Privacy Policy
We take your privacy seriously. This policy explains what data we collect, how we use it, and your rights.
Last updated: February 6, 2026
Data Controller
TL;DR - The Important Stuff
- We do NOT sell your data. Ever.
- Your website visitor data is pseudonymized and used only for optimization.
- You can export or delete your data at any time.
- We comply with GDPR and other privacy regulations.
- All data is encrypted in transit and at rest.
- Most of our data processing happens in the EU.
- You control what data is collected on your website.
Information We Collect
Account Information
When you create a CroPilot account, we collect your name, email address, and password. This is necessary to provide our services.
Payment Information
Payment data is processed by Lemon Squeezy, who acts as our Merchant of Record. Lemon Squeezy handles all payment processing, billing, and tax compliance. We do not store your credit card details.
Website Tracking Data
Our tracking script collects visitor behavior data on your website including clicks, scrolls, page views, form interactions, and device information. This data is pseudonymized and used solely for conversion optimization.
Usage Data
We collect information about how you use CroPilot, including features accessed, tests created, and dashboard interactions. This helps us improve the product.
Legal Basis for Processing
Contract Performance
We process your account data, payment information, and usage data to provide CroPilot services as agreed in our Terms of Service.
Legitimate Interest
We use aggregated, anonymized data to improve our AI models and optimization algorithms. We also monitor for security threats and fraudulent activity.
Consent
We obtain your consent for marketing emails and optional analytics. You can withdraw consent at any time.
How We Use Your Information
Service Delivery
We use your information to provide CroPilot services, including analytics, A/B testing, heatmaps, and optimization recommendations.
Product Improvement
Aggregated, anonymized data helps us improve our AI models. Individual site data is never shared with third parties.
Communication
We use your email to send service updates, test results, and important account notifications. You can opt out of marketing emails at any time.
For Website Owners (Data Processing)
When you install CroPilot on your website:
- You are the Data Controller for your website visitors
- CroPilot acts as a Data Processor on your behalf
- We only process visitor data according to your instructions
- We do not use your visitor data for our own purposes
Data Processing Agreement (DPA)
A Data Processing Agreement is available for customers who require one for GDPR compliance. Contact privacy@cropilot.ai to request a DPA.
E-commerce Integration
If you connect your e-commerce store, we receive order data (order value, products, timestamps) to measure conversion goals. This data is processed according to your DPA and used only to provide optimization insights.
Shopify Store Data
If you install CroPilot via the Shopify App Store, we access the following data from your Shopify store:
- Order data (read_orders): Order values, timestamps, and line items to measure conversion goals and attribute revenue to experiments.
- Script tags (write_script_tags): We install and manage a script tag on your storefront to load the CroPilot tracking and experimentation script.
- Web Pixel / Customer events (write_pixels, read_customer_events): We deploy a Shopify Web Pixel extension that captures customer behavior events (page views, add-to-cart, purchases) in compliance with Shopify's customer privacy consent framework.
We comply with Shopify's API Terms of Service and process all Shopify merchant and customer data in accordance with Shopify's privacy requirements.
Customer events collected via the Web Pixel respect Shopify's privacy consent framework. When a customer has not consented to tracking, the pixel does not fire.
We honor Shopify's mandatory GDPR webhooks: customers/redact, customers/data_request, and shop/redact. When these webhooks are received, we delete or provide the relevant data within the timeframes required by Shopify and applicable law.
Sub-Processors & Service Providers
We share limited data with trusted service providers who help us operate CroPilot. These providers are bound by contractual obligations to protect your data.
| Service | Purpose | Location |
|---|---|---|
| Lemon Squeezy | Payment processing (Merchant of Record) | United States |
| Intercom | Customer support & chat | EU |
| PostHog | Product analytics | EU |
| Google Analytics 4 | Website analytics (marketing site) | US |
| Render.com | Hosting infrastructure | US |
| Shopify Inc. | E-commerce platform integration (order data, script tags, web pixel) | Canada / US |
We do NOT sell your data. CroPilot will never sell or rent your personal information or your website visitor data to third parties.
International Data Transfers
Most of our data processing occurs within the European Union. However, some of our service providers (Google Analytics, Render.com) are based in the United States.
For transfers to the US, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional technical and organizational safeguards
We continuously evaluate our sub-processors to ensure adequate data protection.
Data Security
Encryption
All data transmitted to and from CroPilot is encrypted using TLS/SSL. Data at rest is encrypted using AES-256.
Access Controls
Access to your data is restricted to authorized CroPilot employees who need it to provide support. All access is logged and monitored.
Pseudonymization
Visitor tracking data is pseudonymized. We do not collect personally identifiable information from your website visitors unless you explicitly configure goals to do so.
Your Rights
Access & Portability
You can access and export your data at any time through your CroPilot dashboard.
Correction
You can update your account information directly in your settings.
Deletion
You can delete your CroPilot account at any time. We will remove your data within 30 days.
Opt-Out
You can opt out of marketing emails using the unsubscribe link in any email.
Right to Lodge a Complaint
If you believe we have violated your privacy rights, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet):
Cookies & Tracking
CroPilot Cookies
We use cookies to maintain your login session and remember your preferences. We also use cookies to track A/B test variants for your website visitors.
Analytics on Our Website
We use PostHog (EU-hosted) for product analytics and Google Analytics 4 (US-hosted) for marketing analytics to understand how visitors use CroPilot.ai. This is separate from the tracking script you install on your site.
Your Website Visitors
Our tracking script places a cookie on your visitors' browsers to track their behavior. This cookie does not contain personally identifiable information.
Cookie Consent
You are responsible for obtaining consent from your website visitors for CroPilot tracking cookies, as required by applicable laws (GDPR, ePrivacy Directive).
Data Retention
CroPilot retains your data for as long as your account is active. Visitor tracking data is retained for 24 months by default.
Upon account deletion, we will delete your data within 30 days, except where required for legal purposes.
You can configure shorter retention periods in your account settings.
Children's Privacy
CroPilot is not intended for use by children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us at privacy@cropilot.ai.
Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or a notice in your dashboard.
Continued use of CroPilot after policy changes constitutes acceptance of the updated policy.
Questions About Privacy?
Our team is here to help with any privacy-related questions or requests.
Privacy Questions: privacy@cropilot.ai
GDPR & Data Requests: privacy@cropilot.ai
DPA Requests: privacy@cropilot.ai
CROPILOT AS • Org. nr: 937 028 245
Elisenbergveien 17, 0265 OSLO, Norway