Autopilot Privacy Policy

Updated: March 24th, 2026

Latest March 24 2026 update in a nutshell:

We've updated our Privacy Policy to be more transparent about how your data is handled by the tools that power Autopilot:

New disclosures. We now explain exactly which third-party services process your data, what they receive, and why — covering authentication (WorkOS), customer support (ClearFeed), session replay and analytics (Fullstory), notifications (Knock), and error monitoring (Sentry).

Session replay. We use Fullstory to record how you interact with the product (clicks, scrolls, navigation). Sensitive inputs are masked. Recordings are used only to improve the product and are not shared or sold.

AI-assisted support. Our support platform may use AI to suggest responses and route your requests. A human is always in the loop for any consequential decisions.

Notifications. We now use Knock to send you emails, push notifications, SMS, and in-app messages. You can manage your preferences in your account settings.

Error monitoring. We use Sentry to catch bugs. It may collect technical data like device info and error logs. We configure it to minimize personal data collection.

Cross-border transfers. We've replaced outdated Privacy Shield references with the current EU-U.S. Data Privacy Framework and updated Standard Contractual Clauses.

Governing law. Now consistently New York across both our Terms of Service and Privacy Policy.

Your rights over your data haven't changed. Questions? Contact dpo@autopilotbrand.com.

---

Autopilot Inc. (together with its affiliates, “Autopilot”, “we”, “us” or “our”) is committed to protecting the privacy and the security of the personal information provided to us via our Products, while continuing to provide shoppers of our Store-based Clients, at the written direction of our Store-based Clients (defined below), with merchant operations and financial accounting insights that are customized to the unique set of products of each Client. Insights and actions are tied to products offered by a store, meaningful, and dynamic, as well as to provide general market intelligence or financial or operational analysis based on aggregated information (the “Purpose”). While we accept personal information regarding shoppers from our Store-based Clients, any output of that information provided to those Store-based Clients, or any other third-party, is limited to aggregated, non-identifying, and non-personal information and, moreover, Autopilot will not sell, rent, lease, share or disclose any Personally-Identifying Information, except as permitted by this Privacy Policy. All capitalized terms used herein shall have the meaning as defined herein, or if not defined, the meaning as set forth in our Autopilot Terms of Service. The term “Shoppers” shall be used herein to mean those individuals that use our Store-based Clients’ webpages or other accessible platforms or portals and who may or may not provide their personal information.

This Privacy Policy is based on the following principles/requirements:

Our Relationship to Our Clients and Their Shoppers

Autopilot provides its Services to help its approved and contracted store-based clients (hereinafter “Store-based Clients”) to achieve the Purposes, as defined above. Autopilot, at the written direction and authorization of our Store-based Clients, may obtain certain information regarding Shoppers as they use and provide information to our Store-based Clients. No matter who provides us with personal information, however, our commitment to privacy remains strong.

While Autopilot ensures that any collection and subsequent disclosure to Autopilot of any personal information via our Store-based Clients is in compliance with this Privacy Policy, we rely on and require our Store-based Clients to obtain Shoppers’ informed consent and to provide access to this policy.

In some cases, Shoppers using Autopilot may enable or authorize their access to a Store-based Client’s e-Commerce platform, and/or Autopilot Products operating therein, using a third-party tool or a social networking site (“Third-Party Platform”), such as Meta, Google or OpenAI. Accordingly, a Shopper must read and accept the terms of service and privacy policy of that Third-Party Platform, and Autopilot cannot assume liability for any Shopper’s failure to do so. Further, Autopilot may also process data previously, independently, or concurrently provided to the applicable Store-based Client by a Shopper (e.g. Autopilot may obtain data through a Store-Based Client’s accounting tool, CRM or another data repository, or from other third-parties with whom they interact in association with providing their services to a given Shopper). Autopilot takes reasonable administrative efforts to ensure that Store-based Clients provide an opportunity for Shoppers to have access to, and be given an opportunity to consent to, this Privacy Policy. Shoppers should also read and accept the terms of service and privacy policy of the Store-based Client. In some cases, Autopilot may use Cookies (as that term is defined below) in association with a Third-Party Platform (e.g. Meta, Google, Fullstory) in order to provide information to a Shopper via such Third-Party Platforms, particularly in the form of advertising, the content of which is selectively determined by such Shopper’s interaction with the Third-Party Platform in question. None of such Shopper’s personal information is copied by or transferred to Autopilot from any Third-Party Platform in this circumstance.

