Yes, ConvertMate takes data security seriously and implements multiple layers of protection to keep your information safe. We're compliant with major privacy regulations and follow industry-standard security practices.
Security measures
Encryption
Data in transit:- All data transmitted between your browser and ConvertMate uses TLS 1.3 encryption
- All API connections to your platforms use HTTPS with TLS 1.3
- No unencrypted communication occurs
- Your data is encrypted in our databases using AES-256 encryption
- Encryption keys are rotated regularly
- Backups are also encrypted
Authentication
OAuth 2.0 for platform connections:- We use OAuth for Shopify, BigCommerce, Google services, Meta, and other platforms
- Your platform passwords are never stored by ConvertMate
- OAuth tokens are encrypted and stored securely
- Tokens are automatically refreshed to maintain secure access
- For platforms that use API keys (WooCommerce, Adobe Commerce)
- Keys are encrypted at rest
- Keys are never logged or exposed in error messages
- You can regenerate keys anytime
- Passwords are hashed using bcrypt
- We never store plain-text passwords
- Failed login attempts are rate-limited to prevent brute force attacks
- Optional two-factor authentication available
- Sign in with Google available (uses Google's OAuth for secure authentication)
- Google Sign In users are automatically verified without email confirmation
Access control
Role-based permissions:- Owner, Admin, Editor, and User roles with different access levels
- Team members can only access what their role allows
- You control who can run agents, access billing, or manage team
- ConvertMate only requests necessary permissions for each platform
- Read-only access when possible
- Write access only for features you explicitly use
- You can revoke access anytime through your platform's settings
What data we access
From e-commerce platforms
What we access:- Product information (titles, descriptions, images, prices)
- Collection and category data
- Store configuration and settings
- Basic inventory levels
- Customer personal information (names, addresses, emails)
- Payment information or credit card data
- Order details or transaction history (unless you connect analytics separately)
- Admin passwords or API keys (OAuth handles auth)
From Google services
ConvertMate's use of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.
What we access:- Google Search Console: Website URL, search queries, impressions, clicks, ranking data, page URLs, and URL inspection data
- Google Analytics 4: Traffic data, sessions, users, page views, conversion data, and traffic source information
- Google Merchant Center: Product feed data (titles, descriptions, prices, images), product performance metrics, and feed health status
- Google Ads: Campaign structure, ad groups, keywords, performance metrics (impressions, clicks, conversions, costs), and search terms reports
- Google My Business: Business profile information, customer reviews, ratings, and business insights
- Google Sign-In: Google account ID, verified email address, and profile information (name and picture)
- Your Google account password
- Personal user data beyond what's needed for analytics (we see aggregated metrics)
- Other Google services beyond what you explicitly connect
- Any data from properties you didn't connect
- Display your Google data within ConvertMate's dashboard for monitoring
- Analyze data to generate AI-powered marketing insights and content suggestions
- Execute automated workflows based on your Google data
- Generate custom reports combining Google data with other platforms
- We never sell your Google data
- Google data is used exclusively to provide ConvertMate services to you
- You can disconnect Google services anytime through Settings → Platform Connections
- You can revoke access through Google Account permissions
For comprehensive details about Google API data handling, see the Google API Services section in our privacy policy.
