SearchMatch Privacy Policy


SearchMatch - AI-Powered Search for Shopify

Last Updated: November 13, 2025

1. INTRODUCTION

This Privacy Policy ("Policy") describes how Alfa Marketing, an Israeli company with company registration number 215229766 and registered address at Achi Dakar 4, Israel ("MagicSearch," "we," "us," or "our") collects, uses, discloses, and protects information in connection with our AI-powered search service for Shopify stores (the "Service").

By installing, accessing, or using the MagicSearch application, you ("Merchant" or "End User") agree to the collection and use of information in accordance with this Policy. If you do not agree with this Policy, please do not use our Service.

1.1 Definitions

For purposes of this Policy:

  • "Personal Data" means any information relating to an identified or identifiable natural person.

  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or deletion.

  • "Merchant" means the Shopify store owner who installs the MagicSearch application.

  • "End User" means customers and visitors who use the search functionality on a Merchant's store.

  • "PII" means Personally Identifiable Information such as names, email addresses, phone numbers, or physical addresses.

  • "Service" means the MagicSearch application, including all features, functionalities, and related services.

2. SCOPE AND APPLICATION

This Policy applies to:

  1. Merchants who install and use MagicSearch on their Shopify stores

  2. End Users who interact with the MagicSearch search functionality on Merchant stores

  3. Visitors to the MagicSearch website and related properties

This Policy does not apply to third-party services, websites, or applications that may be accessed through links in our Service.

3. INFORMATION WE COLLECT

3.1 Information We DO NOT Collect

MagicSearch is designed with privacy by default. We explicitly do NOT collect or process:

  • End User names (first name, last name)

  • Email addresses

  • Phone numbers

  • Physical addresses (billing or shipping)

  • Payment card information

  • Government-issued identification numbers

  • Social security numbers or tax IDs

  • Any other Personally Identifiable Information (PII) as defined by GDPR, CCPA, or Israeli Privacy Protection Law

3.2 Information We Collect

We collect only the minimum information necessary to provide and improve our Service:

3.2.1 Anonymous Identifiers

We generate and store anonymous identifiers that do NOT contain PII:

  • User ID: A randomly generated anonymous identifier created locally in the End User's browser

    • Format: user_[timestamp]_[random_string]

    • Example: user_1699876543_a8f3k2m9

    • Purpose: Enable personalized recommendations without identifying individuals

    • Storage: Browser localStorage only

  • Session ID: A unique session identifier (UUID v4 format) generated for each browsing session

    • Example: 550e8400-e29b-41d4-a716-446655440000

    • Purpose: Track search conversion funnel and attribute purchases to searches

    • Storage: Browser localStorage and Shopify cart attributes

    • Lifespan: Session duration only

Important: These identifiers are:

  • Generated client-side (in the browser)

  • Not linked to any PII

  • Cannot be reverse-engineered to identify individuals

  • Compliant with GDPR, CCPA, and Israeli privacy law as non-personal data

3.2.2 Search Query Data

  • Search queries: Text entered by End Users in the search bar

    • Example: "toys for 8 year old boy"

    • Purpose: Provide relevant search results and improve search accuracy

  • Search results: Products displayed in response to queries

    • Purpose: Measure search effectiveness and relevance

  • Product interactions: Clicks on search results

    • Purpose: Improve product ranking algorithms

  • Search performance metrics:

    • Processing time

    • AI parsing success/failure

    • Number of results returned

3.2.3 Technical Information

  • IP Address: Collected automatically when requests are made to our servers

    • Purpose: Security, fraud prevention, rate limiting, geographic analytics (country-level only)

    • Retention: 30 days in access logs

    • Note: Not used to identify individuals; analyzed only in aggregate

  • Timestamp: Date and time of search queries and events

    • Purpose: Time-series analysis, performance monitoring

  • HTTP Headers: Standard web request headers

    • User-Agent string (browser type - optional, not currently collected)

    • Referrer URL

    • Accept-Language

3.2.4 Conversion Tracking Data

  • Add-to-Cart Events: When an End User adds a product to cart after searching

    • Data collected: Product ID, Session ID, Timestamp

    • Purpose: Calculate search-to-cart conversion rates

  • Purchase Conversions: Whether a session resulted in a completed purchase

    • Data collected: Session ID, Timestamp, Transaction occurred (boolean)

    • NOT collected: Transaction amount, products purchased, payment method, customer details

    • Purpose: Calculate search-to-purchase conversion rates

Conversion Tracking Mechanism:

  • Session ID is automatically added to Shopify cart attributes as magic_search_session_id

  • When a purchase is completed, Shopify webhooks notify our system (session ID only)

  • We record: "Session [ID] resulted in purchase: Yes/No"

