Privacy Policy — retailadvantage.ai
Last updated: 13 May 2026 Effective date: 13 May 2026
1. Who we are (Controller)
This Privacy Policy describes how Orange IT Services SA ("Orange IT", "we", "us", "our") processes personal data when you use the SaaS platform available at https://www.retailadvantage.ai (the "Platform" or "Service").
| Field | Value |
|---|---|
| Legal entity | Orange IT Services SA |
| Registered office | Corso San Gottardo 34, 6830 Chiasso, Switzerland |
| Swiss UID | CHE-274.020.172 |
| Contact | support@retailadvantage.ai |
| Data protection contact | support@retailadvantage.ai |
For users in the EU/EEA, Orange IT acts as the controller for personal data processed about its account-holders, website visitors, and usage of the Platform. Where Orange IT processes personal data on behalf of a Customer (e.g., contacts contained in the Customer's Google Ads, Meta Ads, Shopify, Google Analytics or TikTok Ads accounts), Orange IT acts as a processor under Art. 28 GDPR and Art. 9 FADP, and a separate Data Processing Addendum (DPA) governs that processing.
2. Scope
This Policy applies to:
- The marketing website at
retailadvantage.ai; - The authenticated Platform (web app and APIs);
- Sales, support, and billing communications with prospects and Customers.
It does not apply to third-party websites or services we integrate with (Google, Meta, Shopify, TikTok, etc.) — their own privacy policies apply when you authenticate with them.
3. What personal data we process
We process the following categories of personal data:
3.1 Account & identification data
- Name, business email, password hash, company, role/title.
- Billing address, VAT number, payment method tokens (we do not store full card numbers).
Example: when Anna from "Acme Shoes Srl" signs up, we store anna@acmeshoes.it, "Anna Rossi", "Head of Performance", "Acme Shoes Srl", VAT IT12345678901.
3.2 Connected-platform data (via OAuth / API tokens)
When you connect your advertising or e-commerce account, we receive and process data from:
- Google Ads — campaign structure, ad creatives, keywords, bidding, conversion and performance metrics.
- Meta Ads (Facebook/Instagram) — campaigns, ad sets, ads, audience identifiers (where applicable), performance metrics.
- TikTok Ads — campaign and performance metrics.
- Shopify — product catalogue, orders, SKU-level sales, customer counts (aggregated where possible).
- Google Analytics — traffic, conversions, session metrics.
This data may incidentally contain personal data of end-customers of the Customer (e.g., aggregated audience cohorts, conversion events tied to hashed identifiers). For such data, Orange IT acts as processor.
Example: if you connect Shopify, we read the last 24 months of orders to detect bestsellers and seasonality — order records may contain pseudonymous customer IDs or emails, which we treat as personal data of the Customer's end-customers.
3.3 Usage and technical data
- IP address, user-agent, device and browser characteristics, log timestamps, pages viewed, features used, credits consumed, errors.
3.4 Communications data
- Support tickets, emails sent to
support@retailadvantage.ai, in-app chat messages.
3.5 Cookies and similar technologies
See Section 11 below.
4. Purposes and legal bases
| # | Purpose | Categories used | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| a | Provide the Service (accounts, dashboards, AI-generated feeds and campaign optimizations) | 3.1, 3.2, 3.3 | Contract (Art. 6(1)(b)) |
| b | Billing, credit-tracking, anti-fraud | 3.1, 3.3 | Contract; legal obligation (Art. 6(1)(b),(c)) |
| c | Customer support | 3.1, 3.4 | Contract |
| d | Service security, abuse prevention, audit logs | 3.3 | Legitimate interest (Art. 6(1)(f)) |
| e | Service improvement, aggregated analytics, model performance monitoring | 3.3 (aggregated/pseudonymous) | Legitimate interest |
| f | Marketing emails to existing Customers about similar features | 3.1 | Legitimate interest (with opt-out) |
| g | Marketing emails to prospects who opted in | 3.1 | Consent (Art. 6(1)(a)) |
| h | Compliance with legal obligations (tax, accounting — 10 years per Swiss CO Art. 958f) | 3.1 | Legal obligation |
We do not use Customer Connected-Platform Data (3.2) to train general-purpose AI models. AI processing is performed per-Customer for the Customer's own optimization.
