Privacy Policy

1. Who We Are

The Upgrade Shop (“we,” “our,” or “us”) is an AI-managed digital infrastructure platform for small and medium-sized businesses, registered in Israel under ח.פ. 300330123, with registered address at Har Hatzofim 11, Holon, Israel.

We provide business owners with a single platform covering website management, CRM, email marketing, WhatsApp Business messaging, social media automation, online store, digital courses infrastructure, funnels, dispatch management, and a personal AI agent — all accessible through our dashboard at app.upgradeshop.ai.

2. Scope of This Policy — Two Roles We Play

Depending on the context, we act in one of two legal roles with respect to personal data:

2.1 Data Controller — for our direct users

When a business owner creates an account on The Upgrade Shop and uses our dashboard, we are the data controller for that person’s data. This policy describes how we handle that data.

2.2 Data Processor — for our customers’ end users

When a business owner uses our platform to manage their own customers — storing contacts in the CRM, sending WhatsApp messages, running email campaigns, hosting a website, operating an online store, or managing course students — the business owner is the data controllerfor their customers’ personal data, and we act as their data processor.

In that capacity we process end-user data only on the business owner’s documented instructions and in accordance with our Data Processing Agreement. Business owners are responsible for having a lawful basis to collect their customers’ data and for providing their customers with an appropriate privacy notice.

3. Information We Collect About You (Dashboard Users)

3.1 Account and registration data

• Name, email address, and password (or OAuth token from Google sign-in)
• Business name, website URL, and contact details you provide during onboarding
• Profile picture if connected via Google

3.2 Billing and payment data

We use a third-party payment processor (SUMIT) to handle subscription billing. We do not store full card numbers on our servers. We retain:

• Subscription plan, billing cycle, and payment status
• Invoice history and transaction references
• Billing address if provided

3.3 Platform usage data

• Pages and features accessed inside the dashboard
• Actions taken (automations created, campaigns sent, content published)
• Error logs and performance diagnostics
• IP address, browser type, and device information

3.4 Support and communications

• Messages you send to our support team
• Feedback, bug reports, and feature requests
• Conversations with our AI agent (Max) during onboarding and support

4. Meta Platform Data (Facebook and Instagram)

The Platform integrates with Facebook and Instagram through the Meta Graph API so that you can manage your social presence, respond to customers, run and monitor ad campaigns, and analyse performance from one place. This section describes exactly what we access, how we use it, and how you can revoke our access.

4.1 What we access from Facebook

• Your Facebook profile ID, name, and email address (to identify the connecting user)
• The list of Facebook Pages you manage and a Page access token for each (only for Pages you select)
• Public content on connected Pages: posts, comments, reviews, ratings, and engagement metrics
• Messenger conversations sent to and from the connected Page
• Lead Ads form definitions and lead submissions delivered through those forms
• Ad campaign data, ad insights, ad creatives, and ad account metadata for the ad account you authorise
• Page-level insights: organic reach, impressions, and engagement metrics

4.2 What we access from Instagram

• Your Instagram Business or Creator account ID, username, display name, profile picture, and account type
• Your recent posts and their public metadata (media URLs, captions, timestamps)
• Comments on your posts and direct messages sent to and from your account
• Account-level insights: reach, views, impressions, and engagement metrics

4.3 How we use Meta Platform Data

• To display your connected Pages and accounts on your dashboard
• To show Facebook reviews and recommendations in your dashboard and optionally on your public website
• To execute comment auto-reply and DM automations you configure
• To surface inbound messages in your shared inbox so your team can respond
• To display ad campaign performance, spend, leads, and ROI in your Marketing module
• To allow you to pause, resume, or adjust ad campaign budgets from the dashboard
• To pull Lead Ads form submissions into your CRM automatically
• To publish images, reels, and carousels to your connected Instagram account at your direction
• To show organic reach and engagement alongside paid ad performance in one combined view

4.4 What we do NOT do with Meta Platform Data

• We do not sell, rent, or lease Meta Platform Data to any third party
• We do not use Meta Platform Data for advertising targeting other than as explicitly authorised by you
• We do not share Meta Platform Data across the accounts of different customers
• We do not use Meta Platform Data to train general-purpose AI or machine-learning models
• We do not retain Meta Platform Data after you disconnect the integration, except where required by law

4.5 How to revoke our access to Meta Platform Data

You can revoke access at any time in two ways:

• Inside the Platform: go to Social, find the connected Facebook or Instagram account, and click Disconnect. This invalidates the access token and stops all processing immediately.
• Inside Facebook:go to Settings & Privacy → Settings → Apps and Websites and remove The Upgrade Shop from the list of authorised apps.