  • This allows attribution of conversions to searches while maintaining End User privacy

3.2.5 Merchant Store Data

When a Merchant installs MagicSearch, we access the following data via Shopify Storefront API (NOT Admin API):

  • Product Catalog:

    • Product titles and descriptions

    • Product prices and currency

    • Product images and alt text

    • Product types and categories

    • Product tags

    • Inventory availability

    • Vendor names

  • Store Configuration:

    • Store domain name

    • Store primary language

    • Currency settings

What We Do NOT Access:

  • Customer data (names, emails, addresses, phone numbers)

  • Order history or transaction details

  • Customer lists or contact information

  • Payment information

  • Admin API protected customer data

API Permissions: We use only unauthenticated_read_products and unauthenticated_read_product_listings scopes, which do not grant access to protected customer data.

4. HOW WE USE INFORMATION

We process collected information solely for the following legitimate purposes:

4.1 Provide Core Service Functionality

  • Search Processing: Parse search queries using AI to understand user intent (age, gender, category, interests)

  • Product Matching: Rank and score products based on relevance to search queries

  • Personalization: Generate customized search headlines and product recommendations

  • Real-time Results: Deliver search results with sub-7-second response times

4.2 Personalized Recommendations

  • Preference Learning: Build anonymous user preference profiles based on search history

    • Example: User searches for "LEGO for 8 year old" → System learns user is interested in age 8, toys, building sets

    • Profile stored: { interests: ["LEGO", "building"], age_preferences: {"8": 3}, category_preferences: {"toys": 5} }

  • Future Recommendations: Use learned preferences to improve subsequent search results

    • Example: Future searches for "birthday gift" may prioritize LEGO sets based on past interests

Important: All preference profiles are:

  • Linked only to anonymous User IDs

  • Never shared across different Merchant stores

  • Automatically deleted after 90 days of inactivity

4.3 Analytics and Insights for Merchants

We provide Merchants with aggregate analytics through a dashboard showing:

Metrics Provided:

  • Total number of searches (7-day, 30-day, all-time)

  • Top search queries (ranked by frequency)

  • Zero-results rate (searches returning no products)

  • Search-to-click conversion rate

  • Search-to-purchase conversion rate

  • Average search processing time

  • Most searched age groups (e.g., "age 8", "age 6-10")

  • Most searched categories (e.g., "toys", "books")

Privacy Protections:

  • All analytics are aggregated and anonymized

  • No individual End User data is displayed or accessible to Merchants

  • Merchants cannot identify specific customers or their search history

  • Minimum threshold: Metrics shown only when ≥10 searches to prevent identification

4.4 Service Improvement and AI Model Training

  • Algorithm Optimization: Analyze search patterns to improve AI models

    • Query parsing accuracy

    • Product ranking relevance

    • Response time optimization

  • Bug Detection: Identify and fix errors in search processing

  • A/B Testing: Compare different algorithms to determine best performance

  • Trend Analysis: Identify emerging search patterns and product demands

Data Minimization: Only non-PII data is used for model training. We do not sell, license, or share training data with AI providers (Anthropic, OpenAI, xAI) beyond real-time API requests.

4.5 Security and Fraud Prevention

  • DDoS Protection: Detect and block malicious traffic patterns

  • Spam Prevention: Identify and filter spam search queries

  • Rate Limiting: Prevent abuse by limiting requests per IP/Session

  • Access Monitoring: Log access to systems for security audits

  • Incident Response: Investigate and respond to security incidents

4.6 Legal Compliance

  • Comply with applicable laws and regulations

  • Respond to legal requests (subpoenas, court orders) when legally required

  • Enforce our Terms of Service and this Privacy Policy

  • Protect our rights, property, or safety, and that of our users

Limitations on Use:

  • We do NOT use collected information for direct marketing to End Users

  • We do NOT sell, rent, or trade user data to third parties

  • We do NOT use data for purposes beyond those disclosed in this Policy

5. INFORMATION SHARING AND DISCLOSURE

We share information only in the following limited circumstances:

5.1 AI Service Providers

To provide search functionality, we send data to third-party AI services in real-time:

Anthropic Claude (Primary AI Provider)

  • Data Sent:

    • Search queries (text only)

    • Product information (titles, descriptions, prices, tags)

    • NOT sent: User IDs, Session IDs, IP addresses, PII

  • Purpose:

    • Natural language query parsing

    • Product scoring and ranking

    • Personalized headline generation

  • Data Retention by Anthropic:

    • According to Anthropic's API Data Usage Policy:

      • API inputs/outputs are NOT used to train Claude models

      • Data may be retained for 30 days for Trust & Safety review

      • After 30 days, data is permanently deleted

  • Anthropic Privacy Policy: anthropic.com/privacy

  • Legal Basis: Legitimate interest in providing AI-powered search

OpenAI GPT (Optional/Fallback Provider)

