Is my data secure with ConvertMate?

Understanding ConvertMate's security measures, data protection, and privacy practices

Last updated: Oct 8, 2025

Yes, ConvertMate takes data security seriously and implements multiple layers of protection to keep your information safe. We're compliant with major privacy regulations and follow industry-standard security practices.

Security measures

Encryption

Data in transit:
  • All data transmitted between your browser and ConvertMate uses TLS 1.3 encryption
  • All API connections to your platforms use HTTPS with TLS 1.3
  • No unencrypted communication occurs
Data at rest:
  • Your data is encrypted in our databases using AES-256 encryption
  • Encryption keys are rotated regularly
  • Backups are also encrypted

Authentication

OAuth 2.0 for platform connections:
  • We use OAuth for Shopify, BigCommerce, Google services, Meta, and other platforms
  • Your platform passwords are never stored by ConvertMate
  • OAuth tokens are encrypted and stored securely
  • Tokens are automatically refreshed to maintain secure access
API keys for platform connections:
  • Used for platforms that authenticate with API keys (WooCommerce, Adobe Commerce)
  • Keys are encrypted at rest
  • Keys are never logged or exposed in error messages
  • You can regenerate keys anytime
User authentication:
  • Passwords are hashed using bcrypt
  • We never store plain-text passwords
  • Failed login attempts are rate-limited to prevent brute-force attacks
  • Optional two-factor authentication available

Access control

Role-based permissions:
  • Owner, Admin, Editor, and User roles with different access levels
  • Team members can only access what their role allows
  • You control who can run agents, access billing, or manage the team
Platform-specific permissions:
  • ConvertMate only requests necessary permissions for each platform
  • Read-only access when possible
  • Write access only for features you explicitly use
  • You can revoke access anytime through your platform's settings

What data we access

From e-commerce platforms

What we access:
  • Product information (titles, descriptions, images, prices)
  • Collection and category data
  • Store configuration and settings
  • Basic inventory levels
What we don't access:
  • Customer personal information (names, addresses, emails)
  • Payment information or credit card data
  • Order details or transaction history (unless you connect analytics separately)
  • Admin passwords or API keys (OAuth handles auth)

From Google services

What we access:
  • Search Console: Search performance data, keyword rankings, site issues
  • Analytics: Traffic data, page performance, aggregated user behavior
  • Merchant Center: Product feed data, performance metrics
What we don't access:
  • Your Google account password
  • Personal user data (we see aggregated metrics only)
  • Other Google services beyond what you explicitly connect
  • Any data from properties you didn't connect

From social platforms

What we access:
  • Ad performance metrics
  • Post engagement data
  • Audience demographics (aggregated)
What we don't access:
  • Personal messages or DMs
  • User personal information beyond aggregated demographics
  • Payment methods or billing information

Data storage

Where data is stored:
  • Primary data centers in the United States
  • EU data centers for European customers (when requested)
  • Backups in geographically diverse locations for redundancy
How long data is stored:
  • Active account data: Stored while your account is active
  • After account deletion: Retained for 30 days for recovery, then permanently deleted
  • Backups: Retained for 90 days, then automatically purged
Who can access your data:
  • Only you and your team members with appropriate permissions
  • ConvertMate engineers only during support requests (with your permission)
  • No third-party access without your explicit consent
  • No data selling or sharing for marketing purposes

Compliance

GDPR (General Data Protection Regulation)

ConvertMate is fully GDPR compliant:

  • Right to access your data (export anytime)
  • Right to deletion (delete account and all data)
  • Right to data portability (export in standard formats)
  • Data processing agreements available for enterprise customers
  • Privacy by design principles

CCPA (California Consumer Privacy Act)

ConvertMate is CCPA compliant:

  • Right to know what data we collect
  • Right to delete your data
  • Right to opt out of data selling (we don't sell data)
  • Non-discrimination for exercising privacy rights

