Privacy Policy
Effective: April 29, 2026
This Privacy Policy describes how Atolio ("we", "us", "our") collects, uses, and protects personal information when you use our services. We are committed to protecting your privacy and complying with applicable data protection laws, including the Japanese Act on the Protection of Personal Information (APPI), the European Union General Data Protection Regulation (GDPR), the United Kingdom Data Protection Act, and the California Consumer Privacy Act (CCPA).
1. Who We Are
Atolio is a Shopify store optimization service operated by Arata Horie, an independent business operator based in Japan. For contact details, please refer to our Legal Notice page.
For all privacy-related inquiries, you may contact us at: info@atolio-plus.com
2. Information We Collect
2.1 Information you provide directly
- Name and contact information (email address, phone number when provided)
- Billing address (collected by our payment processor Stripe)
- Shopify store domain and credentials granted via Shopify OAuth
- Communications you send to us (emails, messages, feedback)
2.2 Information collected automatically
- Store HTML content, page structure, and metadata from your Shopify storefront (collected via automated scans you authorize)
- Performance metrics from Google PageSpeed Insights API related to your store
- Server logs containing IP addresses, timestamps, and access information
- Anonymous diagnostic data and usage analytics
2.3 Information from third parties
- Payment metadata from Stripe (transaction ID, payment status, last 4 digits and brand of payment card — we do not receive or store full card numbers)
- Shopify store metadata accessible via the permissions you grant during app installation
3. How We Use Your Information
We use your personal information for the following purposes:
- Service delivery: Operating the diagnostic tool, generating improvement recommendations, and implementing changes to your store as part of our service
- Communication: Sending service-related notifications, weekly reports, and responding to inquiries
- Billing: Processing payments and managing subscriptions
- Service improvement: Analyzing aggregate usage patterns to improve our diagnostic accuracy and service quality
- Legal compliance: Meeting regulatory obligations and responding to lawful requests
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area or the United Kingdom, our legal bases for processing your personal data are:
- Performance of contract: Processing necessary to deliver the service you have purchased
- Legitimate interests: Operating, securing, and improving our service
- Consent: Where you have given us consent for specific purposes (you may withdraw consent at any time)
- Legal obligation: Where processing is required to comply with applicable laws
5. Third Parties We Share Data With
We share your information with the following service providers, each acting as a data processor under a written agreement:
- Shopify Inc. — App platform and store integration. Subject to Shopify's privacy policy.
- Stripe, Inc. — Payment processing. Stripe collects and processes your payment information directly. We do not receive or store your full payment card details.
- Anthropic, PBC — AI-powered analysis. Your store HTML content is sent to Anthropic's Claude API for diagnostic processing. Anthropic does not retain or train on this data per their API terms.
- Fly.io (Fly, Inc.) — Server hosting infrastructure. Customer data is stored on servers operated by Fly.io in the Tokyo region.
- Cloudflare, Inc. — Content delivery, DNS, and security services for our website.
- GitHub, Inc. — Source code repository. We do not store customer personal data on GitHub.
- Formspree, Inc. — Contact form handler for inquiries submitted via our website.
- Google LLC (PageSpeed Insights API) — Performance metrics for your store pages.
We do not sell your personal information to third parties under any circumstances.
6. International Data Transfers
Atolio is based in Japan, and our servers are located in the Tokyo region. However, some of our service providers (Stripe, Anthropic, Cloudflare, GitHub, etc.) may process data in the United States, the European Union, or other regions.
Where data is transferred outside your jurisdiction, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) for transfers from the EEA, UK, or Switzerland.
7. Data Retention
- Active customer data: Retained for the duration of your subscription
- Post-cancellation data: Retained for up to 12 months after service termination, unless deletion is requested earlier
- Billing records: Retained for 7 years to comply with Japanese tax law
- Server logs: Retained for up to 90 days
- Inquiry communications: Retained for up to 24 months
8. Your Rights
Depending on your location, you have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restriction: Request that we limit the processing of your data
- Portability: Request transfer of your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw it at any time
- Lodge a complaint: File a complaint with your local data protection authority
For California residents, the California Consumer Privacy Act (CCPA) provides additional rights, including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information (we do not sell personal information).
To exercise any of these rights, please contact us at info@atolio-plus.com. We will respond within 30 days.
9. Data Security
We implement industry-standard technical and organizational measures to protect your personal information, including:
- Encryption in transit (TLS/HTTPS) for all data transfers
- Access controls including IP allowlisting, two-factor authentication (TOTP), and rate limiting on administrative interfaces
- Regular security audits including dependency vulnerability scanning and OWASP ZAP testing
- Secure credential management via environment variable secrets
- Strict access policies for personal data — only authorized personnel may access customer information
10. Cookies and Tracking
Our website (atolio-plus.com) currently uses minimal cookies, limited to essential session management. We do not use third-party advertising or tracking cookies.
Our embedded Shopify app uses cookies necessary for authentication via Shopify OAuth.
11. Children's Privacy
Atolio is a B2B service intended for business operators. Our service is not directed at individuals under the age of 18, and we do not knowingly collect personal information from children. If we become aware that we have collected such information, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to active customers. The most recent version will always be available at this URL with a clearly indicated "Effective" date.
13. Contact Us
For privacy-related questions, requests, or complaints, please contact:
Atolio
Operations Manager: Arata Horie
Email: info@atolio-plus.com
Address: 1-6-25 Higashiyamata, Tsuzuki-ku, Yokohama, Kanagawa 224-0023, Japan