PRIVACY POLICY
Revenue Agent by Starforest
Last Updated: February 19, 2026
Effective Date: February 19, 2026
Introduction
This Privacy Policy describes how Starforest Inc. ("Starforest," "we," "us," or "our"), located at 3449 Kenneth Drive, Palo Alto, CA 94303, collects, uses, stores, and shares information through our Shopify application, Revenue Agent by Starforest ("Revenue Agent" or the "App").
Revenue Agent is an AI-powered revenue optimization tool for Shopify merchants. The App analyzes store data to identify revenue opportunities, predict customer behavior, and recommend or execute store optimizations.
This policy applies to:
• Merchants who install and use Revenue Agent on their Shopify stores
• Customers of those merchants, whose data is processed through the App
If you are a customer of a merchant who uses Revenue Agent, please note that the merchant is the data controller for your personal data. We act as a data processor on the merchant's behalf. To exercise your privacy rights, please contact the merchant directly.
For privacy inquiries, contact us at: privacy@thestarforest.com
Information We Collect
2.1 Information Collected via Shopify APIs
When a merchant installs Revenue Agent, we access the following data from their Shopify store through Shopify's GraphQL Admin API:
Customer data (purpose: segmentation, lifetime value prediction, churn risk scoring)
• Names, email addresses, order count, total spend, account creation date, tags
Order data (purpose: revenue analytics, discount effectiveness analysis, reorder cycle detection)
• Order amounts, line items, product quantities, dates, discount codes used, financial status
Product data (purpose: sell-through analysis, pricing optimization, markdown recommendations)
• Titles, descriptions, prices, compare-at prices, variant details, inventory levels
Discount data (purpose: discount incrementality analysis, stacking detection)
• Discount codes, usage counts, discount amounts, rules
Inventory data (purpose: days-of-inventory computation, slow-mover identification)
• Stock levels, location data
2.2 Information We Compute and Derive
Using the data above, we compute the following derived analytics. Under applicable privacy laws, derived data that relates to identifiable individuals is treated as personal data:
• RFM (Recency, Frequency, Monetary) segments — categorizing customers by purchase behavior (e.g., "champion," "loyal," "at-risk," "hibernating")
• Customer Lifetime Value (CLV) predictions — statistical estimates of future customer spending using BG/NBD and Gamma-Gamma probabilistic models
• Churn risk scores — probability that a customer will not return (low, medium, high)
• Reorder cycle estimates — predicted intervals between repeat purchases
• Product performance metrics — sell-through rates, revenue per product, markdown indicators
• Discount effectiveness scores — whether discounts drive incremental revenue or subsidize purchases that would have occurred anyway
• Bundle and cross-sell recommendations — product association patterns identified through basket analysis
2.3 Information Collected from Merchants
• Shopify store domain and store name
• Billing plan selection
• App configuration preferences (monitoring frequency, autonomy settings, guardrail thresholds)
2.4 Automatically Collected Information
• App usage events (page views within the App, features accessed)
• Error logs and performance data for debugging
• Webhook delivery records
How We Use Information
3.1 Core Service Delivery
We use store data to:
• Compute analytics features (customer segments, product metrics, discount analysis)
• Generate revenue audit reports with actionable recommendations
• Produce daily monitoring summaries that identify new issues and opportunities
• Display insights on Shopify admin pages through admin block extensions
• Write summary insights back to Shopify as metafields (visible only to the merchant in their admin)
3.2 Automated Processing and Profiling
Revenue Agent performs automated profiling of customer and product data. This means we use algorithms and statistical models to categorize customers and predict behavior without manual review of each individual.
Types of profiling we perform:
• Customer segmentation based on purchase history (RFM analysis)
• Predictive modeling of customer lifetime value and churn probability
• Product categorization by sales performance and inventory risk
• Discount effectiveness assessment
Significance and consequences:
Profiling results may lead to automated actions on the merchant's store, such as tagging customers for marketing campaigns or adjusting product pricing. Merchants control which automated actions are enabled and can review, approve, or disable any action.
Your rights regarding profiling:
• Merchants can disable automated actions at any time through the App's settings
• Merchants can configure guardrails that limit the scope of automated actions
• Customers of merchants may exercise their right to object to profiling by contacting the merchant (the data controller)
3.3 Automated Actions
When enabled by the merchant, Revenue Agent may automatically execute certain store changes:
• Tag customers — adding descriptive tags to customer records (e.g., "reorder-overdue")
• Set compare-at prices — adding strikethrough pricing to products
• Deactivate discount codes — disabling underperforming or wasteful promotions
Price reductions (markdown actions) are never auto-executed and always require explicit merchant approval.
