This policy describes how AllHub collects, uses, stores and protects your personal data, and the rights you have under applicable law.
Last updated: April 19, 2026 · Effective from: April 19, 2026 · Next review: July 2026
Who is responsible for your data
The data controller responsible for your personal data is:
AllHub
Operating at allhub.io
Data Protection contact: privacy@allhub.io
Supervisory authority: Agencia Española de Protección de Datos (AEPD) — aepd.es
AllHub operates as a B2B SaaS platform. For data processed on behalf of store owners (e.g., buyer conversations within their store), AllHub acts as a Data Processor under the Data Processing Agreement (DPA) concluded with each store owner, who is the Controller for that processing.
Categories, sources and legal basis
We collect only the minimum data necessary to provide the service (data minimisation — GDPR Art. 5(1)(c)). The table below summarises each category.
Early-access & Waitlist Data
Data subjects: Prospective store owners who sign up for early access
Examples: Full name, work email address, e-commerce platform, store size, referral code, signup source
Legal basis: Consent (Art. 6(1)(a)) — you tick the checkbox on the form
Retention: 24 months from signup, or until you request deletion
Account & Identity Data
Data subjects: Store owners / team members
Examples: Full name, email address, password hash (via Clerk), profile settings
Legal basis: Contract (Art. 6(1)(b))
Retention: Duration of account + 30 days after deletion
Store Configuration Data
Data subjects: Store owners
Examples: Store name, Shopify/WooCommerce/PrestaShop credentials (encrypted), flows, knowledge base
Legal basis: Contract (Art. 6(1)(b))
Retention: 12 months after account closure
Buyer Interaction Data
Data subjects: End-user shoppers (pseudonymised)
Examples: Chat messages, AI responses, buyer state (BROWSING / CART_REVIEW…), layer timings
Legal basis: Legitimate interest (Art. 6(1)(f)) — improving AI accuracy
Retention: 6 months — automatic Firestore TTL policy
Session Identifiers
Data subjects: End-user shoppers
Examples: SHA-256 hash of session ID — the raw session ID is never stored
Legal basis: Legitimate interest (Art. 6(1)(f)) — security and fraud prevention
Retention: 6 months (tied to conversation log TTL)
Usage & Analytics Data
Data subjects: Store owners (aggregated)
Examples: Conversation count, funnel events, catalog gap signals, conversion attribution
Legal basis: Legitimate interest (Art. 6(1)(f)) — platform improvement
Retention: 12 months
Voice Consent Data
Data subjects: Shoppers who opt in to AI voice
Examples: Voice consent status, consent token, revocation timestamp
Legal basis: Consent (Art. 6(1)(a))
Retention: 90 days from grant or until revoked
Billing & Financial Data
Data subjects: Store owners
Examples: Invoice amounts, subscription plan, last-4 card digits (Stripe)
Legal basis: Contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c))
Retention: 7 years — Spanish commercial law (Art. 30 C.Com.)
Technical & Security Logs
Data subjects: All users
Examples: API request logs, error traces, DLP block events
Legal basis: Legitimate interest (Art. 6(1)(f)) — security
Retention: 90 days
GDPR Art. 25 — Privacy by Design
All messages submitted through the AI chat widget pass through our Layer 0 Data Loss Prevention (DLP) scanner before reaching any AI model. The DLP system detects and blocks the following categories of personal data in real time:
Technical safeguard: Session identifiers are hashed with SHA-256 before any database write. The raw session ID never enters Firestore. This constitutes pseudonymisation under GDPR Recital 26.
Purposes of processing
Service delivery
Authenticate users, process subscriptions, operate the Cortex AI pipeline, and respond to buyer queries.
Basis: Contract
AI model operation
Route buyer messages through our L0→L3 pipeline (DLP → intent matching → knowledge retrieval → LLM response generation).
Basis: Contract / Legitimate interest
Platform improvement
Analyse aggregated conversation quality, catalog gaps, and funnel signals to improve AI accuracy. No individual profiling.
Basis: Legitimate interest
Security and fraud prevention
Monitor for abuse, rate-limit API calls, detect anomalous patterns, maintain audit trails.
Basis: Legitimate interest
Billing and compliance
Issue invoices, process payments via Stripe, comply with Spanish commercial and tax law.
Basis: Contract / Legal obligation
Communication
Send transactional emails (account events, invoices). Marketing emails only with your explicit consent.
Basis: Contract / Consent
EU AI Act compliance
Maintain decision traces and audit logs for AI traceability and human oversight as required by Regulation (EU) 2024/1689.
