Privacy Policy

This Privacy Policy describes how MageCopilot ("we", "us", "our") handles information in connection with the use of the MageCopilot module ("the Software"). By using the Software, you agree to the practices described in this policy.

1. What MageCopilot Does — and Does Not — Collect

MageCopilot is a self-hosted Magento 2 module. It runs entirely on your own server infrastructure. We do not operate a central data collection server, analytics platform, or data warehouse.

MageCopilot does not collect, transmit to us, or store on our servers:

• Personal data of your store's customers (names, emails, addresses, payment details).
• Your store's order history, product catalog, or financial data.
• Admin credentials, passwords, or API keys.
• Audit logs or chat histories generated by the module.

2. Data Sent to Third-Party AI Providers

To generate AI responses, MageCopilot may transmit system context data — such as indexer status, cache state, cron job results, and log excerpts — to the AI provider you configure. Currently supported providers include:

• Google Gemini (Google LLC)
• OpenAI (OpenAI, L.L.C.)
• Anthropic (Anthropic, PBC)
• Google Vertex AI (Google Cloud)
• Microsoft Azure OpenAI (Microsoft Corporation)
• Ollama (local, self-hosted — no data leaves your server)

Each provider operates under its own privacy policy and terms of service. You are responsible for reviewing and accepting the applicable provider's policies before configuring it in MageCopilot. MageCopilot is not responsible for how third-party AI providers process data you send through your own API keys.

3. Data Sanitization Before AI Transmission

Before any context is sent to an external AI provider, MageCopilot applies an automatic sanitization layer (DataSanitizer) that strips or masks:

• Passwords and authentication tokens.
• API keys and secret credentials.
• Customer PII (names, email addresses, phone numbers, billing addresses).
• Payment card data and financial account numbers.

This sanitization is active by default and cannot be disabled by end users, providing a baseline level of data protection regardless of the configured AI provider.

4. Strict Privacy Mode (Ollama)

If you configure Ollama as your AI provider, all AI processing occurs locally on your own server. No store data is transmitted to any external service. For organizations with strict data sovereignty requirements, we recommend running Ollama in this configuration.

Additionally, administrators can enable Strict Privacy Mode in the module settings to completely disable all outbound context transmission, regardless of the configured provider.

5. Audit & Security Logs

All actions performed by MageCopilot — including executed CLI commands, workflow triggers, AI queries, and admin interactions — are logged in the Security Audit Log stored locally on your server's database. These logs:

• Remain exclusively on your infrastructure.
• Are never transmitted to MageCopilot or any third party.
• Can be reviewed, exported, or deleted by your administrators at any time.

6. Subscription & Billing Data

When you purchase a Pro or Enterprise subscription, billing and payment processing is handled by our payment processor (Paddle). We do not store full credit card or payment account details on our systems. Paddle's handling of your payment information is governed by Paddle's Privacy Policy.

We retain your name, email address, and purchase history for subscription management and support purposes. This information is stored securely and used only for billing, license management, and support communications.

7. Website Analytics & Cookies

The MageCopilot website (magecopilot.com) is a static site hosted on GitLab Pages. We do not use tracking analytics tools, advertising pixels, or third-party cookies on this website. The only cookies that may be set are those strictly necessary for the operation of the site.

8. GDPR & Your Rights

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights with respect to any personal data we hold about you:

• Access — Request a copy of the personal data we hold about you.
• Rectification — Request correction of inaccurate or incomplete data.
• Erasure — Request deletion of your personal data ("right to be forgotten").
• Portability — Request your data in a structured, machine-readable format.
• Objection — Object to processing based on legitimate interests.
• Restriction — Request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at support@magecopilot.com. We will respond within 30 days.

9. Data Retention

We retain subscription and billing data for as long as your account is active and for a minimum of 5 years thereafter, as required by applicable financial regulations. Upon a valid erasure request, we will delete personal data that is not required to be retained by law.

10. Data Security

We implement industry-standard technical and organizational measures to protect the personal data we hold. However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.

11. Children's Privacy

MageCopilot is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active subscribers of material changes via email. Continued use of the Software after changes take effect constitutes acceptance of the updated policy. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact & Data Controller

If you have questions, concerns, or requests regarding this Privacy Policy, please contact us:

MageCopilot
Email: support@magecopilot.com