Legal

Privacy Policy

Last updated: March 4, 2026

We built Ocean for businesses and agencies who take their Shopify stores seriously. This policy explains exactly what data we collect, why, and how you can control it.

1. Who We Are

Ocean is a visual Shopify theme editor for merchants and agencies, available at oceaneditor.com. The service is operated by a company registered in Romania (EU), acting as the data controller for the personal data described in this policy.

As an EU-registered entity, we are subject to the General Data Protection Regulation (GDPR) and supervised by Romania's data protection authority, ANSPDCP.

For any privacy-related requests or legal correspondence, contact us at support@oceaneditor.com. We will provide full registered company details upon request for legitimate legal purposes.

2. Data We Collect

We only collect data that is necessary to provide the service. Here is what we collect and where it comes from:

Account data

  • Email address — used for authentication, transactional emails, and workspace invitations
  • First and last name — displayed in your profile and workspace
  • Profile photo URL — optional, displayed in the editor UI

Shopify store data

  • Shop domain and shop name — to identify and display your connected stores
  • Encrypted Shopify access token — stored using AES-256-GCM encryption to sync theme files on your behalf. We access your Shopify store only as directed by your actions in the editor.

Usage and technical data

  • IP address and browser user agent — logged for security purposes (detecting suspicious access, new device sign-ins)
  • Product usage events — features used, editor interactions, AI usage counts — collected to improve the product
  • AI conversation history — prompts you send and AI responses received within the editor, stored to maintain conversation context

Billing data

  • Subscription status and plan tier — your current subscription plan
  • Lemon Squeezy customer ID and subscription ID — for managing your subscription
  • We do not store credit card numbers, bank details, or any raw payment data. All payment processing happens on Lemon Squeezy's hosted checkout pages.

Communications

  • Email addresses of colleagues you invite to your workspace
  • Support messages you send to us
  • Waitlist email address, if you signed up before launch

3. Why We Collect It and Our Legal Basis

Under GDPR, we must have a lawful basis for every processing activity. Here is what we do with your data and why:

Where we rely on legitimate interest (Art. 6.1.f), we have determined that our interest in operating a secure, improving product does not override your rights — particularly because: (a) we are a B2B service, so users are business professionals with a reasonable expectation that the tools they use to run their business collect operational data; (b) we limit collection to what is necessary; and (c) you can object at any time by contacting us.

Purpose | Legal Basis (GDPR Art. 6)
Creating and managing your account | Contract performance (6.1.b)
Syncing and editing your Shopify theme files | Contract performance (6.1.b)
Sending transactional emails (verification, invites, password reset) | Contract performance (6.1.b)
Processing subscription payments via Lemon Squeezy | Contract performance (6.1.b)
Security monitoring and audit logging | Legitimate interest (6.1.f) — protecting our platform and users
Product analytics within the authenticated editor | Legitimate interest (6.1.f) — understanding how the product is used to improve it
Analytics on the marketing website | Consent (6.1.a) — collected via cookie banner
Retaining billing records | Legal obligation (6.1.c) — financial records retained 7 years

4. Who We Share Your Data With

We do not sell your data. We share it only with the processors necessary to run Ocean:

  • Supabase (EU region) — our database and authentication provider. Your data is stored in Supabase's EU infrastructure.
  • Lemon Squeezy — payment processing. Receives your email address to create a billing customer record. Does not receive your theme files or store data.
  • Resend — transactional email delivery. Receives your email address to send authentication and notification emails.
  • Google (Gemini API) — powers our AI editor features. When you use AI in the editor, your prompts and relevant theme context are sent to Google's Gemini API for processing. See the AI Features section for more detail.
  • PostHog — product analytics. Receives usage events and a pseudonymous identifier. Proxied through our servers to minimize unnecessary data exposure.
  • Vercel — our hosting provider. Processes traffic data and Core Web Vitals.
  • Upstash — Redis cache for rate limiting and session state. Does not receive PII beyond what is technically necessary.
  • Trigger.dev — background job infrastructure used for screenshot generation.

