights (UK & EU GDPR, CCPA)
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Restrict — request we limit processing
- Withdraw consent — where processing is based on consent
- Lodge a complaint — with the UK ICO (ico.org.uk) or your local EU supervisory authority
California residents (CCPA/CPRA) have additional rights, including the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. Ralph does not sell or share personal information as those terms are defined under CCPA.
To exercise any right, email rocketman@mustbeagency.com. We respond within 30 days.
12 Security
- All data encrypted at rest (AES-256-GCM) and in transit (TLS 1.3)
- OAuth tokens stored encrypted with per-tenant key derivation
- JWT authentication with rotating secrets; HMAC verification on all webhooks
- Rate limiting, anonymous request throttling, and circuit breakers on all third-party APIs
- Principle of least privilege for staff access; all database access logged
- Annual penetration testing and continuous dependency auditing
- Formal incident response plan; breach notification within 72 hours where required
Report vulnerabilities to rocketman@mustbeagency.com.
13 Children
Ralph is a business tool and is not directed to, or intended for, anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact rocketman@mustbeagency.com and we will delete it.
14 Cookies
Ralph uses minimal cookies: an essential session cookie (httpOnly, secure, SameSite=Lax) and optional analytics cookies (Google Analytics 4 in IP-anonymised mode). You can decline analytics cookies at first visit or in Settings.
15 Changes to This Policy
We notify active users by email at least 14 days before any material change. The "Last updated" date at the top of this page reflects the most recent revision.
16 Contact
Privacy & data requests: rocketman@mustbeagency.com
Security: rocketman@mustbeagency.com
Legal: rocketman@mustbeagency.com
General: rocketman@mustbeagency.com
Ralph AI Ltd, London, United Kingdom.