Privacy Policy
Effective date: June 14, 2026
Amaretta LLC dba Visibility Mesh ("we") provides this Privacy Policy for visibilitymesh.com, our web application, and our Shopify application.
1. Information we collect
- Account data: name, email, company, password hash, plan and billing state. Payments are processed by Shopify; we do not store full card numbers.
- Scan data: URLs you submit, publicly accessible page content we retrieve from them, files you upload (e.g., structured-data files, catalog exports), and the scores, findings, and reports we generate. Scan data may incidentally include personal information present on the scanned pages or in uploaded files; you are responsible for your authority to submit it.
- Shopify app data (if installed): shop identifier, product/content/theme data within granted read-only scopes, access tokens (encrypted).
- Usage data: log data, device/browser type, pages viewed, feature usage. We use privacy-respecting analytics (Shopify's native analytics) and only consent-gated cookies beyond strictly necessary ones (see Cookie Policy).
- Communications: support messages, survey responses, review/case-study consents.
2. How we use information
To provide and improve the Service (run scans, generate reports, compute progress over time); to provision purchases; to send transactional messages (scan complete, re-scan reminders) and, with consent, marketing; to prevent abuse; to comply with law. We retain scan history to power progress tracking. This is a core feature, disclosed here deliberately.
Aggregated and benchmarking data. We create de-identified, aggregated statistics from scans, for example how stores in a category tend to score on legibility, schema coverage, or answerability. If you provide an optional industry or vertical, such as on the free scan, we use it only to place your results in the right benchmark group. Aggregated and de-identified data does not identify you, your store, or any person, and we may retain, use, and publish it indefinitely, including in category benchmarks and research, and after your account closes. We do not attempt to re-identify this data or link it back to you, and we maintain it as aggregated and de-identified within the meaning of applicable privacy law.
3. AI processing disclosure
Scan analysis is performed using third-party large-language-model APIs (currently Anthropic). Page content and uploaded data are transmitted to these processors to generate assessments. Our agreements with these processors do not permit them to train their models on your data, consistent with their published API terms. We review these terms periodically and update this statement to keep it accurate.
4. Sharing
We share data only with: service providers/sub-processors listed in the DPA Annex (hosting, database, AI processing, email, automation, payments); professional advisers; authorities when legally required; a successor in a business transfer. We do not sell personal information and do not share it for cross-context behavioral advertising (CCPA/CPRA definitions).
5. Retention
Free-tier scan data: 24 months from last activity. Paid accounts: life of the account plus 90 days after closure, then deletion or de-identification. Backups age out on a rolling 30-day cycle. Legal/billing records retained as required by law. De-identified and aggregated data is not personal information and may be retained indefinitely.
6. Your rights
- California (CCPA/CPRA): right to know, delete, correct, and opt out of sale/sharing (we do not sell/share); no discrimination for exercising rights. Submit requests to privacy@visibilitymesh.com; we verify and respond within statutory windows. Authorized agents accepted per law.
- EEA/UK visitors (GDPR, to the extent applicable): access, rectification, erasure, restriction, portability, objection; legal bases are contract performance (Art. 6(1)(b)) and legitimate interests (6(1)(f)); complaints to your supervisory authority. These rights apply to the extent the GDPR governs a given processing activity; we currently provide the Service primarily to customers in the United States, and where we serve EEA or UK customers the transfer mechanisms in our Data Processing Agreement apply.
7. Security
We apply layered, defense-in-depth controls, including: encryption in transit and at rest; default-deny row-level security isolating each customer’s data; least-privilege access with multi-factor authentication on administrative systems; signed, short-lived URLs for private report storage; rate limiting and spend caps on scanning; protection of our scan fetcher against server-side request forgery; append-only audit logging; monitoring and alerting on anomalies; authenticated sending domains (SPF, DKIM, DMARC); regular dependency patching; and a documented incident-response runbook with tested backups. No method of transmission or storage is completely secure, and we do not claim otherwise; we will notify affected users and regulators of breaches as and when required by law.
8. Children
The Service is not directed to anyone under 18 and we do not knowingly collect their data.
9. Changes and contact
Material changes notified by email and in-product, 30 days before effect. Contact: privacy@visibilitymesh.com, Amaretta LLC, 4590 MacArthur Blvd, Suite 500, Newport Beach, CA 92660.