Privacy policy
TEMPLATE — subject to legal review before production use. This policy covers catail.xyz (marketing site) and the Catail AI storefront analytics product used by Shopify merchants.
Who we are and our roles
Catail AI provides storefront analytics and design-token tooling for Shopify merchants. For marketing site visitors, Catail is the data controller. For storefront visitor analytics, the merchant is the controller and Catail acts as a processor on the merchant's instructions. For merchant console users (ai.catail.xyz), Catail is the controller for account data.
What we collect — marketing site
On catail.xyz we may collect standard web server logs, page views, referral source, and information you submit via forms or email (name, email address, message content).
What we collect — storefront analytics
On merchant storefronts, Catail collects page URLs, navigation paths, device and browser class, viewport size, locale, truncated IP address (IPv4 /24 or IPv6 /48), and an opaque per-tab session key stored in sessionStorage. We do not set HTTP analytics cookies and we do not assign a persistent cross-session visitor ID in audience-only mode.
Analytics tiers
Audience-only analytics (Tier 1) collect aggregated navigation and session metrics without behavioral signals such as pointer streams or session replay. Behavior-capable analytics (Tier 2) collect pointer metrics, scroll depth, hesitation signals, and session replay data only after the shopper has granted explicit consent via the storefront consent popup or equivalent CMP. Merchants choose which tier is active for their store.
Storage technology
Catail does not set HTTP cookies for analytics. Session identifiers use browser sessionStorage (per-tab, cleared when the tab closes). Shoppers may opt out permanently via the localStorage killswitch key adaptive_analytics_do_not_study, which stops all Catail tracking for that browser.
Legal bases
Marketing site data: legitimate interests and consent where required (e.g., contact forms). Storefront Tier 1: legitimate interests or applicable statutory audience-measurement exemptions where permitted (e.g., CNIL audience exemption in France). Storefront Tier 2: explicit consent. US visitors with Global Privacy Control (GPC) enabled are treated as opted out of behavioral analytics.
Retention and location
Event-level analytics data is retained for 24 months. Consent log records are retained for 25 months. Page layout snapshots are retained for 24 months. Data is stored in EU-hosted infrastructure (Supabase EU region). Automated retention pruning runs monthly.
Sub-processors
We use Supabase (EU-hosted PostgreSQL database) and Vercel (application hosting and CDN) to operate the service. Both are bound by data processing agreements with appropriate transfer safeguards where applicable.
Your rights
Depending on your jurisdiction, you may have rights to access, rectify, erase, restrict, object to, or port your personal data, and to lodge a complaint with a supervisory authority. Storefront visitors should contact the merchant (controller) first. Catail assists merchants with erasure requests via the merchant console DSAR purge tool.
Contact and DSAR
Privacy and data subject requests: privacy@catail.xyz (preferred for DSAR) or hello@catail.xyz. We aim to acknowledge requests within 72 hours and respond within 30 days. For storefront visitor data, include the merchant store URL so we can route your request to the correct controller.
Last updated: 2026-06-22