5. AI processing — what to know
The Platform uses third-party large-language and machine-learning models (see Section 8) to:
- Analyse Connected-Platform Data;
- Generate optimized product feeds, audience suggestions, bid adjustments, ad copy and campaign recommendations.
Key points:
- Inputs to the AI providers are scoped to the data necessary for the task and are sent without account credentials.
- We have agreements with our AI subprocessors prohibiting them from using Customer data to train their foundational models. Where a provider's standard terms do not give this protection, the integration is configured to disable training (e.g., zero-data-retention or no-training settings).
- AI outputs are suggestions, not deterministic guarantees. The Customer is responsible for reviewing and approving any changes before they are applied to its ad accounts.
- Aggregated, irreversibly de-identified usage statistics may be used to improve the Service. Google user data is never used for this purpose (see Section 7.1).
6. Where we store and process data
Primary hosting:
- Switzerland — application and database infrastructure on NetCup (Swiss region).
- European Union — backup and large-scale compute on AWS (Frankfurt, eu-central-1).
Sub-processors providing AI capabilities (OpenAI, Anthropic) process limited prompt data in the United States.
7. Third-party platform policies and "Limited Use" commitments
Because the Platform integrates with major advertising and e-commerce APIs, we make the following commitments on top of GDPR/FADP obligations:
7.1 Google user data — Google API Services User Data Policy
Where the Customer connects a Google service (Google Ads, Google Analytics, or any other Google API), our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We access Google user data only with the Customer's explicit OAuth consent and only to the scopes required for the Platform's documented features (campaign analysis, AI-generated optimizations, performance reporting).
- We do not sell Google user data.
- We do not transfer Google user data except to sub-processors (Section 8) that are strictly necessary to provide or improve user-facing features, and only after due diligence and contractual protections.
- We do not use Google user data for advertising, retargeting, or to train, fine-tune, or evaluate generalized or third-party AI/ML models.
- Humans access Google user data only (a) with the Customer's explicit consent for a specific support case, (b) for security investigations, (c) when required by law, or (d) on data that has been irreversibly aggregated and anonymised for performance monitoring.
- The Customer (or any Authorised User) may revoke our access at any time via the Google Account permissions page; on revocation, the associated Google user data is deleted from our active systems within 30 days, except where retention is required by law.
7.2 Meta platform data
For data obtained via the Meta (Facebook/Instagram) Marketing API, we comply with the Meta Platform Terms and Developer Policies. We do not use Meta data to build profiles unrelated to the Customer's own advertising, do not transfer Meta data outside the Service, and respect Meta's retention and deletion requirements.
7.3 TikTok platform data
For data obtained via the TikTok Marketing API, we comply with the TikTok for Business Commercial Terms of Service and Developer Terms. We use the data only for the Customer's campaign analysis and optimization purposes.
7.4 Shopify data
For data obtained via Shopify, we comply with the Shopify Partner Program Agreement and the Shopify API Terms of Use. We process order, product, and customer-cohort data solely to provide the Service to the Customer.
8. Sub-processors
We engage the following sub-processors. An up-to-date list is available on request from support@retailadvantage.ai.
| Sub-processor | Role | Location |
|---|---|---|
| Amazon Web Services EMEA SARL (AWS) | Cloud infrastructure, storage, compute | EU (Frankfurt) |
| NetCup GmbH | Cloud infrastructure | Germany |
| OpenAI, L.L.C. | Large-language-model inference for AI outputs | USA |
| Anthropic, PBC | Large-language-model inference for AI outputs | USA |
We notify Customers of new or replacement sub-processors at least 30 days before they are engaged (via email or in-app notice), giving Customers the opportunity to object.
9. International transfers
Where personal data is transferred outside Switzerland or the EU/EEA — in particular to the United States for AI inference — we rely on:
- EU Standard Contractual Clauses (SCCs) Module 2 or 3 as applicable, supplemented for Switzerland by the Swiss FDPIC recognition of the SCCs;
- The EU-US Data Privacy Framework and Swiss-US Data Privacy Framework where the recipient is self-certified;
- Supplementary technical and organisational measures (encryption in transit and at rest, access controls, minimisation).
You may request a copy of the relevant transfer mechanism by writing to support@retailadvantage.ai.