  • Data Sent: Same as Anthropic Claude

  • Purpose: Alternative AI processing when Claude is unavailable

  • Data Retention: Per OpenAI API terms (not used for training by default)

  • Privacy Policy: openai.com/privacy

xAI Grok (Optional/Experimental Provider)

  • Data Sent: Same as Anthropic Claude

  • Purpose: Experimental AI processing capabilities

  • Privacy Policy: x.ai/privacy

Important Safeguards:

  • Only non-PII data is sent to AI providers

  • All transmission is encrypted via HTTPS/TLS

  • We do not send User IDs, Session IDs, or any identifiers

  • We have reviewed each provider's privacy policy to ensure compliance

  • We use API endpoints that do NOT retain data for model training

5.2 Shopify Platform

  • Data Sent: API requests to retrieve product information

    • Requests: Product searches, product details queries

    • Transmitted via: Shopify Storefront API (HTTPS)

  • Data Received: Product catalog data (titles, prices, images, availability)

  • API Used: Shopify Storefront API ONLY

    • Scopes: unauthenticated_read_products, unauthenticated_read_product_listings

    • NO access to Shopify Admin API or protected customer data

  • Shopify Privacy Policy: shopify.com/legal/privacy

  • Webhooks: We receive webhooks for:

    • Product updates (to refresh our search index)

    • Purchase completions (session ID only, for conversion tracking)

5.3 Hosting and Infrastructure Providers

Render.com (Primary Hosting Provider)

  • Data Stored:

    • Search logs (searches.jsonl)

    • User preferences (user-preferences.json)

    • Analytics aggregates

    • Access logs (security)

  • Server Location: Render US West (Oregon, United States)

  • Security Measures:

    • Data encrypted at rest: AES-256

    • Data encrypted in transit: TLS 1.3

    • Automated encrypted backups

    • Access restricted to authorized personnel only

    • ISO 27001 and SOC 2 Type II certified infrastructure

  • Render Privacy Policy: render.com/privacy

  • Data Processing Agreement: We have executed a DPA with Render that includes Standard Contractual Clauses (SCCs)

5.4 Circumstances Requiring Disclosure

We may disclose information when we believe in good faith that disclosure is necessary to:

  1. Legal Obligations:

    • Comply with applicable law, regulation, legal process, or governmental request

    • Respond to valid subpoenas, court orders, or other legal demands

  2. Rights Protection:

    • Enforce our Terms of Service or other agreements

    • Detect, prevent, or address fraud, security, or technical issues

    • Protect against harm to the rights, property, or safety of MagicSearch, our users, or the public

  3. Business Transfers:

    • In connection with merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction or proceeding involving MagicSearch

    • In such cases, we will require the receiving party to honor this Privacy Policy

Notice Requirement: Where legally permitted, we will notify affected users before disclosing information to third parties (government, law enforcement, or private parties).

5.5 What We Do NOT Do

  • NO data selling: We do not sell, rent, or trade user data

  • NO marketing sharing: We do not share data with advertisers or marketers

  • NO cross-store sharing: End User data from one Merchant is never shared with other Merchants

  • NO public disclosure: We do not publicly disclose user-specific data

6. INTERNATIONAL DATA TRANSFERS

6.1 Cross-Border Data Flows

MagicSearch processes data globally. Information collected in Israel or the European Economic Area (EEA) may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

Current Data Flow:

  End User (Israel/EU/Worldwide)
      ↓ HTTPS/TLS
  MagicSearch Backend (Render US West - Oregon, USA)
      ↓ HTTPS/TLS
  AI Providers (Anthropic/OpenAI - USA)

6.2 Legal Mechanisms for International Transfers

We implement appropriate legal mechanisms to ensure lawful international data transfers:

For Transfers from the European Economic Area (EEA):

  1. Standard Contractual Clauses (SCCs):

    • We have executed EU-approved Standard Contractual Clauses with our U.S.-based service providers (Render, Anthropic, OpenAI)

    • SCCs are legally binding contracts that require service providers to protect EU data according to EU standards

    • Reference: European Commission Implementing Decision 2021/914

  2. Adequate Level of Protection:

    • All service providers implement technical and organizational measures ensuring data protection equivalent to GDPR requirements

    • Measures include: encryption, access controls, security audits, DPAs, and incident response procedures

For Transfers from Israel:

  1. Adequacy Decision:

    • Israel benefits from an EU adequacy decision, recognizing Israeli data protection laws as essentially equivalent to GDPR

    • Israeli Privacy Protection Law (1981) provides robust protections comparable to GDPR

