Privacy Policy – ValidUCP

1. Who We Are

ValidUCP is an Agentic Commerce Optimization platform operated from Tunis, Tunisia. We provide audit services that score e-commerce stores and digital businesses for AI agent readiness.

For questions about this Privacy Policy, contact us at [email protected].

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

Email address
Name (optional)
Company name (optional)
Password (stored as a hashed value — we never store plaintext passwords)

2.2 Usage Data

When you use the Platform, we automatically collect:

URLs you submit for scanning
Scan results, scores, and reports associated with your account
IP address and approximate location (country/region level)
Browser type, device type, and operating system
Pages visited, features used, and time spent on the Platform

2.3 Payment Data

We use third-party payment processors (such as Stripe) to handle billing. We do not store your credit card number, CVV, or full payment details on our servers. Our payment processor's privacy policy applies to payment data.

2.4 Communications

If you contact us by email, we retain the content of that communication to respond to and track your inquiry.

3. How We Use Your Data

We use your data to:

Provide and operate the ValidUCP service
Generate your Agentic Maturity Score and audit reports
Send transactional emails (account confirmations, scan completions, invoices)
Improve our scoring methodology and AI models (using anonymized, aggregated data)
Detect and prevent fraud, abuse, and security threats
Comply with legal obligations
Send product updates and new feature announcements (you can opt out at any time)

We do not use your data for automated decision-making that produces legal or similarly significant effects on you.

4. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We may share data with:

Infrastructure providers (cloud hosting, database services) who process data on our behalf under data processing agreements
Payment processors (e.g. Stripe) for billing purposes
AI providers (e.g. Anthropic) for semantic scoring — only anonymized store content is sent, never your personal account data
Analytics tools — we use privacy-respecting analytics (no Google Analytics by default)
Legal authorities — only when required by law or valid legal process

All third-party service providers are contractually required to protect your data and use it only for the purposes we specify.

5. Cookies & Tracking

We use the following types of cookies:

Essential cookies: Required for authentication and core functionality. Cannot be disabled.
Preference cookies: Store your language and UI preferences (e.g. EN/FR toggle).
Analytics cookies: Help us understand how the Platform is used. These are anonymized and do not track you across other websites.

We do not use third-party advertising cookies or cross-site tracking. You can manage cookie preferences in your browser settings.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the service. Specifically:

Account data: retained until account deletion + 90 days
Scan results and reports: retained for the duration of your subscription + 90 days post-cancellation
Anonymized scan data (used to improve scoring): may be retained indefinitely in aggregate form
Billing records: retained for 7 years as required by applicable accounting law

You may request deletion of your personal data at any time (see Your Rights below).

7. Security

We implement industry-standard security measures to protect your data, including:

Encryption in transit (TLS 1.3) and at rest (AES-256)
Hashed and salted password storage
Role-based access controls for internal staff
Regular security reviews and vulnerability assessments

No system is completely secure. If you suspect a security incident affecting your account, contact us immediately at [email protected].

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Right of Access

Request a copy of all personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing for direct marketing or legitimate interests.

Right to Restrict

Request that we limit how we process your data in certain situations.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

If you are in the European Union or EEA, you also have the right to lodge a complaint with your local data protection authority.

9. Children's Privacy

ValidUCP is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify registered users by email and update the "Last updated" date at the top of this page. Material changes will be communicated with at least 14 days' notice before taking effect.

11. Contact Us

For any privacy-related questions, data requests, or concerns:

📧 [email protected]

Subject line: "Privacy Request — [Your Name]"

V