Autopilot relies upon its Store-based Client to obtain informed consent regarding the use of Autopilot Products on their e-Commerce Platforms, including providing access to this Privacy Policy prior to acquiring consent. Autopilot is not responsible for any act or omission of a Store-Based Client if the client fails to acquire, or is deficient in any way in acquiring such informed consent. To the extent that the client’s collection, use, or disclosure of personal information provided to Autopilot, prior to, independently of, or concurrently with the provision of Shopper data to Autopilot fails to comply with this Privacy Policy or applicable data protection or other laws, Autopilot has no ability to control, manage, or indeed identify such non-compliance. Any inquiries regarding independent acts or omissions involving a Shopper’s personal information by our Store-based Client must be directed to that Store-based Client.

How We Collect Shopper Information

Directly From a Store-based Client Site: Shoppers engage Autopilot Products or Services when a Store-based Client installs one of our Plug-ins, Apps or other Product in association with its e-Commerce Platform. This incorporates functionality through the Autopilot API Platform. Using the Autopilot API, or other similarly installed Product, through a Shopper’s interaction with one of our Store-based Client’s e-commerce platforms, we collect certain information that is provided to such e-commerce platforms about Shoppers, Shoppers’ interest in product offerings, Shoppers’ historical and new orders, Shoppers’ details that are provided to the e-commerce platform, and Shoppers’ behavior and interactions while visiting the e-commerce platform. By engaging in any of the foregoing activities and/or providing consent to provide such information by accepting the terms of this Privacy Policy (as required by applicable law, and which should be incorporated into our Store-based Client’s privacy or data protection policies), Shoppers, by virtue of such engagement or consent, authorize Autopilot to collect, store and use any such data that comprises personal information in accordance with this Privacy Policy.

Through a Third-Party Platform and/or Store CRM: In some cases, Shoppers may authenticate themselves within your Autopilot-enabled store by signing on using a Third-Party Platform, or a Store-based Client may provide Autopilot access to some other form of Shopper identification pursuant to such Store-based Client’s privacy policy (e.g. an eCommerce Platform’s accounting and operations tools or CRM). This information is necessary to carry out the Purpose. This information may vary and may be affected by the privacy settings Shoppers establish with the applicable Third-Party Platform and/or the Store-based Client. Shoppers should be able to control and find out more about these settings at the Third-Party Platform used to access or use Autopilot Products or Services, and/or through the terms and/or privacy policy of the applicable Store-Based Client or its CRM tool if there is one. By using or accessing any of our products or software through a Third-Party Platform login, and/or a store CRM, Shoppers, pursuant to the terms of the applicable Third-Party Platform and/or e-Commerce Platforms (including their CRM), authorize us to process such information in accordance with this Privacy Policy and the corresponding privacy terms and settings of the applicable Third-Party Platform and/or e-Commerce Platform.

The Types of Information We May Collect

We collect two types of information. Both types of information are required to provide the Autopilot Purposes that are offered via an Autopilot-enabled Store-based Client’s eCommerce platform, or through related channels (e.g. Emails, Messages, Advertising, etc.).

The first type of information is Personally-Identifying Information (“PII”). The other type of information is Non-Personally Identifying Information (“NPII”).

PII includes information that is uniquely associated with an identifiable Shopper, or that identifies a Shopper, and may specifically include age, gender, location, email address, phone number, and, in some cases, IP address. PII may also include authentication credentials and identity-provider profile data (such as name, email address, and organizational affiliation) transmitted to us by third-party authentication services when you log in via single sign-on or social login, as well as phone numbers provided for the purpose of receiving SMS notifications.

NPII may include information that is collected directly from a Shopper, during a Shopper’s interaction with the site, or from information provided to a third-party, and which does not identify, or is not uniquely associated with, an identifiable Shopper. NPII includes, but is not limited to, a Store-based Client’s name and location, Store-based Client product and collections information, non-identifying order information, Store-based Client CRM/Loyalty programs, age range, association with a geographical or network area, Shoppers’ general interests as indicated by their interaction with an e-Commerce Platform (such as selections thereon), Shoppers’ shopping behavior, and Shoppers’ choices within Autopilot’s enabled e-Commerce Platforms. NPII may also include information that is non-personally identifying but was generated from PII, such as by aggregation with other PII or anonymization. NPII may also include: (i) digital experience and behavioral data, such as session recordings, click and scroll patterns, mouse movements, page interaction data, heatmap data, device type, operating system, browser type and version, screen resolution, and session duration, collected through digital experience analytics tools; (ii) application diagnostic data, such as error logs, stack traces, performance metrics, request and response metadata (including URL paths and query parameters), and software environment information, collected through application monitoring tools; (iii) notification delivery and engagement data, such as message delivery status, open and click events, notification preferences, and channel-specific identifiers (e.g., push tokens), collected through notification delivery services; and (iv) support interaction metadata, such as timestamps, channel identifiers, ticket status, and response times, collected through customer support platforms. 
Note that certain diagnostic data (such as IP addresses) may constitute PII under applicable law and will be treated accordingly.