  2. U.S. Service Providers:

    • For Israel → USA transfers, we rely on SCCs and contractual protections with service providers

    • All providers commit to GDPR-equivalent data protection standards

6.3 Additional Safeguards

To further protect international data transfers, we implement:

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)

  • Data Minimization: Only non-PII data transferred to minimize risk

  • Access Controls: Strict authentication and authorization for system access

  • Monitoring: Continuous monitoring for unauthorized access or data breaches

  • Contractual Obligations: DPAs with all service providers requiring GDPR/CCPA-level protections

6.4 Your Rights Regarding International Transfers

If you are located in the EEA or Israel, you have the right to:

  • Object to international data transfers

  • Request a copy of the safeguards we use (e.g., SCCs)

  • Lodge a complaint with your local data protection authority

To exercise these rights, contact us at: office@lemonedia.co.il

7. DATA SECURITY

7.1 Technical and Organizational Measures

We implement industry-standard security measures to protect information from unauthorized access, alteration, disclosure, or destruction:

7.1.1 Encryption

  • In Transit:

    • TLS 1.3 encryption for all data transmission

    • HTTPS enforced on all endpoints

    • Certificate pinning for API communications

  • At Rest:

    • AES-256 encryption for all stored data

    • Encrypted database storage

    • Encrypted file systems

  • Backups:

    • All backups encrypted with AES-256

    • Secure backup storage with restricted access

    • Regular backup integrity testing

7.1.2 Access Controls

  • Authentication:

    • Multi-factor authentication (MFA) required for all administrative access

    • Strong password requirements (minimum 16 characters, complexity rules)

    • Regular password rotation policy

  • Authorization:

    • Role-based access control (RBAC)

    • Principle of least privilege (users granted minimum necessary access)

    • Separation of duties for sensitive operations

  • Access Logging:

    • All access to systems and data logged

    • Logs retained for 30 days

    • Regular log review for suspicious activity

    • Tamper-proof log storage

7.1.3 Network Security

  • Firewall Protection: Web application firewall (WAF) protecting all endpoints

  • DDoS Mitigation: Cloudflare/Render DDoS protection active

  • Rate Limiting: Automatic throttling of excessive requests

  • IP Whitelisting: Administrative access restricted to authorized IP ranges

7.1.4 Application Security

  • Secure Coding Practices:

    • Input validation and sanitization

    • Protection against OWASP Top 10 vulnerabilities

    • Regular dependency updates and vulnerability patching

  • API Security:

    • API key rotation policy

    • Webhook signature verification

    • Request size limits

    • Timeout protection

7.1.5 Data Loss Prevention (DLP)

  • Monitoring: Continuous monitoring for data exfiltration attempts

  • Anomaly Detection: AI-based detection of unusual data access patterns

  • Alerting: Immediate alerts for suspected security incidents

  • Data Segregation: Production and test environments strictly separated

7.2 Organizational Security Measures

  • Employee Training: Regular security awareness training for all staff

  • Background Checks: Background screening for employees with data access

  • Confidentiality Agreements: All employees sign NDAs and data protection agreements

  • Limited Personnel Access: Only authorized personnel access production systems

    • Current authorized staff: 2 persons (CEO + Lead Developer)

7.3 Third-Party Security

  • Vendor Assessment: All service providers undergo security review before engagement

  • Certifications Required: ISO 27001, SOC 2 Type II, or equivalent

  • Contractual Security Requirements: DPAs mandate specific security controls

  • Regular Audits: Periodic review of third-party security practices

7.4 Incident Response

We maintain a Security Incident Response Plan:

  1. Detection: Automated monitoring and manual review

  2. Containment: Immediate isolation of affected systems (within 4 hours)

  3. Investigation: Root cause analysis and impact assessment

  4. Notification:

    • Internal escalation: Immediate

    • Affected users: Within 72 hours of discovery (GDPR requirement)

    • Regulatory authorities: As required by applicable law (72 hours for GDPR)

  5. Remediation: Fix vulnerabilities and restore services (target: 5 business days)

  6. Post-Incident Review: Lessons learned and security improvements

Incident Notification: In the event of a data breach affecting Personal Data, we will:

  • Notify affected Merchants via email

  • Provide details of the breach, affected data, and remediation steps

  • Offer assistance and guidance to affected parties

  • Report to relevant data protection authorities as legally required

7.5 Limitations

No System is 100% Secure: While we implement robust security measures, no method of transmission or storage is completely secure. We cannot guarantee absolute security of information.

Your Responsibility: You are responsible for:

  • Maintaining confidentiality of your MagicSearch account credentials

  • Using secure networks when accessing the Service

  • Promptly notifying us of any suspected unauthorized access

8. DATA RETENTION

We retain information only as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law.

