Privacy Policy

2026/05/07

Effective date: 7 May, 2026

1. Introduction

This Privacy Policy describes how ZULER TECHNOLOGY PTE. LTD. ("ToShop", "we", "us", or "our") collects, uses, and discloses personal information when you use our website at toshop.ai, our desktop application, our web application, and related services (together, the "Service").

If you have questions about this policy, contact us at support@toshop.ai.

2. Scope

This policy applies to:

  • People who create a ToShop account and use the Service ("Users").
  • Workspaces, businesses, and merchant accounts that use ToShop ("Customers" or "Merchants").
  • People whose information flows into ToShop because a Merchant has connected a third-party service that contains data about them (for example, a Shopify store's customers). We refer to these people as "End Users".

This policy does not apply to third-party services you connect to ToShop. Those services are governed by their own privacy policies and terms.

3. Information We Collect

We collect personal information you provide to us, information collected automatically when you use the Service, and information from third-party sources.

3.1 Information you provide to us

  • Contact data, such as your name, email address, and any other contact details you provide when you sign up, get in touch with us, or update your profile (for example, profile image, language or locale preference).
  • Account and credential data, such as the password used to authenticate you (stored only as a hash by our identity provider), and any additional authentication factors you set up, including WebAuthn or passkey credentials and TOTP or recovery codes for two-factor authentication.
  • Inputs, prompts and user-generated content, such as messages, prompts, files, notes, memories, and other content you upload, use as input to, generate with, transmit through, or otherwise make available on the Service, as well as associated metadata (for example, when content was created or edited, file names, and tags).
  • Workspace configuration, such as workspaces you create, skills and plugins you install, webhooks and scheduled tasks you configure, and settings you choose.
  • Communications data, based on our exchanges with you, including when you contact us through the Service, by email, or otherwise.
  • Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them, where we offer such communications.
  • Payment data, needed to complete transactions, which is collected and processed directly by our payment processors, such as Stripe, as further described in the "How we share information" section below.

3.2 Information we collect automatically

  • Device and connection data, such as your IP address, user-agent string, operating system, and — for the desktop application — a device identifier and device fingerprint that we use to register your installation and keep you signed in.
  • Session data, such as session tokens and expiry timestamps that keep you authenticated while you use the Service.
  • Usage and audit data, such as records of actions taken inside your workspace, including who or what initiated an action, what was changed, and a description of the action. We use these records to operate the Service, investigate problems, prevent abuse, and respond to data subject requests.
  • Error and reliability data, such as crash reports, latency and reliability metrics, and rate-limiting counters used to keep the Service available. We use Sentry as a service provider to collect and review error reports.
  • Cookies and similar technologies, as described in Section 4.

3.3 Information from third-party sources

We may combine personal information we receive from you with information we obtain from other sources, including:

  • Third-Party AI Providers. Parts of the Service are integrated with third-party AI platforms that help generate responses to your inputs and prompts. These providers process your inputs as part of generating outputs and may return information to us as part of that processing.
  • Service providers that perform services on our behalf or help us operate the Service or our business.
  • Third-party login services, such as Google, that you use to sign in to your ToShop account. When you choose this option, we receive limited account information from that provider (for example, your name, email address, and a unique account identifier) based on your settings with that provider.
  • At your direction. Where you connect a third-party service to your workspace, we receive only the information needed to carry out the actions you request, consistent with the permissions you grant. A "Connector" is a pre-built integration that allows ToShop to connect to an external data source, application, or service that you designate (for example, Shopify). Our Connectors process data only from sources you have authorized and only as you instruct, and they only access the categories of data you authorize. We follow the applicable provider policies for each Connector. The data we may receive through Connectors and how we handle it is described in Section 5.

4. Cookies And Similar Technologies

We use cookies and similar browser storage (such as localStorage) to operate the Service, keep you signed in, and remember your preferences. We do not use cookies for third-party advertising or cross-site tracking.

5. Information From Connected Services and Integrations

ToShop lets you connect third-party services to your workspace so the AI agents can work with data that already lives in those services.

If you connect a service, we may access and process data from that service based on the permissions you approve at the time of connection. The categories of data we receive depend on the integration and the scopes you grant, and may include account, store, product, inventory, order, customer, fulfillment, discount, file, report, and related metadata. We use this data to provide ToShop features such as workflow assistance, analysis, reporting, customer-support drafts, inventory and order monitoring, and growth recommendations.

We store the credentials needed to keep the integration working (for example, OAuth access tokens, account or store identifiers, and the list of scopes you approved). Sensitive credentials such as access tokens are encrypted at rest. You can disconnect an integration at any time from your workspace settings; once disconnected, ToShop stops receiving new data from that service and the stored credentials are deleted or rendered unusable.