After revocation we delete the relevant access tokens immediately and purge stored Meta Platform Data within 30 days, except where retention is required by law.

5. WhatsApp Business Data

The Platform integrates with the WhatsApp Business API (operated by Meta Platforms, Inc.) to enable business messaging. When you connect a WhatsApp Business number, we access and process:

• Your WhatsApp Business Account ID and phone number
• Message templates you create and submit for Meta approval
• Inbound and outbound messages between your business number and your customers
• Delivery and read status of messages
• Contact phone numbers and names of people who message your business

We use this data to operate the shared inbox, run broadcast campaigns, power AI agent conversations with your customers, and trigger automation workflows.

You are responsible for ensuring that your customers have opted in to receive WhatsApp communications from your business. Message history is retained for the period necessary to provide the service and support your inbox, after which it is deleted according to our retention schedule.

6. Google Integration Data

If you connect Google services, we access the following with your authorisation:

• Google Analytics: aggregated website traffic metrics (sessions, users, bounce rate, top pages) for your connected website. We do not access individual visitor identities.
• Google Search Console:search performance data (impressions, clicks, average position, top queries) for your website’s domain.

This data is fetched on demand and displayed in your Analytics module. We do not store raw Google Analytics data in our database; aggregated metrics are cached temporarily for performance. You can disconnect Google integrations at any time from your dashboard settings.

7. Payment and Billing Data

Subscription billing is handled by our payment processor, SUMIT. When you subscribe, SUMIT processes your payment details directly under their own privacy policy. We receive and store only:

• A tokenised customer reference from SUMIT (no raw card data on our servers)
• Transaction IDs, amounts, dates, and statuses
• Subscription plan, billing cycle, and renewal dates
• Invoices issued to your business

We retain billing records for the period required by Israeli tax and accounting law (currently 7 years). Subscription payment data for your own customers (if you use the Store module for your business) is processed on your behalf as described in Section 9.

8. AI Agent and Conversation Data

Every account includes a personal AI agent that can communicate with you via WhatsApp and the dashboard. Additionally, your customers may interact with your own AI agent (configured by you) through your WhatsApp Business number.

• Your conversations with our platform’s AI agent (Max): logged and used to improve response quality, provide onboarding support, and maintain context across sessions.
• Your customers’ conversations with your AI agent:processed on your behalf (see Section 9). Your customers’ message content is used to generate responses and may be stored in a knowledge graph to maintain conversational context over time.

AI responses are generated using large language models provided by third-party AI providers (see Sub-processors in Section 11). Conversation data sent to these providers is subject to our data processing agreements with them and is not used to train their public models.

You can request deletion of AI conversation history by emailing [email protected].

9. Data We Process on Your Customers’ Behalf

When you use The Upgrade Shop to run your business, you entrust us with your customers’ personal data. You are the data controller; we are your data processor. The categories of data we process on your behalf include:

9.1 CRM — Contacts and Companies

• Names, phone numbers, email addresses, and business details of your contacts
• Pipeline stage, lead source, and activity history
• Custom fields you define for your business
• Tags, notes, and communication logs

9.2 Messaging and Inbox

• WhatsApp, Facebook Messenger, and Instagram DM conversations with your customers
• Message content, timestamps, and delivery status
• Broadcast campaign recipient lists and engagement data

9.3 Email Marketing

• Email addresses and names of your mailing list subscribers
• Subscription preferences, opt-in/opt-out status, and consent timestamps
• Campaign open rates, click-through rates, and bounce data

9.4 Website Visitors

• Form submissions made on websites we host for you
• Analytics events collected on your website (depending on your tracking configuration)

9.5 Online Store

• Order details, product purchases, and transaction history of your customers
• Subscription plan and billing status of your customers’ recurring orders
• Shipping addresses if collected

9.6 Digital Courses Infrastructure

If you run digital courses through our platform, we process data about your enrolled students on your behalf:

• Student names and email addresses
• Enrollment status, progress through course content, and completion records
• Video watch progress and assessment results

You are responsible for including appropriate disclosures about this data processing in your own privacy policy presented to your students.

