Hi. Here is what we do with your data, in plain English.
Version 1.0 · Effective April 2026
We read your product listings from your selling platform so AI shopping agents can recommend them. We store your email address and the secure connection to your shop. We never see your buyers, their payment details, or their order information. You can delete everything by replying to any email from us and asking.
If you want the detail, this notice covers what we collect, why we collect it, how long we keep it, who we share it with, where it is stored, how we keep it safe, and the rights you have over your data. It also explains how this works if you live in the UK, EU, US, Canada, Australia, or somewhere else.
TokoSales Limited is the data controller for the information described in this notice. TokoSales is a company incorporated in England and Wales (company number 17158783) and registered with the UK Information Commissioner's Office (registration reference ZC136493). Our registered office is Blaisdon Court, Blaisdon, Longhope, GL17 0AG. Our website is tokosales.ai and our service connects your product catalogue to AI shopping agents such as ChatGPT, Google Gemini, Microsoft Copilot, and Perplexity.
A data controller is the company that decides what data gets collected and why. For everything in this notice, that company is us.
If you want to ask us anything about your data, email [email protected].
Our Data Protection Officer is Mr Nigel Hysom. You can contact the DPO at [email protected]. The DPO is your primary point of contact for any question about how we handle your personal data.
The DPO is responsible for advising us on data protection law, monitoring our compliance, handling your rights requests, and being your point of contact for any concern about how we use your personal data. You can also reach the DPO by post at our registered office above, marked for the attention of "The Data Protection Officer."
We collect five kinds of data. Each kind has a different purpose and a different legal basis. Here is the full list.
| What it is | Why we have it | Legal basis |
|---|---|---|
| Your product catalogue | Titles, descriptions, prices, images, variants, categories, tags, and shipping settings. We read this from your selling platform so AI agents can recommend your products. | Not personal data. This is commercial information about products, not people. |
| Your account | Your email address, your store name and URL, the country and city your shop is in (where supplied), your signup date, your subscription status, and any credential we hold to read your store data (a hashed plugin API token for WooCommerce, an Admin API token for Shopify if you chose that path, or none at all for the public-feed and CSV upload paths). | Contract performance. We need this to run the service you signed up for. |
| Your seller profile | A short description of what your shop sells, the product categories we detect, and your agent-readiness score. We generate this from your catalogue using AI so AI agents can match your shop to the right buyers. | Legitimate interest for the first 12 months. PECR soft opt-in for existing paying subscribers. You can object at any time. |
| Agent traffic analytics | How many times AI agents showed your products, clicked through, or reached checkout. These are aggregate counts with no personal information about the shoppers attached. | Not personal data. We never connect these counts to a named individual. |
| Buyer transactions | We never store this. When a shopper buys your product through an AI agent, they check out on your selling platform. The buyer's name, address, email, and payment details stay with your platform. We never see them. | Not collected. |
How we connect to your store depends on the platform. WooCommerce sellers install a plugin that handshakes with us using a per-site API token. Shopify sellers paste their store domain (we read the public products feed) or, if they prefer, paste a custom Admin API token. Big Cartel sellers paste their subdomain (we read the public API). Etsy sellers upload their listings CSV directly. In every case the access is read-only and you can revoke it at any time.
We keep data for as long as we need it, and no longer. Here are the specifics.
| What it is | How long we keep it |
|---|---|
| Your product catalogue | While your account is active. Deleted within 30 days of you closing your account or disconnecting your shop. |
| Your email address and store credential (where one exists) | While your account is active. Deleted within 30 days of account closure. Raw Etsy CSV uploads are deleted from S3 after 7 days; only parsed product records persist. |
| Your seller profile | While your account is active, then up to 12 months after closure. You can ask us to delete it sooner. |
| Agent traffic analytics | 24 months in aggregated form. After that it is deleted or retained only as anonymous totals. |
| Support email correspondence | Up to 2 years, so we can answer follow-up questions and resolve disputes. |
| Billing records | 6 years. UK tax law requires us to keep these. |
If you ask us to delete your data sooner than the periods above, we will do so unless the law requires us to keep it (for example, billing records).
We share data with a small number of service providers who help us run TokoSales. We do not sell your data to anyone, ever.
Hosts our servers, databases, and storage, and delivers our account emails. Your account data and product catalogue are processed there under a data processing agreement.
Generates product descriptions for AI agents from your product catalogue, and helps us triage emails you send to our support address. They process this data under a data processing agreement and do not train models on it.
Serves our marketing website and routes traffic to it. They process visitor IP addresses and request metadata under a data processing agreement.
Hosts our team's email accounts and routes emails you send to our support address. They process this data under a data processing agreement.
We publish your product catalogue as structured feeds so AI agents can discover and recommend your products. The current platforms are listed on our How it works page. The data published is your product information, not personal data about you.
When you subscribe to a paid plan, our payment processor handles your card details directly. We do not store card numbers.
We read your product catalogue from the store platform you connect — WooCommerce via a plugin you install yourself, Shopify or Big Cartel via the public products feed each platform exposes, or Etsy via a CSV file you upload yourself.
We will disclose data if we are legally required to do so, for example under a court order or a lawful information request.
We do not use advertising trackers, data brokers, or marketing resellers. Your data is not shared for advertising purposes.
Your account data and product catalogue are stored with our cloud infrastructure provider in the United States (Virginia). If you are in the UK or the EU, this means your personal data is transferred outside the UK and the European Economic Area.
We rely on two safeguards for that transfer.
