Privacy Policy

1. Overview

Fitastic, a service operated by ASE Inc., a United States-based company, helps Shopify retailers follow up with customers after a purchase to confirm sizing, gather measurements, and, when appropriate, suggest order updates. This Privacy Policy explains how ASE Inc. (“Fitastic,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when merchants install the Fitastic Shopify app, connect third-party email accounts, or otherwise interact with our services. By installing or using the app, you agree to this policy.

Merchants are responsible for ensuring they have a lawful basis to share customer information with Fitastic and for communicating relevant notices to their customers. Fitastic processes personal information as the merchant’s service provider/processor unless stated otherwise.

2. Information We Collect

We only collect information required to provide, secure, and improve the Fitastic service.

Shopify merchant and store information
  • Store name, domain, contact details, and Shopify identifiers.

  • Staff user information required for authentication and access control.

  • Shopify billing information related to app subscriptions (processed by Shopify on our behalf).

Retailer account and configuration data
  • Account profile details, subscription plan, and credit balances.

  • Settings such as product selections, messaging preferences, brand voice, return policies, and notes added by staff.

  • Size charts, garment measurement files, and other resources you upload.

Customer and order information received from Shopify
  • Customer names, contact details, order numbers, items purchased, variants, sizing history, delivery preferences, and notes.

  • Shopify customer tags, metafields, and order attributes used for sizing workflows.

Email communications and conversation history
  • Message metadata (sender, recipients, timestamps, thread IDs, message IDs) received through Gmail or Microsoft Outlook APIs.

  • Message bodies, attachments, and AI-generated draft replies required to communicate with customers.

  • Delivery receipts, bounce notices, and follow-up status information.

Authentication credentials
  • OAuth tokens and refresh tokens for connected Gmail and Outlook accounts so emails can be sent from the retailer’s mailbox. Tokens are stored securely and refreshed as needed.

Usage and technical information
  • Application logs, API metadata, queue identifiers, IP addresses, device/browser context, and similar technical data used to monitor performance, maintain security, and troubleshoot the app.

Support communications
  • Information you provide when contacting Fitastic (including email address, screenshots, or other context).

We do not intentionally collect sensitive information unless merchants include it in free-form fields or customer communications. Merchants should avoid sharing unnecessary sensitive data with Fitastic.

3. How We Use Information

We use the information described above to:

  • Authenticate merchants and staff and provide access to the Fitastic app.

  • Retrieve orders and customer details from Shopify to power sizing workflows.

  • Draft, send, and manage customer emails through connected Gmail or Outlook accounts.

  • Generate sizing recommendations using AI models and apply approved updates back to Shopify.

  • Provide customer support, respond to inquiries, and resolve technical issues.

  • Maintain, secure, and improve the reliability of our services, including monitoring for abuse and misuse.

  • Analyze anonymized or aggregated data to understand product performance and sizing trends.

  • Comply with applicable legal obligations and enforce our agreements.

We do not sell personal information and do not use customer data for advertising.

4. How We Share Information

We share personal information only with trusted partners that help us deliver the service, or when required by law.

Service providers and infrastructure

We rely on the following processors and sub-processors:

  • Shopify – platform APIs and billing.

  • Supabase – hosted Postgres database, authentication, and file storage.

  • Google Cloud Platform – Pub/Sub and serverless functions that process email events.

  • Google Workspace APIs (Gmail) – sending and receiving messages when merchants connect Google accounts.

  • Microsoft Graph (Outlook / Office365) – sending and receiving messages for merchants who connect Microsoft accounts.

  • OpenAI – generates AI-assisted email drafts and sizing recommendations; we send only contextual information needed for the specific analysis.

  • Vercel – hosts the Fitastic web application and backend.

Service providers may process information in the United States or other jurisdictions. They are contractually obligated to use data only to provide services to Fitastic and to protect it according to applicable laws.

Merchants and authorized users

Customer communications, notes, and analytics are visible to the merchant account and its authorized staff members to support the merchant’s operations.