9.7 Dispatch and Field Service

• Customer names and contact details associated with service jobs
• Job details, status history, and technician assignments
• Scheduling and appointment data

10. How We Use Your Information

We process your personal data to:

• Provide, operate, and improve the Platform and its features
• Process payments and manage your subscription
• Send service notifications, billing alerts, and product updates
• Provide customer support and respond to enquiries
• Power the AI agent features on your account
• Detect, investigate, and prevent fraud, abuse, and security incidents
• Comply with our legal obligations
• Enforce our Terms of Service

10.1 Lawful Basis for Processing (GDPR and Israeli Privacy Law)

We rely on the following lawful bases under the GDPR where applicable, and the Israeli Privacy Protection Law 5741-1981:

• Contract performance — processing necessary to deliver the Platform services you subscribed to
• Legitimate interests — platform security, fraud prevention, service improvement
• Legal obligation — retaining billing records as required by law
• Consent — where you have opted in to marketing communications or connected a third-party integration

11. Sub-processors and Data Sharing

We do not sell your personal data. We share it only with trusted sub-processors required to operate the Platform, and only to the extent necessary:

We also share data when required by law, court order, or governmental authority, and in connection with a merger, acquisition, or sale of assets (in which case we will notify you).

12. Data Retention

• Account data — retained for the duration of your subscription and for 30 days after cancellation (to allow data export), then deleted.
• Billing records — retained for 7 years as required by Israeli law.
• Meta Platform Data — deleted within 30 days of disconnecting the integration, except where legally required.
• WhatsApp message history — retained while your account is active; deleted within 30 days of account closure unless you request an export.
• AI conversation logs — retained to maintain context and improve responses; deletable on request via [email protected].
• Customer data processed on your behalf — retained in accordance with your instructions or until account closure, whichever comes first.

13. Security

We implement industry-standard technical and organisational measures to protect personal data, including:

• Encrypted connections (HTTPS/TLS) for all data in transit
• Encrypted storage for sensitive credentials and access tokens
• Access controls limiting data access to authorised personnel
• Regular automated database backups
• Monitoring for unusual activity and security incidents

No method of transmission over the internet is 100% secure. If we become aware of a data breach affecting your personal data, we will notify you as required by applicable law.

14. Your Rights

Depending on your jurisdiction, you have the right to:

• Access the personal information we hold about you
• Correct or update inaccurate information
• Request deletion of your information
• Object to or restrict certain processing
• Withdraw consent at any time, where consent is the basis
• Receive your information in a portable, machine-readable format
• Lodge a complaint with a supervisory authority — in Israel, the Privacy Protection Authority (gov.il); in the EU, your local data protection authority; in the UK, the ICO

To exercise any of these rights, email [email protected]. We will respond within 30 days (or sooner where required by law).

15. International Data Transfers

We are based in Israel. Israel has been recognised by the European Commission as providing an adequate level of data protection under GDPR Article 45.

Some of our sub-processors are located in the United States and other jurisdictions. Where required, we rely on the European Commission’s Standard Contractual Clauses or equivalent transfer mechanisms. A list of sub-processors and their locations is in Section 11.

16. Children’s Privacy

The Platform is intended for business use by adults. We do not knowingly collect personal data from anyone under 18 years of age. If we become aware that we have inadvertently collected such data, we will delete it promptly.

17. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you by email or by a prominent notice on the Platform at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

18. Contact Us

For privacy-related questions, data requests, or complaints:

• The Upgrade Shop
• ח.פ. 300330123
• Har Hatzofim 11, Holon, Israel
• Privacy enquiries: [email protected]
• General contact: [email protected]