Our cloud provider is certified under these frameworks, which the UK and EU recognise as providing adequate protection.
Our data processing agreement with our cloud provider incorporates the European Commission's Standard Contractual Clauses and the UK Addendum, as additional safeguards for transfers to the United States. Our cloud provider is also certified under the UK Extension to the EU-US Data Privacy Framework, which the UK Government recognises as providing adequate protection for personal data transferred to certified US organisations.
If TokoSales staff need to access your data from a country other than the United States or the United Kingdom for a technical support reason, we apply the same safeguards before doing so.
We continue to evaluate opening an EU region for UK and EU sellers. We will update this notice if that changes.
We take data protection seriously and build security into how the service works.
Every connection between your browser, our servers, and your selling platform uses TLS (the same encryption banks use).
Where we hold a store credential (Shopify Admin API token, hashed WooCommerce plugin token), it is encrypted with a key dedicated to your account in AWS Secrets Manager, using AWS KMS. Our databases, raw CSV upload bucket, and file storage are also encrypted at rest.
Our public website and APIs sit behind a content delivery network that filters malicious traffic, mitigates denial-of-service attacks, and enforces HTTPS.
Every webhook we accept from third parties is verified with a cryptographic signature, so nobody can fake events to our system.
Our legal and compliance team does not have access to seller personal data. Members of our engineering team can reach production systems only where there is a specific operational need, and access is granted at the minimum level required.
Every access to production systems is logged in AWS CloudWatch. We can see who did what, and when.
Our databases are backed up continuously with point-in-time recovery, so we can restore data to any second within the last 35 days if it is ever lost or corrupted.
Every service provider that processes personal data on our behalf is bound by a written data processing agreement. The categories are listed in "Who we share your data with" above.
We keep our software dependencies and underlying systems up to date so known vulnerabilities are patched quickly.
We do not run advertising pixels, analytics trackers, or third-party cookies on tokosales.ai.
We review security practices and access rights as TokoSales grows, and respond to new risks as they appear.
No system is perfectly secure. If we ever suffer a data breach that affects you, we will tell you promptly and tell the ICO within 72 hours, as UK GDPR requires.
Under UK GDPR you have seven rights over your personal data. You can exercise any of these by emailing [email protected]. We will respond within 30 days.
Ask for a copy of the personal data we hold about you.
Ask us to correct data that is wrong or incomplete.
Ask us to delete your personal data. We will do this within 30 days, unless the law requires us to keep something (for example, billing records).
Ask us to stop processing your data while we look into a concern you have raised.
Ask for your data in a format you can move to another service.
Object to our use of your seller profile data for service improvement. We will stop using it for that purpose.
We do not make automated decisions that have a legal or similarly significant effect on you. If we ever start doing so, we will tell you first and explain your rights.
You will not pay a fee for these requests. We will only refuse if a request is clearly unfounded or excessive, and we will explain why if we do.
Your local law gives you similar rights. Under the California Consumer Privacy Act (CCPA) you have the right to know what we hold, the right to delete it, the right to correct it, and the right to opt out of any sale of personal information (we do not sell personal information to anyone). Under Canadian PIPEDA you have the right to access and correct your personal information. Under Australia's Privacy Act and the Australian Privacy Principles you have equivalent rights of access and correction. Whichever country you are in, email [email protected] and we will handle your request the same way.
Our public marketing site at tokosales.ai does not set any cookies. No analytics cookies, no advertising cookies, no session cookies. You do not need to accept a cookie banner because there is nothing to accept.
Once you sign up and connect your shop, your seller dashboard will set one small cookie: a session cookie that keeps you logged in. This cookie only holds a random session ID. It is deleted when you log out or close your browser. We do not use this cookie to track you around the web.
We do not use Google Analytics, Facebook Pixel, or any similar tracker. We do not sell advertising or share cookie data with third parties.
We comply with the UK GDPR and, for EU sellers, the EU GDPR. The UK's Information Commissioner's Office (ICO) is our supervisory authority. If you believe we have mishandled your data, you have the right to complain to the ICO at ico.org.uk, or to the data protection authority in your EU country.
If you are in California, the CCPA gives you the right to know, delete, correct, and opt out of any sale of personal information. We do not sell personal information. Residents of other US states with comparable privacy laws (for example, Virginia, Colorado, Connecticut) have similar rights. Contact us at [email protected] to exercise them.
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) for sellers in Canada. If you have a complaint, you can contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.
We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 for sellers in Australia. If you have a complaint, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
If you are in a country not listed above and have questions about how your data is protected, email [email protected] and we will explain what applies to you.
We will update this notice when the service changes, when the law changes, or when we find a clearer way to say something. If we make a change that materially affects your rights or how your data is used, we will tell you by email at least 14 days before the change takes effect. Small edits (like fixing a typo or reordering a paragraph) will just appear on this page with a new version number.
The version number and effective date at the top of this page always show the current version. If we have made changes, the updates will be summarised at the bottom of this section as we publish them.
For anything about your data, your rights, or this notice, email [email protected]. We aim to respond within two business days and will always respond within 30 days.
Our data protection contact is the TokoSales privacy team. We are not legally required to appoint a formal Data Protection Officer under UK GDPR Article 37 at our current scale, but we follow the same standards.
If you would rather complain to a regulator, you can contact the UK Information Commissioner's Office at ico.org.uk, or your local data protection authority.
For the contractual side of your relationship with us (pricing, cancellation, what we promise each other), see our Terms of use.