8.1 Retention Periods

| Data Type | Retention Period | Purpose | Deletion Method |
|---|---|---|---|
| Search Query Logs | 90 days | Analytics, AI model improvement | Automatic purge after 90 days |
| User Preference Profiles | 90 days from last activity | Personalized recommendations | Automatic purge after 90 days inactivity |
| Session Data | End of session | Conversion tracking | Deleted when session expires or after 24 hours |
| Conversion Data | 90 days | Attribution analysis | Automatic purge after 90 days |
| Analytics Aggregates | 12 months | Long-term trend analysis | Rolled up into annual summaries |
| Access Logs (Security) | 30 days | Security audits, incident response | Automatic purge after 30 days |
| Backup Data | 30 days | Disaster recovery | Encrypted backups purged after 30 days |
| Merchant Account Data | Until app uninstall + 30 days | Service provision | Manual deletion upon uninstall request |

8.2 Automatic Deletion

  • Scheduled Purges: Automated scripts run daily to delete expired data

  • Soft Delete: Data first moved to "deleted" status, then hard deleted after 7 days (allows recovery from accidental deletion)

  • Verification: Monthly audits to ensure retention policies are enforced

8.3 Exceptions to Retention Periods

We may retain information longer than specified periods when:

  1. Legal Obligation: Required by law, regulation, or court order

    • Example: Tax records, legal dispute documentation

  2. Legitimate Interest: Necessary for fraud prevention or security investigation

    • Example: Evidence of Terms of Service violations

  3. Consent: User explicitly consents to longer retention

  4. Aggregated Data: Fully anonymized, aggregated data (no longer Personal Data) may be retained indefinitely for research and analytics

8.4 Data Deletion Upon Request

You may request deletion of your data at any time (see Section 9.2). Upon receipt of a valid deletion request, we will:

  • Delete data within 14 calendar days

  • Confirm deletion via email

  • Delete data from active systems, backups, and archives

  • Exception: Data we are legally required to retain

9. YOUR RIGHTS AND CHOICES

Depending on your location and applicable law, you may have the following rights regarding your information:

9.1 Right to Access (GDPR Art. 15, CCPA § 1798.110)

What: You have the right to request confirmation of whether we process your Personal Data and obtain a copy of that data.

How to Exercise:

  • Email: office@lemonedia.co.il

  • Subject: "Data Access Request"

  • Provide: User ID or Session ID (if known), approximate dates of use

Response Time: 30 days (may extend to 60 days for complex requests)

Format: We will provide data in JSON or CSV format

9.2 Right to Deletion / "Right to be Forgotten" (GDPR Art. 17, CCPA § 1798.105)

What: You have the right to request deletion of your Personal Data.

How to Exercise:

  • Email: office@lemonedia.co.il

  • Subject: "Data Deletion Request"

  • Provide: User ID, Session ID, or description of searches performed

Response Time: 14 calendar days

Scope: We will delete all data linked to your identifiers, including:

  • Search history

  • User preference profiles

  • Session data

  • Conversion records

Exceptions: We may retain data if:

  • Required by law (e.g., tax records, legal compliance)

  • Necessary for fraud prevention or security investigation

  • Aggregated/anonymized data (no longer identifies you)

9.3 Right to Rectification (GDPR Art. 16, CCPA § 1798.106)

What: You have the right to correct inaccurate Personal Data.

How to Exercise:

  • Email: office@lemonedia.co.il

  • Subject: "Data Correction Request"

  • Specify: Data to be corrected and accurate information

Response Time: 14 calendar days

Note: Since we collect minimal data, correction requests are rare. Most applicable to Merchant account information.

9.4 Right to Data Portability (GDPR Art. 20)

What: You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format.

How to Exercise:

  • Email: office@lemonedia.co.il

  • Subject: "Data Portability Request"

Response Time: 30 days

Format: JSON or CSV file containing all your data

9.5 Right to Object / Opt-Out (GDPR Art. 21, CCPA § 1798.120)

What: You have the right to object to processing of your Personal Data for certain purposes.

How to Exercise:

  • Personalized Recommendations: Clear browser localStorage to reset User ID

  • Analytics: Contact us to exclude your data from analytics

  • All Processing: Email data deletion request (Section 9.2)

Effect: We will cease processing your data for the specified purpose, except where we have compelling legitimate grounds that override your interests.

9.6 Right to Restrict Processing (GDPR Art. 18)

What: You have the right to request limitation of processing in certain circumstances (e.g., while disputing accuracy).

How to Exercise:

  • Email: office@lemonedia.co.il

  • Subject: "Processing Restriction Request"

  • Specify: Reason for restriction

Response Time: 14 calendar days

9.7 Right to Withdraw Consent (GDPR Art. 7(3))

What: Where processing is based on consent, you may withdraw consent at any time.