Legal and compliance

We may disclose information when required to comply with legal obligations, respond to lawful requests, protect our rights, or prevent fraud or security threats.

Business transfers

If we are involved in a merger, acquisition, financing, or sale of assets, we may transfer information to the relevant third parties, subject to confidentiality obligations and continued protection of the data.

We do not share or disclose personal information beyond the situations described above without consent.

5. Data Retention and Deletion

  • Fitastic retains identifiable customer and merchant information for as long as the associated Shopify store uses the app or as necessary to provide services.

  • When Shopify sends a customers/redact or shop/redact webhook, we anonymize or delete personal information within 48 hours, replacing names, emails, and message content with non-identifiable placeholders while preserving aggregate analytics.

  • Aggregated or de-identified information (such as sizing metrics) may be retained for product analytics and reporting.

  • Support inquiries and operational logs are kept only as long as needed for the original purpose or to meet legal requirements.

Merchants can uninstall the app at any time through Shopify Admin. Uninstalling automatically triggers Shopify’s shop/redact webhook, which prompts Fitastic to anonymize store data. Merchants may also submit data access or deletion requests directly through Shopify Admin or by contacting us.

6. Data Security

We implement technical and organizational safeguards to protect the information we process, including:

  • Encryption for data in transit and encryption or secure storage for OAuth tokens and other sensitive fields.

  • Role-based access controls, audit logging, and least-privilege principles for staff access.

  • Network and infrastructure controls provided by Supabase, Google Cloud, and Vercel.

  • Continuous monitoring of error logs and automated alerts for unusual activity.

Despite our efforts, no system can be guaranteed to be completely secure. Merchants are responsible for safeguarding their own Shopify, Gmail, and Outlook credentials.

7. International Data Transfers

ASE Inc. operates primarily from the United States. Our primary infrastructure is located in the United States, and service providers may process data in other countries. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent legal mechanisms to protect personal information transferred internationally.

8. Your Rights and Choices

Shopify merchants
  • Manage data access and deletion requests through the Shopify Admin by triggering the GDPR webhooks (customers/data_request, customers/redact, shop/redact).

  • Review and update account settings within the Fitastic app.

  • Contact us at accounts@fitastic.io to ask questions about how we process merchant or customer data.

End customers of the merchant
  • Customers should contact the Shopify store they purchased from to exercise their privacy rights. When we receive a verified request through Shopify or directly from the merchant, we honor it according to Shopify’s requirements.

  • Depending on your location (for example, within the European Economic Area, the United Kingdom, or California), you may have specific rights to access, correct, delete, or restrict the use of your personal information. We assist merchants in meeting those obligations and will respond to verified requests forwarded to us.

  • You may opt out of future Fitastic communications by following the instructions within the emails or by contacting the merchant. Merchants can pause or deactivate communications from within the Fitastic app.

We do not discriminate against individuals who exercise their privacy rights.

9. Shopify-Mandated Data Deletion Process

Fitastic implements all mandatory Shopify privacy webhooks:

  • customers/data_request: Returns stored customer data to the requesting merchant.

  • customers/redact: Anonymizes customer data (names, emails, email bodies, thread topics) within 48 hours.

  • shop/redact: Anonymizes store-level data and clears connected OAuth tokens within 48 hours after app uninstall.

Merchants may confirm deletion by contacting accounts@fitastic.io.

10. Children’s Privacy

Fitastic is intended for use by Shopify merchants and their adult customers. We do not knowingly collect information from anyone under 16 years old. If we learn that we inadvertently received personal information from a child, we will delete or anonymize it promptly.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes to our practices or applicable laws. We will post the revised policy with an updated “Last updated” date and, when required, provide additional notice. Continued use of the app after a policy change constitutes acceptance of the revised terms.

12. Contact Us

If you have questions or requests concerning this Privacy Policy, please contact Fitastic at:

ASE Inc. d/b/a Fitastic
accounts@fitastic.io