This Privacy Policy explains how Ecom Forward Studio, operated by ECOMFORWARD LLC (“Ecom Forward”, “we”, “us”), collects, uses, shares, and protects personal data when you visit studio.ecomforward.io, book a build call, or engage us to build a custom AI operations system. We handle personal data in line with applicable United States privacy laws and, where it applies to individuals in the EU or UK, the EU/UK General Data Protection Regulation (GDPR).
The business responsible for your personal data is:
For GDPR purposes, ECOMFORWARD LLC acts as the “controller” of the personal data described below. We are not required to appoint a statutory Data Protection Officer; you can reach us at the address above for any data protection matter.
During a build engagement we may be given access to operational data from your store and connected tools (for example Shopify, Klaviyo, Meta, Google, support inboxes). Where this data includes personal data of your customers or staff, we act as a processor / service provider on your behalf — see section 9.
Where the GDPR applies, our legal bases are noted below. In the United States, we process this data to provide and improve our services, communicate with you, and meet our legal obligations.
| Purpose | GDPR legal basis (Art. 6) |
|---|---|
| Responding to enquiries and scheduling/holding build calls | Steps prior to a contract at your request (6(1)(b)); legitimate interests (6(1)(f)) |
| Scoping, delivering, and supporting a build engagement | Performance of a contract (6(1)(b)) |
| Optional, cookieless, aggregate analytics (if enabled) | Consent (6(1)(a)) — declined by default; gathered via our banner |
| Securing the site, preventing abuse, keeping records | Legitimate interests (6(1)(f)) |
| Meeting legal, tax, and accounting obligations | Legal obligation (6(1)(c)) |
We do not use advertising or cross-site tracking cookies, and the site sets no non-essential cookies. We do not currently run analytics at all. If we ever enable analytics, it will be privacy-friendly and cookieless, and it will load only after you click “Accept” on our consent banner. If you click “Reject” (or take no action), no non-essential scripts are loaded. Your choice is remembered locally in your browser (via localStorage), which is strictly necessary to honour your preference and is not used for tracking. You can change your choice at any time by clearing your browser storage for this site.
We do not sell or rent personal data. We share data only with service providers who help us run the site and the service, under appropriate agreements. These currently include:
| Provider | Purpose |
|---|---|
| Vercel Inc. (USA) | Website hosting & delivery |
| Calendly LLC (USA) | Scheduling build calls |
| Google LLC — Google Workspace (USA) | Email, correspondence & document storage |
We may also disclose data where required by law, to enforce our terms, or to protect our rights, property, or safety.
We are based in the United States and our service providers are primarily located in the United States. If you are in the EU, the UK, or another region with data-transfer rules, your personal data will be transferred to and processed in the United States. Where required, we rely on an appropriate safeguard — typically the European Commission’s Standard Contractual Clauses (and the UK Addendum) and/or a provider’s certification under the EU–US Data Privacy Framework — together with supplementary measures where needed.
We apply appropriate technical and organisational measures, including encryption in transit (HTTPS), access controls on a need-to-know basis, the use of your own keys and stack for build work where possible, and the principle that nothing is published or actioned without your approval. No method of transmission or storage is perfectly secure, but we work to protect your data and to notify you and any relevant authority of a qualifying breach without undue delay.
When we build and operate AI workflows on your data, you are the controller (or “business”) and we act as your processor (or “service provider”). In that role we:
A separate Data Processing Agreement (DPA), including the current list of sub-processors for your build, is available on request and forms part of any engagement that involves processing personal data on your behalf. Contact info@ecomforward.io to request it.
Depending on where you live, you may have the right to: access your data; correct inaccurate data; delete data; restrict or object to processing; data portability; withdraw consent at any time (without affecting prior processing); and not be discriminated against for exercising these rights. To exercise any right, email info@ecomforward.io and we will respond within the timeframe required by applicable law (within one month under the GDPR).
If we process your personal data on behalf of a store you are a customer of, please direct your request to that store (the controller); we will support them in responding.
If you are in the EU or UK, you also have the right to lodge a complaint with your local data protection authority. US residents may have rights under state laws such as the CCPA/CPRA where applicable.
Our site and services are intended for businesses and are not directed at children. We do not knowingly collect personal data from anyone under 16.
We may update this policy from time to time. The “last updated” date above reflects the latest version. Material changes will be highlighted on this page.
Questions about this policy or your data? Email info@ecomforward.io or write to ECOMFORWARD LLC at the address in section 1.