SOC 2 Type II

ConvertMate infrastructure meets SOC 2 Type II standards:

  • Security controls audited by independent third parties
  • Availability and confidentiality measures
  • Processing integrity verification
  • Regular audits and compliance reviews

PCI DSS

While ConvertMate doesn't directly handle credit cards:

  • Payment processing through Stripe (PCI DSS Level 1)
  • We never store or process credit card information
  • Payments handled entirely by certified payment processors

Security practices

Infrastructure security

Cloud hosting:
  • Hosted on AWS (Amazon Web Services)
  • Multi-availability zone deployment
  • Automatic failover and redundancy
  • Regular security patches and updates
Database security:
  • Encrypted databases
  • Regular backups (automated daily)
  • Point-in-time recovery capability
  • Access restricted to necessary services only
Network security:
  • Firewalls protecting all infrastructure
  • Intrusion detection and prevention systems
  • DDoS protection
  • Security monitoring 24/7

Application security

Code security:
  • Regular security audits
  • Dependency scanning for vulnerabilities
  • Secure coding practices
  • Input validation and sanitization
API security:
  • Rate limiting to prevent abuse
  • API authentication required
  • Request validation
  • Logging and monitoring for suspicious activity

Employee access

Internal policies:
  • Background checks for employees with data access
  • Security training for all team members
  • Least-privilege access principle
  • Access logging and auditing
Support access:
  • Support team can only access data when you request help
  • Access is logged and time-limited
  • Support never asks for your password
  • You can revoke support access anytime

Data breaches

Prevention:
  • Multiple security layers to prevent breaches
  • Regular security testing and audits
  • Continuous monitoring for threats
  • Incident response plan in place
In the unlikely event of a breach:
  • You'll be notified within 72 hours
  • Details about what data was affected
  • Steps we're taking to address it
  • Recommendations for protecting your account
  • Required regulatory notifications filed
Historical record:
  • ConvertMate has had zero data breaches since launch
  • We maintain a transparent security posture

Your responsibilities

While we protect your data, you also play a role:

Account security:
  • Use a strong, unique password
  • Enable two-factor authentication
  • Don't share your account credentials
  • Log out on shared computers
  • Review team member access regularly
Platform security:
  • Secure your e-commerce platform properly
  • Use strong passwords for connected platforms
  • Review and audit OAuth app permissions regularly
  • Revoke access for unused integrations
Team management:
  • Only invite team members who need access
  • Assign appropriate roles (don't make everyone Owner)
  • Remove team members when they leave your organization
  • Review team access quarterly

Privacy commitment

What we do:
  • Use your data only to provide ConvertMate services
  • Protect your data with industry-standard security
  • Give you full control over your data
  • Be transparent about our practices
What we don't do:
  • Sell your data to third parties
  • Use your data to train AI models for other customers
  • Share your data without explicit consent
  • Mine your data for marketing purposes
  • Keep your data after account deletion

Transparency

Security updates:
  • We notify customers of significant security changes
  • Security policies updated regularly
  • Transparency reports available
Audit availability:
  • SOC 2 reports available upon request for enterprise customers
  • Security documentation provided during onboarding
  • Data processing agreements available

Questions and concerns

Reporting security issues:
  • Email security@convertmate.io for vulnerabilities
  • We have a responsible disclosure policy
  • Security researchers are appreciated and credited
Privacy questions:
  • Email privacy@convertmate.io
  • Request data export or deletion
  • Ask about specific data handling practices
Data processing agreements:
  • Available for enterprise customers
  • Custom security requirements negotiable
  • Contact sales@convertmate.io

Additional resources

Support:
  • Email support@convertmate.io
  • Live chat in bottom-right corner
  • Security issues: security@convertmate.io

Summary

Your data is secure with ConvertMate. We use encryption, follow industry best practices, maintain compliance with major privacy regulations, and give you full control over your information. We're transparent about our practices and take security seriously at every level.

Read our complete privacy policy