Merchants choose their autonomy level:
• Manual — all actions require merchant approval before execution
• Supervised — actions are proposed and await approval
• Autopilot — safe, reversible actions execute automatically; merchants are notified and can undo any action
3.4 What We Do Not Use Data For
• We do not sell personal data to any third party
• We do not use merchant or customer data to train, fine-tune, or improve artificial intelligence or machine learning models
• We do not use data from one merchant's store to benefit another merchant
• We do not contact a merchant's customers directly
• We do not use data for advertising, ad targeting, or marketing purposes unrelated to the merchant's own store
• We do not share individual merchant data in competitive benchmarking or aggregated industry reports without explicit merchant consent
How We Share Information
4.1 With Shopify
We write computed insights back to the merchant's Shopify store as app-owned metafields. These metafields are only visible to the merchant within their Shopify admin and are not exposed to storefront visitors. We also interact with Shopify's APIs to execute merchant-approved actions (e.g., updating product prices, tagging customers).
4.2 With AI Service Providers (Sub-Processors)
To generate natural-language audit reports and monitoring summaries, we send aggregated store analytics context to the following AI service providers:
• Anthropic, Inc. — Claude API (Sonnet) — daily monitoring analysis and action recommendations
• Google LLC — Gemini API — full revenue audit report generation
Important safeguards:
• Inference only — we send data for analysis and receive a response; neither provider uses this data to train, fine-tune, or improve their models under commercial API terms
• Data minimization — we send aggregated statistics and computed features, not raw customer personally identifiable information such as names or email addresses, except where necessary for the analysis
• No retention — neither provider retains prompt data or responses beyond the duration of the API call
• Contractual protections — we maintain Data Processing Agreements with both providers that include Standard Contractual Clauses for international data transfers
4.3 Infrastructure Providers
• Amazon Web Services (AWS) — cloud hosting and database infrastructure (US regions)
• Shopify Inc. — application platform, billing, and authentication
4.4 Legal and Safety Disclosures
We may disclose information if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Starforest, our users, or the public.
Data Storage and Security
5.1 Where Data Is Stored
Merchant and customer data is stored in our MySQL database hosted on Amazon Web Services in the United States. Data in transit between Shopify, our servers, and AI service providers is encrypted using TLS 1.2 or higher.
5.2 Security Measures
Starforest maintains a comprehensive security program that includes:
• Encryption at rest — AES-256
• Encryption in transit — TLS 1.2 or higher
• Encrypted backups
• Access controls — role-based access with least privilege
• Environment separation — test and production environments separated
• Access logging
• Strong authentication — strong passwords and multi-factor authentication
• Regular security reviews
5.3 SOC 2 Compliance
Starforest has achieved SOC 2 Type I certification, which verifies that our security controls are suitably designed at a point in time. We are currently undergoing SOC 2 Type II assessment, which evaluates the operating effectiveness of these controls over a sustained period. Copies of our SOC 2 report are available to merchants upon request under NDA.
5.4 Incident Response
We maintain a security incident response policy. In the event of a data breach that affects merchant or customer data:
• We will notify affected merchants within 72 hours of becoming aware of the breach
• We will notify Shopify in accordance with our Partner Program Agreement obligations
• We will cooperate with merchants' obligations to notify supervisory authorities and affected individuals as required by applicable law
Data Retention and Deletion
6.1 Retention Periods
• Customer analytics data (segments, CLV, churn scores) — duration of app installation plus 30 days
• Order and transaction data — duration of app installation plus 30 days
• Product and inventory features — duration of app installation plus 30 days
• Audit reports and monitoring results — duration of app installation plus 30 days
• App configuration and settings — duration of app installation plus 30 days
• Error logs and debugging data — 30 days
• AI service interaction logs — not retained (processed in real time, not stored)
6.2 Merchant Uninstallation
When a merchant uninstalls Revenue Agent:
• Shopify sends us a shop/redact webhook 48 hours after uninstallation
• Upon receiving this webhook, we delete all data associated with that merchant's store from our database
• Deletion is completed within 30 days of receiving the webhook
• Session data stored within Shopify's infrastructure is deleted immediately upon uninstallation
6.3 Customer Deletion Requests
When Shopify sends us a customers/redact webhook, we delete all data associated with that specific customer from our database within 30 days, including computed analytics and any tags or metafields we have written.
6.4 Customer Data Access Requests
When Shopify sends us a customers/data_request webhook:
• We compile all data we hold about that customer
• We provide it to the merchant within 30 days
• The merchant is responsible for delivering this data to the requesting customer
6.5 Legal Retention Exceptions
We may retain data beyond the stated periods only where required by law, and only for the minimum period required. Data is deleted promptly thereafter.
Merchant Rights
As a merchant using Revenue Agent, you have the right to:
• Access — request a copy of all data we hold about your store and customers
• Correction — request correction of inaccurate data
• Deletion — request deletion of your data at any time (in addition to automatic deletion upon uninstallation)
• Export — receive your data in a portable, machine-readable format
• Object — object to specific types of data processing
• Restrict — request that we limit how we process your data
• Withdraw consent — uninstall the App at any time to cease all data processing
To exercise these rights, contact: privacy@thestarforest.com. We will respond within 30 days.
