Privacy Policy

Last updated: May 2026  ·  Effective immediately upon account creation

The short version: We collect only what we need to provide the Service. We do not sell your data. Your product page content is processed by AI to generate analysis results and is not used to train AI models. You can request deletion of your data at any time.

1. Who We Are

humarains is an AI-powered product page conversion optimisation platform operated by Ekambaram Saraswathi as a private individual ("we", "us", or "our"). As an individual operator, I am the data controller responsible for your personal data under applicable data protection law, including Singapore's Personal Data Protection Act (PDPA), the EU General Data Protection Regulation (GDPR), and other applicable jurisdictional laws.

Location: Singapore
Operating as: Sole proprietor (not a registered company)
Email: hello@humarains.com

For privacy enquiries or to exercise your data rights, contact me at hello@humarains.com.

2. Information We Collect

Account information: When you register, we collect your name, email address, and (if using email/password login) a bcrypt-hashed version of your password. We never store your password in plain text.

Google OAuth: If you sign in with Google, we receive your Google profile ID, name, email, and profile photo URL from Google. We do not access your Gmail, contacts, or other Google data.

Product page content: URLs and manual product page text (title, description, price, CTA) that you submit for analysis. This content is sent to our AI API to generate your analysis.

Analysis results: Scores, recommendations, and copy rewrites generated for your submissions are stored in our database so you can access them later.

Billing information: Payment is processed by Stripe. We store only your Stripe customer ID and subscription status. We never see or store your full card number.

Shopify data (Max plan): If you connect Shopify, we store your shop domain and access token to enable product reads and writes on your behalf.

Usage data: Number of analyses run, plan type, and timestamps. We do not use third-party analytics trackers.

Server logs: Standard HTTP request logs (IP address, URL, status code, timestamp) retained for up to 30 days for security and debugging purposes.

3. How We Use Your Information & Lawful Basis (GDPR Art. 6)

We process your personal data only where we have a valid lawful basis to do so. The table below identifies the basis for each processing activity:

Processing Activity | Lawful Basis
Account creation & authentication | Performance of a contract (Art. 6(1)(b))
Processing product page content for AI analysis | Performance of a contract (Art. 6(1)(b))
Billing & subscription management via Stripe | Performance of a contract (Art. 6(1)(b))
Sending transactional emails (billing receipts, account notices) | Performance of a contract (Art. 6(1)(b))
Server logs & security monitoring | Legitimate interests (Art. 6(1)(f)) — to protect the security and integrity of our systems
Fraud prevention & abuse detection | Legitimate interests (Art. 6(1)(f)) — to protect users and the Service
Essential cookies (authentication, CSRF protection) | Legitimate interests (Art. 6(1)(f)) — strictly necessary for the Service to function
Optional/functional cookies | Consent (Art. 6(1)(a))
Compliance with legal obligations (e.g. financial record-keeping) | Legal obligation (Art. 6(1)(c))

We do not use your data to train AI models. Product page content you submit is processed in real time by the Anthropic API and is subject to Anthropic's Privacy Policy.

4. Data Sharing & Sub-processors

We do not sell, rent, or share your personal data with third parties for their marketing purposes. We share data only with the following sub-processors, each bound by a Data Processing Agreement (DPA) under GDPR Article 28:

  • Anthropic: Product page content you submit is sent to our AI API for analysis. Anthropic does not use API inputs to train their models per their usage policies. DPA: Anthropic Privacy Policy.
  • Stripe: Your email and subscription status are shared with Stripe to process payments. DPA: Stripe Privacy Policy.
  • Supabase: Our database provider. Your data is stored in a Supabase-managed PostgreSQL instance with encryption at rest and in transit. DPA: Supabase Privacy Policy.
  • Render: Our hosting provider. Your application data is processed on Render's servers. DPA: Render Privacy Policy.
  • Law enforcement: If required by applicable law, court order, or to protect the rights and safety of users.

A full list of sub-processors is available on request by emailing hello@humarains.com.

5. Data Retention

We retain your account data and analyses for as long as your account is active. If you delete your account, your data is removed from our primary database within 30 days. Backups may retain data for up to 90 days before expiry.

Server logs are retained for up to 30 days. Billing records may be retained for up to 7 years to comply with financial record-keeping obligations.

6. Cookies & Session Storage

We use the following first-party cookies only. All fonts are self-hosted — we do not load resources from Google Fonts CDN or any third-party CDN that may set cookies.