How to Exercise:

  • Stop using MagicSearch service

  • Request data deletion (Section 9.2)

  • Merchant: Uninstall the MagicSearch app

Effect: We will cease processing, but past processing remains lawful.

9.8 Right to Lodge a Complaint

What: You have the right to lodge a complaint with a data protection authority.

Relevant Authorities:

9.9 Automated Decision-Making and Profiling (GDPR Art. 22)

MagicSearch's Position:

  • We use AI for product ranking and recommendations

  • This does NOT constitute automated decision-making with legal or similarly significant effects

  • Our AI assists with search; it does not make decisions about credit, employment, housing, or other legally significant matters

Your Right: If you believe our processing involves impactful automated decision-making, you have the right to human review and to contest the decision.

9.10 How to Exercise Your Rights

Contact Information:

  • Email: office@lemonedia.co.il

  • Subject Line: Specify right being exercised (e.g., "Data Access Request")

  • Attention: Alon Mesika, Privacy Officer

Identity Verification: To protect your privacy, we may request information to verify your identity before processing requests (e.g., User ID, recent search queries, email associated with Merchant account).

No Fee: Exercising your rights is free of charge, unless requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse the request).

Response Time:

  • Standard: 30 days

  • Complex requests: Up to 60 days (we will inform you of any extension)

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 What We Use

MagicSearch uses browser localStorage (not cookies) to store:

  • User ID: Anonymous identifier for personalized recommendations

  • Session ID: Unique session identifier for conversion tracking

localStorage vs. Cookies:

  • localStorage data is stored only on your device

  • localStorage does not transmit to servers with each request (unlike cookies)

  • localStorage is accessible only by MagicSearch code on the specific domain

10.2 Third-Party Tracking

We do NOT use:

  • Advertising cookies

  • Cross-site tracking cookies

  • Third-party analytics cookies

Shopify Tracking: Merchants may use Shopify's own analytics and tracking, which is governed by Shopify's Privacy Policy, not ours.

10.3 Your Control

How to Clear localStorage:

  • Chrome/Edge: Settings → Privacy → Clear browsing data → Cookies and site data

  • Firefox: Settings → Privacy → Clear Data → Cookies and Site Data

  • Safari: Settings → Privacy → Manage Website Data → Remove All

Effect of Clearing:

  • Your User ID and Session ID will be deleted

  • You will receive a new User ID on next visit

  • Personalized recommendations will reset

  • Past search history will no longer be linked to you

10.4 Do Not Track (DNT)

Currently, there is no industry standard for responding to Do Not Track signals. MagicSearch does not respond to DNT signals because:

  • We do not track users across websites

  • We do not share data with advertisers

  • Our tracking is limited to anonymous identifiers within a single Merchant's store

11. CHILDREN'S PRIVACY

11.1 Age Restrictions

MagicSearch is not directed to children under the age of 16. We do not knowingly collect Personal Data from children under 16.

Note: The Service is used by End Users of Merchant stores. Many Merchants sell products for children, and parents may search for "toys for 8 year old." This does NOT mean we collect data from children—we collect only anonymous search queries from the adult user.

11.2 Parental Rights

If you are a parent or guardian and believe your child under 16 has provided us with Personal Data:

  • Contact us immediately: office@lemonedia.co.il

  • We will: Delete the data within 14 days

11.3 Compliance

  • COPPA (USA): We comply with Children's Online Privacy Protection Act

  • GDPR (EU): We comply with GDPR requirements for processing children's data (consent from holder of parental responsibility for children under 16)

  • Israeli Law: We comply with Israeli Privacy Protection Law regarding children

12. CHANGES TO THIS PRIVACY POLICY

12.1 Right to Modify

We reserve the right to modify this Privacy Policy at any time. Changes may be necessary due to:

  • Changes in applicable law

  • Introduction of new features or services

  • Feedback from users or regulators

  • Best practice updates

12.2 Notification of Changes

Material Changes: If we make material changes that affect how we collect, use, or share Personal Data, we will:

  • Update the "Last Updated" date at the top of this Policy

  • Send email notification to Merchants at their registered email address

  • Display a prominent notice in the MagicSearch dashboard

  • Provide 30 days' notice before changes take effect

Non-Material Changes: For minor changes (e.g., clarifications, formatting), we will update the Policy without notification.

12.3 Your Consent to Changes

Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

If You Disagree: If you do not agree with changes, you must:

  • Stop using the Service

  • Merchants: Uninstall the MagicSearch app

  • Request deletion of your data (Section 9.2)

12.4 Version History

We maintain a changelog of Privacy Policy versions. To request prior versions, contact: office@lemonedia.co.il

13. MERCHANT-SPECIFIC PROVISIONS

13.1 Merchant as Data Controller

Merchants are independent data controllers for Personal Data collected through their Shopify stores. MagicSearch acts as a data processor on behalf of Merchants.

