Legal

Privacy Policy

Last updated: 12 April 2026

Short version: We collect only what we need to operate Ralph. We never sell your data. We never share it with third parties for advertising. Your store data stays yours.

1. Who We Are

Ralph AI Ltd ("Ralph", "we", "our") operates the Ralph eCommerce intelligence platform at ralph.ai. We are incorporated in England and Wales. Our registered address is available on request.

2. Data We Collect

2.1 Account Information

When you sign up, we collect your name, email address, and billing information. Billing is handled by Stripe — we do not store card numbers.

2.2 Store Data

When you connect your Shopify store, Ralph reads the following via OAuth:

Orders, products, inventory, and customer data (for intelligence processing)
Metafields and collections (for campaign management)
Storefront and theme settings (read-only, for SEO recommendations)

This data is processed to generate intelligence, campaigns, and recommendations. It is stored encrypted in our database (AES-256-GCM) and never shared with third parties.

2.3 Connected Platforms

If you connect Google Analytics 4, Google Search Console, Meta Ads, or Klaviyo, we access those platforms via their respective OAuth flows. We read performance data only — we do not modify your accounts without your explicit instruction.

2.4 Voice Commands & Conversations

Voice commands and chat conversations with Ralph are processed by Anthropic's Claude API. Conversation content may be retained for up to 30 days for conversation memory features. You can clear your conversation history at any time in Settings.

2.5 Usage Data

We collect standard usage telemetry (page views, feature usage, error logs) to improve the product. This is anonymised and aggregated. We use Pino for server-side logging. Logs are retained for 90 days.

3. How We Use Your Data

To provide the Ralph intelligence platform and execute actions you request
To generate campaigns, copy, pricing recommendations, and briefings
To run background jobs (intelligence updates, monitoring, notifications)
To send transactional emails (alerts, digests, account updates)
To improve our AI models and product features (using anonymised, aggregated data only)
To comply with legal obligations

4. Data Sharing

We share your data with:

Anthropic — for AI inference (Claude models). Subject to Anthropic's commercial data processing terms.
Google (Gemini) — for image generation. Subject to Google's API terms.
Stripe — for payment processing. We are PCI-compliant.
AWS / hosting providers — for infrastructure. Data is stored in eu-west-1 (Ireland) by default.

We do not sell, rent, or share your data with advertising networks, data brokers, or any third party for marketing purposes.

5. Data Retention

Account data: Retained for the duration of your subscription, plus 30 days after cancellation
Store/order data: Retained and regularly refreshed during active subscription
Conversation history: 30 days rolling window (configurable in Settings)
Logs: 90 days
Backups: 7-day rolling encrypted backups

6. Your Rights (UK GDPR)

Under UK GDPR, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — correct inaccurate personal data
Erasure — request deletion of your data ("right to be forgotten")
Portability — receive your data in a machine-readable format
Objection — object to processing based on legitimate interests
Restriction — request we limit processing of your data

To exercise any of these rights, email privacy@ralph.ai. We will respond within 30 days.

7. Security

We take security seriously:

All data encrypted at rest (AES-256-GCM) and in transit (TLS 1.3)
JWT authentication with rotating secrets
Rate limiting and anonymous request throttling
Circuit breakers on all third-party API calls
Regular dependency audits
Database access logged and monitored

If you discover a security vulnerability, please report it to security@ralph.ai.

8. Cookies

Ralph uses minimal cookies: a session cookie (essential, httpOnly, secure), and optional analytics cookies (Google Analytics 4 in anonymised mode). You can disable analytics cookies in your browser settings.

9. Changes to This Policy

We will notify active users by email at least 14 days before any material changes to this policy take effect.

10. Contact

For privacy questions: privacy@ralph.ai
For general enquiries: hello@ralph.ai