Legal · Privacy

Privacy Policy

How Engineered Agents AI collects, uses, stores, and protects data across the BOS Platform, TierPilot for Shopify, and our marketing properties.

Effective
2026-04-28
Last updated
2026-04-28
Questions
privacy@engineeredagents.ai

1. Who we are

Engineered Agents AI ("EA", "we", "us", "our") is a Delaware company headquartered in Columbus, Ohio. We operate the BOS Platform at app.engineeredagents.ai, the TierPilot Shopify app, the marketing site at engineeredagents.ai, and supporting services.

For all privacy questions, contact privacy@engineeredagents.ai.

2. Scope of this policy

This policy covers personal data we process in two distinct roles:

  • As a controller — when a merchant signs up for BOS Platform, installs TierPilot, or contacts us through our marketing site. We decide what data to collect and how to use it.
  • As a processor — when our software handles end-customer data (for example, a Shopify shopper's email and order details) on a merchant's behalf. The merchant is the controller; we act on their instructions.

The relevant role determines which rights apply and who you should contact first. Sections 4 and 11 cover the processor case.

3. Data we collect from merchants

When you create an account, install our apps, or use our services, we collect:

3.1 Account data

  • Name, business email, business name, billing address
  • Password hash (we never store plaintext passwords)
  • Shopify shop domain and access token (encrypted at rest) for TierPilot installs
  • Plan, billing status, payment events from Stripe or Shopify Billing

3.2 Operational data

  • Application logs: which features you used, when, from which IP and user agent
  • Support tickets and email correspondence
  • Telemetry: error reports, performance metrics, feature engagement

3.3 Configuration data

  • Tier names, tier prices, tier assignments and overrides you create
  • Integration credentials for services you connect (encrypted, tenant-scoped)
  • Documents and content you upload to your tenant workspace

4. Data we process on behalf of merchants

When you install TierPilot, the app reads and stores limited data about your Shopify customers, strictly for the purpose of applying tier pricing:

  • customer_id and email — to assign tiers and to contact for support
  • Tags and company associations — to auto-tier customers
  • Tier assignments and per-customer override prices
  • Order history (read-only, summarized) — to surface tier impact in dashboards

We do not read customer payment details, addresses, or sensitive PII beyond what's listed above. We do not resell, advertise to, or profile end customers. We act only on the instructions of the merchant who installed TierPilot.

5. How we use the data

  • Provide the service — run the apps, apply discounts at checkout, sync metafields, send transactional email.
  • Support — investigate tickets, diagnose bugs, respond to your questions.
  • Billing — process payments via Stripe or Shopify Billing, send invoices, prevent fraud.
  • Improve the product — aggregate, anonymize usage trends to inform roadmap decisions.
  • Compliance — meet legal obligations, respond to lawful requests, enforce our terms.

We do not use merchant or end-customer data to train large language models. AI features in the BOS Platform are routed to providers (Anthropic, OpenAI, Google) under contracts that prohibit training on submitted content.

6. Legal basis for processing (GDPR)

If you are in the EU, UK, or another jurisdiction with similar laws, we rely on these bases:

  • Contract — to provide the service you signed up for.
  • Legitimate interests — to secure our systems, prevent fraud, and improve the product. Balanced against your rights.
  • Legal obligation — when required by tax, accounting, or law-enforcement obligations.
  • Consent — for optional cookies, marketing email, and any processing that requires it. Withdraw at any time.

7. When we share data

We share personal data only when one of the following applies:

  • With sub-processors we contract with to operate the service (see section 8).
  • With your direction — for example, when you connect an integration, we exchange data with that service.
  • With Stripe or Shopify for payment processing, if you pay through them.
  • For legal reasons — to comply with a subpoena, court order, or government request, where required.
  • In a corporate transaction — if EA is acquired or reorganized, data may transfer subject to this policy.

We do not sell personal data. We do not share data with advertisers.

8. Sub-processors

We use the following sub-processors. Each is bound by a data-processing agreement that meets GDPR requirements:

  • Amazon Web Services (US) — hosting, database, object storage, secrets management.
  • Shopify (Canada / US) — for TierPilot, the platform on which the app runs.
  • Stripe (US) — payment processing for the BOS Platform.
  • Anthropic (US) — primary LLM provider for AI features in BOS Platform.
  • OpenAI (US) — fallback LLM provider for some BOS Platform features.
  • Google (US) — Workspace integration, optional Gemini routing in BOS Platform.
  • Sentry (US) — error reporting for production services.
  • Postmark / SES (US) — transactional email delivery.

An up-to-date list is available on request: privacy@engineeredagents.ai.

9. Retention

  • Account data — retained for the life of the account, deleted within 90 days of cancellation unless we have a legal obligation to retain longer.
  • Application logs — 90 days, then aggregated.
  • Backups — 30 days rolling.
  • Billing records — 7 years (US tax requirement).
  • TierPilot install records — deleted within 48 hours of receiving a shop/redact webhook from Shopify.

10. Security

We protect data in transit and at rest:

  • TLS 1.2+ for all network traffic.
  • AES-256 encryption at rest for databases and object storage.
  • AES-GCM envelope encryption for sensitive credentials in our secrets store.
  • PostgreSQL Row-Level Security to isolate tenant data — no merchant can read another merchant's rows.
  • Principle of least privilege for staff access; access logged and reviewed.
  • Routine vulnerability scanning, dependency monitoring, security patches applied within 30 days of disclosure (sooner for critical CVEs).

No security program eliminates risk entirely. If you suspect a breach, contact security@engineeredagents.ai.

11. Your rights

If you are an end customer of a merchant who uses our software, please contact the merchant first — they are the controller of your data. We will assist them in fulfilling your request.

If you are a merchant or directly interact with EA, you may:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data, subject to legal retention requirements.
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent where consent was the basis.
  • Lodge a complaint with your local data protection authority.

Email privacy@engineeredagents.ai with the subject line Privacy request. We respond within 30 days.

12. Shopify GDPR webhooks

TierPilot honors Shopify's three mandatory GDPR webhooks:

  • customers/data_request — when a Shopify customer asks the merchant for their data, we compile every TierPilot record tied to that customer and email it to the merchant within 30 days.
  • customers/redact — 10 days after a customer is deleted in Shopify (or sooner if requested), we hard-delete every tier assignment, override, and audit-log entry tied to that customer.
  • shop/redact — 48 hours after a shop uninstalls TierPilot, we hard-delete the entire shopify_app_installs record and all associated tier configuration.

13. Cookies and tracking

We use a small number of cookies:

  • Strictly necessary — session cookies, CSRF tokens, JWT auth. Cannot be disabled without breaking the service.
  • Analytics — first-party page-view counters only. No cross-site tracking, no advertising pixels.

Our embedded Shopify app uses Shopify's session token mechanism, which does not set third-party cookies.

14. International transfers

Our infrastructure is hosted in the United States (AWS us-east-2). If you access our services from the EU, UK, Canada, or elsewhere, your data is transferred to and processed in the US under Standard Contractual Clauses. Sub-processors that hold EU data have committed to equivalent protections.

15. Children

Our services are for businesses, not for individuals under 18. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.

16. Changes to this policy

We will post material changes here and email account holders. The "Last updated" date at the top reflects the most recent change. Continued use after a change indicates acceptance.

17. Contact

Privacy questions, data requests, breach reports — privacy@engineeredagents.ai.

For TierPilot support: support@engineeredagents.ai.

Postal: Engineered Agents AI, Columbus, Ohio, United States.