5. International Data Transfers

Some of our processors are based outside the European Economic Area (EEA). Where this is the case, we rely on appropriate safeguards:

  • Supabase — EU region. No transfer outside EEA.
  • PostHog — EU cluster. No transfer outside EEA.
  • Google (Gemini API) — US-based. Google's Data Processing Addendum and Standard Contractual Clauses (SCCs) apply.
  • Resend — US-based. SCCs apply.
  • Lemon Squeezy — US-based. SCCs apply.

You can request a copy of the applicable transfer mechanisms by contacting us at support@oceaneditor.com.

6. How Long We Keep Your Data

Data type | Retention period
Account profile (name, email, photo) | For the duration of your account. Deleted within 30 days of account deletion.
Shopify store tokens and data | Deleted within 30 days of account or store disconnection.
AI conversation history (server-side) | Retained while your account is active. Deleted within 30 days of account deletion.
AI conversation history (browser cache) | 14-day TTL in your browser's local storage. Cleared when you clear browser data.
Security event logs (IP, user agent) | 1 year, then deleted.
Billing and subscription records | 7 years from the date of the transaction (legal obligation).
Analytics data | 1 year, then anonymized.
Waitlist email | Until you unsubscribe or 3 years of inactivity.

7. Your Rights Under GDPR

As an EU data subject, you have the following rights. To exercise any of them, email support@oceaneditor.com. We will respond within 30 days.

  • Right to access — request a copy of all personal data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your data (subject to legal retention obligations)
  • Right to restriction — request that we limit how we use your data while a dispute is resolved
  • Right to data portability — request your data in a machine-readable format
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

You also have the right to lodge a complaint with Romania's supervisory authority: ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal.

8. Cookies and Analytics

Strictly necessary cookies

We use HTTP-only session cookies issued by Supabase to keep you signed in. These are essential to provide the service and do not require your consent.

Analytics

On our marketing website, we use PostHog and Vercel Analytics to understand traffic and improve the site. These require your consent and are only initialized after you accept via our cookie banner.

Inside the authenticated editor, we use PostHog to understand how the product is used (which features are used, where users get stuck). This is based on legitimate interest and is disclosed here.

We also use Vercel Speed Insights to monitor Core Web Vitals. This collects anonymous performance metrics only.

No advertising cookies

We do not use advertising networks, retargeting pixels, or social media tracking cookies.

Cookie consent

Analytics on our public marketing site (oceaneditor.com) requires your consent. We rely on consent as the legal basis for analytics cookies placed before you sign in.

Inside the authenticated editor, analytics are collected under legitimate interest — you have an established business relationship with us and a reasonable expectation that a professional SaaS tool monitors usage to improve the product.

You may block analytics cookies at any time using your browser settings without affecting core product functionality.

9. AI Features

Ocean's AI editor features are powered by Google Gemini. When you use AI in the editor:

  • Your prompts and relevant Shopify theme code context are sent to Google's Gemini API for processing
  • Conversation history is stored in our database to maintain context across sessions
  • We use anonymized, aggregated AI usage data to improve our prompting and product experience

Important: Do not include sensitive personal data of your customers or third parties in AI prompts. Theme code and store configuration are appropriate inputs; customer PII is not.

Google's processing of data via the Gemini API is governed by their Data Processing Addendum and Standard Contractual Clauses.

10. Data Security

We take reasonable technical and organizational measures to protect your data:

  • Shopify access tokens are encrypted at rest using AES-256-GCM before storage
  • All data in transit is encrypted via TLS
  • Our database enforces Row-Level Security (RLS) — queries are automatically scoped to your account
  • Security events (new device sign-ins, suspicious access attempts) are logged and monitored
  • Access to production data is limited to authorized personnel only

No system is 100% secure. If you believe your account has been compromised, contact us immediately at support@oceaneditor.com.

11. Changes to This Policy

We may update this policy as our product and legal obligations evolve. For material changes, we will notify you by email at least 14 days before the change takes effect.

The "Last updated" date at the top of this page reflects when the current version was published. Continued use of Ocean after a change takes effect constitutes acceptance of the updated policy.

12. Contact Us

For any questions, requests, or complaints about this policy:

  • Email: support@oceaneditor.com
  • Response time: We aim to respond within 5 business days for general queries, and within 30 days for formal GDPR requests as required by law.

To lodge a complaint with Romania's supervisory authority: www.dataprotection.ro