Data Processing Agreement (DPA): By installing MagicSearch, Merchants agree to our Data Processing Agreement which specifies:

  • Scope and nature of processing

  • Merchant and MagicSearch obligations

  • Data subject rights procedures

  • Security requirements

  • Sub-processor list

  • Data breach notification procedures

13.2 Merchant Responsibilities

Merchants are responsible for:

  • Privacy Policy: Maintaining their own privacy policy that discloses use of MagicSearch

  • User Consent: Obtaining necessary consents from End Users (e.g., cookie banners if using cookies)

  • Data Subject Requests: Forwarding End User data requests to us for processing

  • Legal Compliance: Ensuring their use of MagicSearch complies with applicable law

  • Data Accuracy: Ensuring product data in Shopify is accurate and up-to-date

13.3 Merchant Data

We collect and process the following data about Merchants:

  • Account Information:

    • Shopify store domain

    • Shopify account ID

    • Contact email

    • Installation date

  • Usage Data:

    • Number of searches processed

    • API requests made

    • Feature usage statistics

  • Billing Information (if applicable):

    • Subscription tier

    • Payment status

    • Note: Payment processing handled by Shopify; we do not store credit card information

Retention: Merchant data is retained for the duration of the subscription plus 30 days after uninstall.

13.4 Merchant Rights

Merchants have all the rights listed in Section 9, plus:

  • Dashboard Access: View all analytics and data related to their store

  • Data Export: Request export of all data related to their store

  • Sub-processor Information: Request list of sub-processors (Section 14)

  • Security Documentation: Request details of our security measures

14. SUB-PROCESSORS AND THIRD PARTIES

As a data processor, we engage sub-processors to assist in providing the Service. Below is the complete list:

14.1 Sub-Processor List

  • Render (render.com):

    • Service Provided: Hosting, infrastructure

    • Data Shared: All data processed by MagicSearch

    • Location: USA (Oregon)

    • Safeguards: DPA, SCCs, ISO 27001, SOC 2

  • Anthropic:

    • Service Provided: AI query parsing, product scoring

    • Data Shared: Search queries, product info (no PII)

    • Location: USA

    • Safeguards: DPA, API Terms prohibit training on customer data

  • OpenAI (optional):

    • Service Provided: AI query parsing (fallback)

    • Data Shared: Search queries, product info (no PII)

    • Location: USA

    • Safeguards: DPA, API Terms prohibit training on customer data

  • xAI (optional):

    • Service Provided: AI query parsing (experimental)

    • Data Shared: Search queries, product info (no PII)

    • Location: USA

    • Safeguards: API Terms

  • Shopify:

    • Service Provided: E-commerce platform

    • Data Shared: API requests for product data

    • Location: Global

    • Safeguards: Shopify Terms of Service

14.2 Sub-Processor Changes

Notification: We will notify Merchants at least 30 days before engaging a new sub-processor or changing an existing one.

How to Object: Merchants may object to a new sub-processor by:

  • Emailing: office@lemonedia.co.il within 14 days of notification

  • If objection is not resolved, Merchant may terminate the Service without penalty

14.3 Sub-Processor Obligations

All sub-processors are contractually bound to:

  • Process data only per our instructions

  • Implement appropriate security measures

  • Maintain confidentiality

  • Assist with data subject requests

  • Notify us of data breaches

  • Delete data upon termination

15. LEGAL BASIS FOR PROCESSING (GDPR)

For users in the European Economic Area, our legal bases for processing Personal Data are:

  • Search functionality:

    • Legal Basis: Legitimate interest (providing service)

    • GDPR Article: Art. 6(1)(f)

  • Personalized recommendations:

    • Legal Basis: Legitimate interest (service improvement)

    • GDPR Article: Art. 6(1)(f)

  • Analytics:

    • Legal Basis: Legitimate interest (business optimization)

    • GDPR Article: Art. 6(1)(f)

  • Conversion tracking:

    • Legal Basis: Legitimate interest (measuring effectiveness)

    • GDPR Article: Art. 6(1)(f)

  • Security measures:

    • Legal Basis: Legitimate interest (protecting systems and users)

    • GDPR Article: Art. 6(1)(f)

  • Legal compliance:

    • Legal Basis: Legal obligation

    • GDPR Article: Art. 6(1)(c)

  • Contract with Merchants:

    • Legal Basis: Contract performance

    • GDPR Article: Art. 6(1)(b)

Legitimate Interest Assessment:

  • Our interest: Providing effective AI-powered search service

  • User benefit: Improved search experience, relevant results

  • Balance: Minimal data collected (no PII), strong security, user rights respected

  • Alternative: Without processing, service cannot function

Right to Object: You may object to processing based on legitimate interest (Section 9.5).

16. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

16.1 Information for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide additional rights:

Categories of Personal Information Collected (last 12 months):

  • Identifiers: User ID (anonymous), Session ID (anonymous), IP address

  • Internet Activity: Search queries, product clicks, browsing history on Merchant stores

  • NOT collected: Name, email, phone, address, social security number, payment info

Business Purpose: Provide AI-powered search service (see Section 4)

Sale or Sharing: We do NOT sell or share Personal Information

Sensitive Personal Information: We do NOT collect sensitive Personal Information

16.2 Your California Privacy Rights

  • Right to Know: Request disclosure of Personal Information collected (Section 9.1)

  • Right to Delete: Request deletion of Personal Information (Section 9.2)

  • Right to Correct: Request correction of inaccurate information (Section 9.3)

  • Right to Opt-Out: Opt-out of sale/sharing (N/A - we don't sell)

  • Right to Limit Use: Limit use of Sensitive Personal Information (N/A - we don't collect)

  • Right to Non-Discrimination: We will not discriminate for exercising CCPA rights

16.3 How to Exercise California Rights

  • Email: office@lemonedia.co.il

  • Subject: "California Privacy Rights Request"

  • Verification: We may request information to verify your identity

  • Authorized Agent: You may designate an authorized agent to make requests on your behalf (requires written authorization)

Response Time: 45 days (may extend to 90 days for complex requests)

17. DATA PROTECTION OFFICER / PRIVACY CONTACT

For all privacy-related inquiries, requests, or complaints:

Privacy Officer: Alon Mesika
Company: Alfa Marketing (MagicSearch)
Email: office@lemonedia.co.il
Address: Achi Dakar 4, Israel
Response Time: We aim to respond within 5 business days

18. CONTACT INFORMATION

18.1 General Inquiries

Email: office@lemonedia.co.il
Subject Line: "Privacy Policy Inquiry"

18.2 Data Protection Requests

Email: office@lemonedia.co.il
Subject Line: Specify request type (e.g., "Data Access Request", "Data Deletion Request")

18.3 Security Incidents

If you discover a security vulnerability or data breach:

Email: office@lemonedia.co.il
Subject: "URGENT: Security Incident Report"
Response Time: We will acknowledge within 4 hours and investigate immediately

18.4 Mailing Address

Alfa Marketing
Achi Dakar 4
Israel
Company Registration: 215229766

19. GOVERNING LAW AND JURISDICTION

19.1 Governing Law

This Privacy Policy is governed by the laws of the State of Israel, without regard to conflict of law principles.

19.2 Jurisdiction

Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Tel Aviv, Israel.

19.3 International Users

If you access the Service from outside Israel, you are responsible for compliance with local laws regarding online conduct and data privacy.

20. SEVERABILITY

If any provision of this Privacy Policy is found to be unenforceable or invalid by a court of competent jurisdiction, the remaining provisions will remain in full force and effect.

21. ENTIRE AGREEMENT

This Privacy Policy, together with our Terms of Service and Data Processing Agreement, constitutes the entire agreement between you and MagicSearch regarding privacy and data protection.

22. LANGUAGE

This Privacy Policy is provided in English. In case of conflict between English and any translated version, the English version shall prevail.

ACKNOWLEDGMENT AND ACCEPTANCE

By using MagicSearch, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Last Updated: November 13, 2025
Version: 1.0
Effective Date: November 13, 2025

END OF PRIVACY POLICY

QUICK REFERENCE SUMMARY

What Data We Collect

  • Anonymous User ID and Session ID

  • Search queries and product interactions

  • IP address (for security)

  • Conversion events (add-to-cart, purchase)

What Data We DON'T Collect

  • Names, emails, phone numbers, addresses

  • Payment information

  • Government IDs

  • Any Personally Identifiable Information (PII)

How We Use Data

  • Provide AI-powered search

  • Personalized recommendations

  • Analytics for store owners

  • Improve AI models

  • Security and fraud prevention

How We Protect Data

  • AES-256 encryption at rest

  • TLS 1.3 encryption in transit

  • Access controls and authentication

  • Regular security audits

  • 90-day data retention (auto-delete)

Your Rights

  • Access your data

  • Delete your data

  • Correct your data

  • Export your data

  • Object to processing

  • Lodge a complaint with authorities

Contact Us

Email: office@lemonedia.co.il
Company: Alfa Marketing, Israel

© 2025 Alfa Marketing. All rights reserved.