From social platforms
What we access:- Ad performance metrics
- Post engagement data
- Audience demographics (aggregated)
- Personal messages or DMs
- User personal information beyond aggregated demographics
- Payment methods or billing information
Data storage
Where data is stored:- Primary data centers in the United States
- EU data centers for European customers (when requested)
- Backups in geographically diverse locations for redundancy
- Active account data: Stored while your account is active
- After account deletion: Retained for 30 days for recovery, then permanently deleted
- Backups: Retained for 90 days, then automatically purged
- Only you and your team members with appropriate permissions
- ConvertMate engineers only during support requests (with your permission)
- No third-party access without your explicit consent
- No data selling or sharing for marketing purposes
Compliance
GDPR (General Data Protection Regulation)
ConvertMate is fully GDPR compliant:
- Right to access your data (export anytime)
- Right to deletion (delete account and all data)
- Right to data portability (export in standard formats)
- Data processing agreements available for enterprise customers
- Privacy by design principles
CCPA (California Consumer Privacy Act)
ConvertMate is CCPA compliant:
- Right to know what data we collect
- Right to delete your data
- Right to opt-out of data selling (we don't sell data)
- Non-discrimination for exercising privacy rights
PCI DSS
While ConvertMate doesn't directly handle credit cards:
- Payment processing through Stripe (PCI DSS Level 1)
- We never store or process credit card information
- Payments handled entirely by certified payment processors
Security practices
Infrastructure security
Cloud hosting:- Hosted on AWS (Amazon Web Services)
- Multi-availability zone deployment
- Automatic failover and redundancy
- Regular security patches and updates
- Encrypted databases
- Regular backups (automated daily)
- Point-in-time recovery capability
- Access restricted to necessary services only
- Firewalls protecting all infrastructure
- Intrusion detection and prevention systems
- DDoS protection
- Security monitoring 24/7
Application security
Code security:- Regular security audits
- Dependency scanning for vulnerabilities
- Secure coding practices
- Input validation and sanitization
- Rate limiting to prevent abuse
- API authentication required
- Request validation
- Logging and monitoring for suspicious activity
Employee access
Internal policies:- Background checks for employees with data access
- Security training for all team members
- Least-privilege access principle
- Access logging and auditing
- Support team can only access data when you request help
- Access is logged and time-limited
- Support never asks for your password
- You can revoke support access anytime
Data breaches
Prevention:- Multiple security layers to prevent breaches
- Regular security testing and audits
- Continuous monitoring for threats
- Incident response plan in place
- You'll be notified within 72 hours
- Details about what data was affected
- Steps we're taking to address it
- Recommendations for protecting your account
- Required regulatory notifications filed
- ConvertMate has had zero data breaches since launch
- We maintain transparent security posture
Your responsibilities
While we protect your data, you also play a role:
Account security:- Use a strong, unique password
- Enable two-factor authentication
- Don't share your account credentials
- Log out on shared computers
- Review team member access regularly
- Secure your e-commerce platform properly
- Use strong passwords for connected platforms
- Review and audit OAuth app permissions regularly
- Revoke access for unused integrations
- Only invite team members who need access
- Assign appropriate roles (don't make everyone Owner)
- Remove team members when they leave your organization
- Review team access quarterly
Privacy commitment
What we do:- Use your data only to provide ConvertMate services
- Protect your data with industry-standard security
- Give you full control over your data
- Be transparent about our practices
- Sell your data to third parties
- Use your data to train AI models for other customers
- Share your data without explicit consent
- Mine your data for marketing purposes
- Keep your data after account deletion
Transparency
Security updates:- We notify customers of significant security changes
- Security policies updated regularly
- Transparency reports available
- Security documentation provided during onboarding
- Data processing agreements available
Questions and concerns
Reporting security issues:- Email security@convertmate.io for vulnerabilities
- We have a responsible disclosure policy
- Security researchers appreciated and credited
- Email privacy@convertmate.io
- Request data export or deletion
- Ask about specific data handling practices
- Available for enterprise customers
- Custom security requirements negotiable
- Contact sales@convertmate.io
Additional resources
Read more:- Full privacy policy
- Terms of service
- Data processing agreement (enterprise)
- Security documentation (enterprise)
- Email support@convertmate.io
- Live chat in bottom-right corner
- Security issues: security@convertmate.io
Summary
Your data is secure with ConvertMate. We use encryption, follow industry best practices, maintain compliance with major privacy regulations, and give you full control over your information. We're transparent about our practices and take security seriously at every level.
Read our complete privacy policy