10. Retention
| Data | Retention period |
|---|---|
| Account data | For the duration of the subscription + 90 days after termination |
| Connected-Platform Data (3.2) | While the integration is active + 30 days after disconnection or account closure |
| Billing and tax records | 10 years (Swiss Code of Obligations Art. 958f) |
| Support communications | 24 months after case closure |
| Server and security logs | 12 months |
| Cookies | Per Section 11 below |
After the relevant period, data is deleted or irreversibly anonymised, except where retention is required by law.
11. Cookies and similar technologies
We use:
- Strictly necessary cookies — for authentication, session security, and load-balancing. No consent required.
- Functional cookies — for remembering UI preferences (language, dashboard layout).
- Analytics cookies — to understand usage patterns via a privacy-friendly web-analytics tool. The current list of analytics providers is disclosed in the cookie banner.
- Marketing cookies — on the public website, to measure campaign performance. Only set after consent.
You can manage your preferences at any time via the cookie banner on the website or your browser settings. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
12. Your rights and how to exercise them
Depending on where you live, you have the following rights regarding your personal data:
Under the Swiss FADP and EU/UK GDPR
- Access — obtain confirmation that we process your data and a copy of it.
- Rectification — have inaccurate data corrected.
- Erasure ("right to be forgotten") — have your data deleted where conditions are met.
- Restriction — limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests or direct marketing.
- Withdraw consent — at any time, without affecting prior lawful processing.
- Complaint to a supervisory authority — Swiss FDPIC (https://www.edoeb.admin.ch), or your local EU/UK data-protection authority.
Under California CCPA/CPRA (residents of California)
- Right to know, delete, correct, opt out of "sale"/"sharing" of personal information, limit use of sensitive personal information, and non-discrimination.
- We do not "sell" personal information for money. We do not knowingly process the personal information of minors under 16.
- To exercise rights, email
support@retailadvantage.ai.
How to exercise your rights
Email support@retailadvantage.ai with subject line "Privacy request — [right]" (e.g., "Privacy request — Erasure"). We will respond within 30 days (extendable by 60 days for complex requests) and may need to verify your identity.
If you are an end-customer of one of our Customers (e.g., you bought from a Shopify store using our Platform), please contact that Customer directly — they are the controller of your data. We will assist them as their processor.
Data deletion — shortcut
To request deletion of all your personal data held by Orange IT as controller, email support@retailadvantage.ai with subject line "Request Data Deletion". We will delete data from active systems within 30 days, except for records we are legally required to retain (e.g., tax invoices). If you connected a Google account and then revoke our OAuth access via your Google Account Permissions, the associated Google user data is removed from active systems automatically.
13. Security
We implement appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256);
- Role-based access control and least-privilege for staff;
- Multi-factor authentication for admin access;
- Regular backups, with backups encrypted and stored separately;
- Logging and monitoring of access to production systems;
- Vendor risk assessments and contractual data-protection clauses (DPAs/SCCs) with all sub-processors;
- Annual review of security policies and incident-response plan.
No system is perfectly secure. We will notify the FDPIC, competent EU supervisory authorities, and/or affected individuals of personal-data breaches in line with applicable law (e.g., 72 hours for GDPR breach notifications where required).
14. Children
The Platform is a B2B service intended for businesses and their authorised users. It is not directed to individuals under 16, and we do not knowingly collect their personal data. If you believe a minor has provided us with personal data, please contact support@retailadvantage.ai and we will delete it.
15. Automated decision-making
The Platform makes algorithmic recommendations (e.g., bid adjustments, audience suggestions, feed enrichments). These recommendations are suggestions only and require Customer review/approval before they are applied. The Platform does not make decisions producing legal or similarly significant effects on individuals solely by automated means within the meaning of Art. 22 GDPR / Art. 21 FADP.
16. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent version. Material changes will be notified by email to Customer admins and/or by an in-app notice at least 30 days before they take effect.
17. Contact
Questions, requests, or complaints:
Orange IT Services SA Corso San Gottardo 34 6830 Chiasso, Switzerland UID: CHE-274.020.172 Email: support@retailadvantage.ai
Swiss supervisory authority: Federal Data Protection and Information Commissioner (FDPIC) — https://www.edoeb.admin.ch