Customer Rights
If you are a customer of a Shopify store that uses Revenue Agent, the merchant (store owner) is the data controller responsible for your personal data. We process your data solely on the merchant's behalf and according to their instructions.
To exercise your privacy rights (access, correction, deletion, objection to profiling, or any other right), please contact the merchant directly. The merchant can instruct us to take action on your data, and we will comply.
Regarding automated profiling:
• You have the right to not be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you
• You may request information about the logic involved through the merchant
• You may object to automated profiling through the merchant, who can adjust their Revenue Agent settings accordingly
International Data Transfers
Our servers are located in the United States. If you or your customers are located outside the United States, your data will be transferred to and processed in the United States.
For transfers of personal data from the EEA, the UK, or Switzerland, we rely on:
• Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated into our DPAs with merchants and sub-processors
• Data Processing Addendums (DPAs) with each sub-processor that include appropriate safeguards
A copy of our Data Processing Agreement is available upon request at: privacy@thestarforest.com.
Jurisdiction-Specific Disclosures
10.1 European Economic Area and United Kingdom (GDPR)
Legal basis for processing:
• Providing the App's analytics services — performance of contract with the merchant
• Computing customer segments and CLV — legitimate interests of the merchant
• Automated profiling and action execution — legitimate interests, subject to merchant configuration
• Security and fraud prevention — legitimate interests
• Legal compliance — legal obligation
Data protection contact: privacy@thestarforest.com.
Right to lodge a complaint: You may lodge a complaint with your local supervisory authority.
10.2 California (CCPA / CPRA)
Categories of personal information collected:
• Identifiers (names, email addresses)
• Commercial information (purchase history, order details)
• Internet or electronic network activity (app usage data)
• Inferences drawn from the above (customer segments, CLV predictions, churn scores)
We do not sell or share personal information as defined under the CCPA/CPRA.
Opt out of automated decision-making: Revenue Agent performs automated decision-making through customer segmentation and predictive scoring. Merchants may disable automated actions through the App's settings page. Consumers may request that merchants opt them out of automated profiling by contacting the merchant directly.
Retention: See Section 6 for specific retention periods.
Non-discrimination: We do not discriminate against any individual for exercising privacy rights.
10.3 Canada (PIPEDA)
We collect and process personal information with the knowledge and consent of the merchant. The merchant is responsible for obtaining any required consents from customers for third-party app processing.
You may access and challenge the accuracy of your personal information by contacting: privacy@thestarforest.com.
10.4 Brazil (LGPD)
For merchants and customers located in Brazil, we process personal data on the legal basis of the contractual relationship with the merchant and legitimate interests. Data subjects may exercise rights by contacting the merchant or contacting us at: privacy@thestarforest.com.
Cookies and Tracking Technologies
Revenue Agent operates as an embedded Shopify application within the Shopify admin interface. We do not place third-party cookies on merchant storefronts or customer-facing pages.
Within the Shopify admin, we use only:
• Session cookies required for authentication and app functionality, managed by Shopify's platform
• No analytics tracking cookies are placed by Revenue Agent
• No advertising or retargeting pixels are used
Children's Privacy
Revenue Agent is a business-to-business application designed for use by Shopify merchants. We do not knowingly collect personal information from children under the age of 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes:
• We will update the "Last Updated" date at the top of this policy
• For significant changes, we will notify merchants through the App or via email
• Continued use of Revenue Agent after changes take effect constitutes acceptance
We encourage merchants to review this policy periodically.
Contact Information
Starforest Inc.
3449 Kenneth Drive
Palo Alto, CA 94303
United States
Email: privacy@thestarforest.com
We will acknowledge receipt of your inquiry within 5 business days and provide a substantive response within 30 days.
Appendix A: Sub-Processor List
• Anthropic, Inc. — AI-powered analytics (Claude API) — aggregated store analytics context — United States
• Google LLC — AI-powered analytics (Gemini API) — aggregated store analytics context — United States
• Amazon Web Services, Inc. — cloud hosting and database — all App data — United States
• Shopify Inc. — application platform, billing, auth — store data and session data — Canada / United States
We will update this list and notify merchants before engaging new sub-processors that handle personal data.
Appendix B: Data Processing Agreement
A Data Processing Agreement (DPA) governing our processing of personal data on behalf of merchants is available upon request. The DPA includes:
• Scope and purpose of data processing
• Obligations of the processor (Starforest) and the controller (merchant)
• Sub-processor engagement terms
• Data security requirements
• Audit rights
• Data breach notification procedures
• Standard Contractual Clauses for international transfers
• Data return and deletion procedures
To request a copy, contact: privacy@thestarforest.com.
Last Updated on Dec 3, 2025