How We Use and Disclose Information

Third-Party Service Providers. Autopilot may employ or engage other companies and individuals to perform tasks on our behalf and may need to share information with them to provide our Products and Services. These third-party service providers receive only the information necessary to perform their designated functions and are contractually prohibited from using it for any other purpose. Our current categories of third-party service providers include:

We may update the specific providers within each category from time to time, with reasonable advance notice as described in our Terms of Service. An up-to-date list of our sub-processors is available upon request by contacting dpo@autopilotbrand.com.

How We Use Cookies and Other Technologies

Autopilot Products and our store customers may use “cookies” and other technologies such as pixel tags and web beacons in our Products. In some cases, these may also be incorporated into a store customer’s website, app, or platform, and/or they may be implemented by an Autopilot Product specifically. These technologies help us better track and understand Shopper behavior, measure the effectiveness of advertisements, generate recommendations, and generally carry out the Purpose. To the extent information collected by cookies and/or other technologies includes personal information, it will be treated as such under this Privacy Policy. For example, to the extent that Internet Protocol (IP) addresses or similar identifiers are considered personal information by local law, we will also consider such information as personal information.

Autopilot and its Store-based Clients may also use cookies and other technologies to remember personal information when Shoppers use Store-based Clients’ websites, online services, and apps, as well as to collect and store information related to such use. We may use this to make a Shopper’s experience with Autopilot-enabled eCommerce platforms more convenient, personal, and useful. This may include combining such information across different stores in order to generate information related to the Purpose (though no PII collected from one store will ever be shared with another store). For example, knowing a Shopper’s country and language helps us provide a customized and more useful shopping experience. Knowing someone using a given Shopper’s computer or device has shopped for a certain product or used a particular service helps us and our Store-based Clients, including different Store-based Clients from those on whose website (or other eCommerce platform) a cookie or other technology was used to remember or collect information; or to make advertising, permitted email communications, or recommendations more relevant to your and other Shoppers’ interests. Lastly, we may use cookies or other such technology, and information collected therefrom, to improve our services.

Session Replay and Digital Experience Analytics. In addition to cookies and similar technologies, we use digital experience analytics tools (currently Fullstory, Inc.) that record and replay user sessions on our Products. Session replay technology captures user interactions with the Products, which may include clicks, taps, scrolls, mouse movements, page navigation, form interactions, and the visual layout of pages as rendered in your browser or app. These recordings are used to understand how users interact with our Products, diagnose usability issues, identify software errors, and improve overall product quality. Session data is captured automatically when you use the Products. We configure our session replay tools to mask or exclude sensitive content such as form inputs, text fields, and personally identifying page elements from capture by default; however, the specific masking behavior depends on our implementation configuration and may be updated from time to time. Session replay data is stored by the analytics provider in accordance with the data retention period specified in our agreement with them and is accessible only to authorized Autopilot personnel. Session replay data is not sold, rented, or shared with third parties except as described in this Privacy Policy.

Application Performance Monitoring. We use application monitoring tools (currently Functional Software, Inc. d/b/a Sentry) to detect, log, and diagnose software errors, crashes, and performance issues in our Products. When an error or performance event occurs, the monitoring tool may collect technical diagnostic data, which may include stack traces, error messages, HTTP request and response metadata (including URL paths and query parameters), device and browser information (type, version, operating system), IP addresses, and in some cases a snapshot of the source code surrounding the error. We configure these tools to minimize the collection of personally identifiable information, including by disabling default PII transmission and applying server-side data scrubbing to detect and remove common sensitive data patterns (such as credit card numbers and passwords) where available. Diagnostic data is used solely for the purpose of maintaining, debugging, and improving the Products and is retained in accordance with our agreement with the monitoring provider.

How We Keep Your Information Secure

Certain features of our Products and Services use artificial intelligence and automated processing to improve service quality and efficiency. These uses currently include: (i) AI-assisted customer support, in which incoming support queries may be analyzed by AI systems to suggest relevant responses, detect sentiment, identify urgency, and route requests to appropriate team members; and (ii) AI-assisted session analysis, in which session replay data may be summarized by AI systems to identify key user interactions, frustration signals, and behavioral patterns. These AI features are designed to assist human operators and do not independently make decisions that produce legal or similarly significant effects on you. No AI system used in our Products makes decisions about your access to services, account standing, or eligibility for any benefit without human review. If you have questions or concerns about automated processing of your data, please contact us at dpo@autopilotbrand.com.