For example, if you connect a Shopify store, ToShop uses Shopify's standard OAuth flow and may process store metadata, products and inventory, orders and fulfillments, customer records associated with orders, discounts, files, and related reports — depending on the scopes you approve. To keep workspace data in sync, ToShop subscribes to Shopify webhooks for relevant events, and to Shopify's required privacy and lifecycle webhooks (customers/data_request, customers/redact, shop/redact, app/uninstalled), which are handled as described in Section 12.

6. Customer / End-User Data Processed On Behalf Of Merchants

When a Merchant connects a service such as Shopify, ToShop processes data about that Merchant's End Users (for example, the Merchant's customers and order recipients) on the Merchant's behalf, in order to provide ToShop features such as customer-support drafting, order analysis, inventory monitoring, and reporting.

For this data, the Merchant is the controller and ToShop acts as a processor. Merchants are responsible for having a valid legal basis to share End-User data with ToShop and for telling their End Users about that processing. End Users who want to exercise privacy rights about data ToShop holds on behalf of a Merchant should contact the Merchant first; ToShop will assist Merchants in responding.

ToShop does not install storefront scripts, theme extensions, web pixels, cookies, or other tracking technologies on a Merchant's customer-facing storefront, and it does not log how a Merchant's shoppers browse or navigate that storefront. The only End-User data ToShop processes is the data the Merchant has authorized us to read through a connected service (for example, customer records and order details returned by the Shopify Admin API based on the scopes the Merchant approved).

7. How We Use Information

We use the information described above to:

  • Provide, operate, and maintain the Service.
  • Authenticate you, keep you signed in, and protect your account.
  • Run AI agents and skills you invoke, including reading from and writing to connected services with the scopes you approved.
  • Generate analysis, reports, drafts, recommendations, and other AI-assisted output you request.
  • Monitor inventory, orders, fulfillment, and other operational signals you ask ToShop to track.
  • Process subscriptions, billing, and invoicing through Stripe.
  • Send service-related communications (for example, security notices, billing notices, product changes).
  • Maintain audit logs, debug issues, prevent abuse, and enforce our terms.
  • Comply with legal obligations and respond to lawful requests.

8. AI Processing And Automated Analysis

ToShop uses third-party AI service providers (including OpenRouter, Anthropic, OpenAI, Google, and others) to power its AI agents. When you interact with ToShop, content you send to an agent — and relevant context the agent fetches to answer you, which may include data from connected services such as Shopify orders, customers, products, or inventory — is sent to these providers so they can generate a response.

ToShop sends only the data needed to handle your request. We do not use your content, Merchant data, or End-User data to train foundation models. The AI provider's handling of data sent through its API is governed by its own terms.

ToShop also uses AI to produce automated output such as summaries, drafts, classifications, and recommendations. These outputs are AI-generated and may contain errors. They are not legal, financial, medical, or other professional advice.

9. How We Share Information

We share information with third parties only as needed to operate the Service. Categories include:

  • Identity and authentication providers, used to manage sign-up, login, account-recovery, and third-party sign-in (for example, Google).
  • AI service providers, including OpenRouter, Anthropic, OpenAI, Google, and others, used to generate AI responses as described in Section 8.
  • Payment processors, such as Stripe, used to process subscriptions and payments. Payment card details are collected and held by these processors, not by ToShop.
  • Hosting and infrastructure providers, such as Amazon Web Services, used to host our databases, object storage, background workers, and application servers.
  • Error and reliability monitoring providers, such as Sentry, used to collect and review error reports so we can keep the Service available and reliable.
  • Connected services that you choose to connect (for example, Shopify), to the extent ToShop sends data to that service to fulfill an action you ask the agent to take.

We do not sell personal information. We do not share your information with third parties for their own marketing.

We may also disclose information when required by law, to protect rights and safety, to investigate fraud or abuse, or in connection with a corporate transaction such as a merger or acquisition.

10. Third-Party Integrations And Connectors

When you connect a third-party service, that service becomes part of how ToShop works for you, but it remains operated by the third party. Your use of that service is governed by the third party's terms and privacy policy. ToShop only acts on the scopes you approve and only for as long as the connection is active.

If you revoke ToShop's access from inside the third-party service (for example, uninstalling the ToShop app from Shopify), the connection ends and ToShop will stop receiving new data from that service. We will then delete or render unusable the access credentials for that connection.

11. Data Retention

We retain information for as long as your account and workspaces are active and as long as needed to provide the Service. Specific retention behavior includes:

  • Account data: Retained while your account exists.
  • Workspaces: Soft-deleted workspaces are retained for a recovery window and then removed.
  • Sessions: Expire automatically based on the session lifetime set by our identity provider.
  • Integration credentials: Retained while the integration is connected; deleted or rendered unusable after disconnection or uninstall.
  • Audit logs and operational logs: Retained for security, compliance, and abuse-prevention purposes.
  • Backups: May persist for a limited period after deletion as part of standard backup rotation.

We may retain limited information after account closure to comply with legal obligations, resolve disputes, prevent fraud, and enforce our agreements.