Basis: Legal obligation
Who we share data with
We work with the following sub-processors. We have Data Processing Agreements (DPAs) in place with all of them. Where data is transferred outside the EEA, we rely on European Commission Standard Contractual Clauses (SCCs).
Cookieless, privacy-first web analytics (no cookies, no personal data)
User authentication and identity management
Database, storage and real-time infrastructure
Large language model inference for conversational AI
Payment processing and subscription billing
Transactional email delivery
Cookie consent management platform
AI-powered web search enrichment (optional)
EU-first infrastructure: All primary data storage runs on Google Firebase europe-west1 (Frankfurt) and eur3 (Frankfurt + Warsaw). No personal data is stored outside the European Economic Area by default.
We do not sell, rent or trade personal data to third parties. We do not use personal data for advertising profiling.
Detailed information at /legal/cookies
We use cookies and similar technologies for authentication, security, analytics and consent management. We use CookieFirst as our Consent Management Platform (CMP) — you can manage or withdraw your cookie preferences at any time.
EU AI Act Regulation (EU) 2024/1689
AllHub operates four AI systems as described in our AI Transparency page. The following AI-specific data processing applies:
Decision Traces
Every AI pipeline execution is logged with the reasoning path (layers invoked, intent confidence, DLP outcome) for Art. 14 human oversight. Logs are pseudonymised and deleted after 6 months.
No High-Risk AI Systems
None of our AI systems are classified as High Risk under Annex III of the EU AI Act. We do not use AI for biometric identification, credit scoring, employment, education or law enforcement.
Human Escalation
The Cortex Sales Agent and Demand Simulator include human escalation paths. No decision with significant legal effect is made solely by automated means without human oversight.
No Individual Profiling
Buyer conversation analysis is performed on aggregated, pseudonymised session data. We do not build profiles of individual end users.
GDPR Chapter III · LOPD-GDD Arts. 15–22
Under GDPR and Spain's Organic Law 3/2018 (LOPD-GDD), you have the following rights regarding your personal data. You may exercise them by contacting privacy@allhub.io.
Right of Access
Obtain a copy of your personal data and information about how it is processed.
Right to Rectification
Request correction of inaccurate or incomplete personal data without undue delay.
Right to Erasure
Request deletion of your data ("right to be forgotten") where no legal basis for continued retention exists.
Right to Restriction
Request that we limit the processing of your data in certain circumstances.
Right to Data Portability
Receive your personal data in a structured, machine-readable format and transmit it to another controller.
Right to Object
Object to processing based on legitimate interest at any time on grounds relating to your particular situation.
Right re: Automated Decisions
Not be subject to decisions based solely on automated processing with significant legal effects.
Response timeline
We will respond to your request within 30 calendar days (GDPR Art. 12(3)). In complex cases, we may extend this by up to 60 additional days, notifying you within the first 30 days. Requests are free of charge.
If you believe your rights have been violated, you may lodge a complaint with the AEPD at aepd.es (Art. 77 LOPD-GDD) without prejudice to other judicial remedies.
GDPR Art. 5(1)(e) — Storage Limitation
We keep personal data only as long as necessary for the purpose for which it was collected, and no longer than required by applicable law. Specific retention periods are listed in Section 2.
When a store owner requests account deletion, we permanently erase all associated personal data within 30 days, except financial records required for Spanish commercial and tax law obligations (7 years, Art. 30 Código de Comercio). For those records, we nullify any personal identifiers (sessionIdHash → null) while retaining the financial data skeleton.
GDPR Art. 32 — Security of processing
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures include:
LOPD-GDD Art. 7 · GDPR Art. 8
AllHub's platform services (dashboard, API access) are intended for adults. We do not knowingly collect personal data from individuals under 16 years of age. The AI chat widget embedded in stores may be accessed by minors as general members of the public, but it collects only pseudonymised interaction data subject to the DLP protections described above. Store owners are responsible for complying with age verification requirements applicable to their stores.
We may update this Privacy Policy to reflect changes in our practices, technology or applicable law. We will notify registered store owners of material changes by email at least 14 days before they take effect. The “Last updated” date at the top of this page indicates when it was last revised. We encourage you to review this policy periodically.
Contact us
Questions about this policy or your personal data? privacy@allhub.io
Regulatory basis: Regulation (EU) 2016/679 (GDPR) · Organic Law 3/2018 of December 5 (LOPD-GDD) · Regulation (EU) 2024/1689 (EU AI Act) · Directive 2002/58/EC (ePrivacy) · Ley 34/2002 de Servicios de la Sociedad de la Información (LSSI-CE).
AllHub infrastructure: Google Cloud europe-west1 (Frankfurt) + eur3 (Frankfurt / Warsaw). No personal data stored outside the EEA.