  • bp_token (httpOnly, secure): Your JWT authentication token. Required for login. Expires after 24 hours. Lawful basis: legitimate interests (strictly necessary).
  • bp_csrf (non-httpOnly): A CSRF protection token read by our frontend to verify form submissions. Expires after 24 hours. Lawful basis: legitimate interests (strictly necessary).
  • connect.sid: A session cookie used for Google OAuth flow. Expires when the browser closes or after 24 hours. Lawful basis: legitimate interests (strictly necessary).
  • humarains_cookie_consent: Records your cookie consent choice. Expires after 365 days.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

Where we rely on your consent for optional cookies, you may withdraw consent at any time by clicking the cookie preferences link in the page footer or emailing hello@humarains.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

7. Security

We take security seriously:

  • Passwords are hashed with bcrypt (12 rounds) — never stored in plain text
  • All connections are encrypted via TLS/HTTPS
  • Database connections use SSL
  • Authentication tokens are stored in httpOnly cookies to prevent XSS theft
  • CSRF protection on all state-changing API requests
  • Rate limiting on authentication and analysis endpoints

No security measure is perfect. If you discover a security vulnerability, please report it to hello@humarains.com.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you
  • Correction: Update incorrect or incomplete data via your account settings
  • Deletion: Request deletion of your account and associated data
  • Portability: Request an export of your analyses in JSON format
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request that we restrict processing of your data in certain circumstances
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
  • Lodge a complaint: You have the right to lodge a complaint with your local data protection authority at any time. EU residents can find their national authority at edpb.europa.eu. UK residents can contact the Information Commissioner's Office at ico.org.uk.

To exercise any of these rights, email hello@humarains.com. We will respond within 30 days (or within one month, as required by GDPR).

9. Data Localization & International Transfers

Primary data location: Your personal data is processed and stored in the United States via our sub-processors (Supabase — PostgreSQL hosted on US servers, Render — US-based infrastructure, Anthropic — US API processing).

Singapore residents: Under Singapore's PDPA, transfers of personal data to foreign countries are permitted provided appropriate safeguards are in place. I have ensured all sub-processors maintain security standards equivalent to Singapore's PDPA requirements.

EU/EEA and UK residents: Your data may be transferred to and processed in the United States. These transfers are made in compliance with applicable law using the following safeguards:

  • EU Standard Contractual Clauses (SCCs): Transfers to Supabase, Anthropic, and Render are covered by the EU Standard Contractual Clauses (Commission Decision 2021/914/EU). I have executed or rely on applicable SCCs with each sub-processor.
  • Stripe: Stripe is certified under applicable data transfer frameworks and publishes its own transfer mechanisms at stripe.com/privacy.

You may request a copy of the applicable transfer safeguards or SCCs by emailing hello@humarains.com.

10. Children's Privacy

The Service is not directed at children under 13 (or 16 in certain jurisdictions). We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice in the dashboard. Continued use of the Service after notice constitutes acceptance of the updated policy.

12. Singapore Personal Data Protection Act (PDPA) Compliance

For users in Singapore or those whose data is processed in Singapore, humarains complies with the Personal Data Protection Act (PDPA). Under PDPA, you have the following rights:

  • Access: You may request access to the personal data held about you
  • Correction: You may request correction of inaccurate personal data
  • Withdrawal of Consent: You may withdraw consent for processing (though this may limit your ability to use the Service)
  • Protection from Marketing: You may opt out of marketing communications

Personal data is collected, used, and disclosed in accordance with PDPA's requirements for legitimate purposes (contract performance, legal obligations, and legitimate interests). Your data will not be disclosed to third parties except where necessary to provide the Service or as required by law.

To exercise your PDPA rights, contact hello@humarains.com with "PDPA Request" in the subject line. I will respond within 30 days.

13. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: humarains does not sell or share personal information with third parties for cross-context behavioural advertising. No opt-out action is required, but you may confirm this by emailing us.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

Categories of personal information collected: Identifiers (name, email, IP address); commercial information (subscription plan, billing history); internet or other electronic network activity (usage data, analyses run); inferences drawn from usage data.

To exercise your California rights, submit a verifiable consumer request to hello@humarains.com. We will respond within 45 days. You may also designate an authorised agent to make a request on your behalf.

14. Shopify Integration — Data Scope Disclosure (Max Plan)

If you connect your Shopify store on the Max plan, we request access using Shopify OAuth with the following permission scopes:

  • read_products: To read your product titles, descriptions, prices, images, and metadata for analysis.
  • write_products: To push AI-generated copy rewrites back to your Shopify product listings at your explicit request.

We store only your Shopify shop domain and OAuth access token, encrypted at rest. We do not access orders, customers, payments, or any data beyond the scopes listed above. You may revoke our access at any time from your Shopify Admin under Apps > Manage private apps, or from your humarains dashboard under Settings > Integrations. Upon disconnection, your access token is deleted from our database within 24 hours.

15. Sole Proprietor Liability & Personal Responsibility

humarains is operated by an individual sole proprietor, not a registered company or corporate entity. As the operator, I assume full personal liability for compliance with all applicable laws, including data protection, consumer protection, tax, and regulatory requirements in all jurisdictions where the Service is offered.

In the event of breach or liability, claimants should direct claims to the operator at hello@humarains.com. There is no separate corporate shield or limited liability company structure.

Users acknowledge this structure and agree that the Service is provided on an individual basis by a sole proprietor in Singapore.

16. Contact

For privacy questions, data requests, or to report a concern, contact us at hello@humarains.com. For formal data protection requests, please include "Data Protection Request" in the subject line.