12. Data Deletion And Integration Disconnection

You can:

  • Delete a workspace from the workspace settings.
  • Disconnect a connected service from the integration settings.
  • Request deletion of your account by contacting support@toshop.ai.

For Shopify specifically, ToShop honors the Shopify privacy webhooks referenced in Section 5:

  • customers/data_request — ToShop locates the data it holds about the named Shopify customer (using subject references stored in audit logs and workspace data) and provides it to the Merchant who can then forward it to the customer.
  • customers/redact — ToShop deletes the named Shopify customer's data from workspace records, audit logs, and AI memory indexes, subject to legal-retention requirements.
  • shop/redact — When a Merchant uninstalls ToShop from their Shopify store, after Shopify's required waiting period ToShop deletes data associated with that store, including credentials, cached store data, and related records.
  • app/uninstalled — Triggers immediate removal of the Shopify access token and marks the integration as disconnected.

13. Security

We use technical and organizational measures designed to protect information, including:

  • Encryption in transit (TLS) for traffic between your device and ToShop.
  • Encryption at rest (AES-256-GCM) for sensitive credentials such as third-party access tokens and stored API keys.
  • Authentication and session management through our identity provider, including support for OAuth, WebAuthn / passkeys, and TOTP-based two-factor authentication.
  • Workspace-level isolation in our database, including row-level access controls.
  • Audit logging of agent and user actions inside a workspace.
  • Webhook signing and verification for incoming events from connected services.

No system is perfectly secure. You are responsible for keeping your account credentials and any API keys you upload safe. If you believe you have found a security vulnerability in ToShop, please report it to security@toshop.ai.

14. Establishment And International Data Transfers

ZULER TECHNOLOGY PTE. LTD. is established in Singapore. ToShop is not established in the European Economic Area or the United Kingdom.

ToShop's primary production infrastructure is hosted in the United States on Amazon Web Services. As a result, when you use ToShop, the information described in this policy — including data accessed through connected services such as Shopify — is transferred to, stored, and processed in the United States, and may also be processed in other locations where our service providers operate (for example, the AI model provider used to generate agent responses).

If you access ToShop from the European Economic Area, the United Kingdom, or another jurisdiction with cross-border transfer rules, your information will be transferred outside that jurisdiction. Where required by law, we rely on appropriate safeguards (for example, Standard Contractual Clauses or equivalent transfer mechanisms) for such transfers.

15. Your Rights

Depending on where you live, you may have rights regarding your personal information, including the right to access, correct, delete, restrict or object to processing, and port your data. You may also have the right to lodge a complaint with a data protection authority.

To exercise these rights, contact us at support@toshop.ai. If your data is held by ToShop on behalf of a Merchant (for example, you are an End User whose data was imported from a Merchant's Shopify store), please contact the Merchant first; we will support the Merchant in responding.

16. Notice To European Users

This section provides additional information for users in the European Economic Area, the United Kingdom, and Switzerland.

Controller. For personal information processed about you as a ToShop user, ZULER TECHNOLOGY PTE. LTD. is the controller. For personal information that ToShop processes on behalf of a Merchant (for example, customer records returned by a Shopify store the Merchant has connected), the Merchant is the controller and ToShop acts as a processor.

Lawful bases for processing. We rely on the following lawful bases under the GDPR and UK GDPR:

  • Performance of a contract — to provide the Service to you, run the AI agents you invoke, and process your subscription.
  • Legitimate interests — to keep the Service secure, prevent abuse, maintain audit logs, debug and improve the Service, and communicate service-related notices. We balance these interests against your rights.
  • Consent — where we ask for it (for example, before enabling an optional feature). You may withdraw consent at any time.
  • Legal obligation — to comply with applicable laws and respond to lawful requests.

Your rights. You have the right to access, rectify, erase, restrict the processing of, and port your personal information, and to object to processing based on legitimate interests. To exercise these rights, contact us at support@toshop.ai. You also have the right to lodge a complaint with your local data protection authority.

International transfers. As described in Section 14, ToShop is established in Singapore and its primary infrastructure is hosted in the United States. When personal information is transferred outside the EEA, the United Kingdom, or Switzerland, we rely on appropriate safeguards (for example, the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum) where required by law.

EU / UK representative. If we are required to designate a representative in the EU or UK under Article 27 of the GDPR or the UK GDPR, the representative's contact details will be published in this policy or on our website.

17. Children's Privacy

ToShop is not directed to children under 18, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us at support@toshop.ai and we will take appropriate action.

18. Changes To This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective date" at the top of this page and, where appropriate, give additional notice (for example, by email or through the Service). Continued use of the Service after the change becomes effective means you accept the updated policy.

19. Contact

ZULER TECHNOLOGY PTE. LTD.

  • General support and privacy / data subject requests: support@toshop.ai
  • Security vulnerability reports: security@toshop.ai
  • Business address: 991D Alexandra Rd, #02-17, Singapore 119972