Notification Communications

We use a third-party notification infrastructure service (currently Knock Labs, Inc.) to send you transactional, product, and marketing communications through various channels, including email, SMS, push notifications, in-app messages, and chat. To deliver these communications, we share your contact information (such as email address and, where applicable, phone number), notification preferences, and relevant event or trigger data with the notification provider. The notification provider processes this information solely to deliver messages on our behalf and in accordance with our instructions. You may manage your notification preferences, including opting out of non-essential communications, through the preference center available in your Account settings. Where required by applicable law, we will obtain your prior consent before sending marketing communications or SMS messages. Transactional communications (such as account confirmations, security alerts, and service updates) may be sent without separate consent as they are necessary for the operation of your Account.

Data Retention by Third-Party Service Providers

Data processed by our third-party service providers on our behalf is retained in accordance with the terms of our agreements with those providers and for no longer than is necessary to fulfill the purposes described in this Privacy Policy. We periodically review the data retention practices of our service providers to ensure they remain consistent with applicable law and our obligations to you. Upon termination of our agreement with a service provider, or upon your request for deletion of your personal information, we will instruct the applicable provider to delete or return your data in accordance with the terms of our agreement with them and applicable law.

How We Keep Your Information Secure

The security of Shopper information is important to us. We implement reasonable security measures to protect the security of your information both online and offline, and we are committed to the protection of Shopper information. Only those individuals at Autopilot that have an obligation to maintain confidentiality may access Shopper PII.

When we handle Shopper information on the Internet we encrypt the transmission of that information using secure socket layer technology (“SSL”). Shopper information is pseudonymized and rendered as NPII. Autopilot has redundant and distributed systems, and other system measures, that provide for ongoing confidentiality, integrity, availability, and resilience. Our systems are routinely tested or assessed for their measures to ensure the security of Shopper Data.

However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect Shopper information, we cannot guarantee that unauthorized access, hacking, data loss or other breaches will never occur.

We will notify the Store-based Client, who is ultimately the data controller, from whom we obtain information in the event of unauthorized access or disclosure of such information. We will take reasonable administrative steps, by making it a condition of our Terms of Service with them, to ensure that such Store-based Client takes steps to inform the affected Shopper to the extent that it is required under applicable law.

If you have any questions about how we strive to keep information secure, you can contact us at dpo@autopilotbrand.com.

Storage and Transfer of Your Information

We may transfer, store and process Shoppers’ information, both PII and NPII, to or on computers and servers located in the United States or Europe. Accordingly, such information may be subject to the laws of these relevant jurisdictions.

Autopilot’s technical infrastructure relies on data centers and cloud service providers that are located in the United States and in Europe on Amazon’s AWS and Google Cloud platform.

Google and Amazon appear on the Department of Commerce’s list of Privacy Shield certified entities and have been certified under the EU-US Privacy Shield Framework since 2016. The European Commission adopted the EU-US Privacy Shield Framework on July 12th, 2016, replacing the International Safe Harbor Privacy Principles as the mechanism for allowing companies in the EU and the US to transfer personal data across the Atlantic in a manner compliant with the EU data protection requirements, as stated on PrivacyShield.gov.

There is no fixed period for storage of Shoppers’ PII. We will remove Shoppers’ PII upon any of the following:

The storage period for any NPII that does not relate to, or uniquely identify, a Shopper is indefinite.

Shoppers’ Rights

Autopilot supports Shoppers’ rights in the following ways:

Changes to this Privacy Policy

Our business practices change constantly and this Privacy Policy may change accordingly. We reserve the right to modify this Privacy Policy at any time. It is the responsibility of Store-based Clients, and/or Shoppers, to ensure that they are aware of the contents of this Privacy Policy, so it should be reviewed periodically. We may e-mail or post to Store-based Clients periodic reminders of our notices and conditions and any changes thereto, but are not required to do so, and so we recommend that www.autopilotbrand.com/privacy-policy be referred to regularly. Unless stated otherwise, our current Privacy Policy applies to all PII that we have about Shoppers who use Autopilot-enabled eCommerce platforms.

Questions and Concerns

This Privacy Policy, and any associated dispute, is subject to the laws of the State of New York and the federal laws of the United States of America applicable therein, without regard to conflict-of-law principles. Any claims or disputes arising out of or related to this Privacy Policy may only be brought in a court of competent jurisdiction in New York City, New York, and you irrevocably consent to the jurisdiction of such courts. If a Store-based Client or a Shopper using an Autopilot-enabled eCommerce platform has any concerns about privacy concerning Autopilot, they may contact us at dpo@autopilotbrand.com with a thorough description and we will try to resolve them.