Realify.ai ("Realify," "we," "us," "our") is operated by Realify ai Inc, a Delaware corporation (File No. 10409872) with its principal place of business at 28 Geary St STE 650 494, San Francisco, CA 94108. Engineering and product development are performed by our affiliate, Realify AI India Private Limited (Mohali, Punjab, India), which acts only under our instruction and is bound by the data-protection terms in this Policy. Realify ai Inc is the controller and the contracting party for all platform integrations, including the Amazon Selling Partner API. This Policy is effective June 1st, 2026 and is incorporated into the Terms of Service. Inquiries: legal@realify.ai.

• Account dataName, business email, phone, company, job title, hashed password.
• Billing dataBilling address and payment method; full card numbers are held by our PCI-DSS processor, Stripe. Realify does not store full card numbers.
• Connected Platform dataOperational data accessed through each platform's API on your behalf — detailed in Section 5.
• Technical dataIP addresses, browser type, device identifiers, page views, feature interactions, and error logs.
• Marketing website dataWhen you visit realify.ai, cookies, pixels, and similar technologies from Google Ads, Google Analytics 4, and Meta Ads collect data to measure marketing performance and build remarketing audiences. Our cookie consent banner allows you to accept, reject, or customize these technologies. We implement Google Consent Mode v2 to respect your consent choices before sending data to Google. See Sections 5 and 11 for your rights.

We use information solely to: (a) provide, maintain, and improve the Services; (b) generate AI-driven recommendations and analytics; (c) send transactional and support communications; (d) run, measure, and optimize advertising campaigns on Google Ads and Meta Ads on our marketing website; (e) monitor for abuse and security threats; (f) fulfill billing and legal obligations. We do not sell Customer Data or use Customer Data for our own marketing.

• Sub-processorsAs listed in Section 6, under data protection agreements.
• Advertising (marketing site only)We share marketing-website visitor data with Google and Meta for advertising, analytics, and conversion measurement, as described in Section 11.
• Legal processTo comply with valid legal process or protect our legal rights, with notice to you where permitted.
• Business transfersIn a merger or asset sale, subject to equivalent data protection obligations.
• With consentFor any other purpose with your prior consent.
• Aggregated dataDe-identified data that does not identify you. Amazon Information is excluded from all aggregation.

This section governs all data accessed through Connected Platform APIs. Each platform's requirements are stated once and apply in full. In any conflict with another provision of this Policy, the applicable platform subsection controls.

5.1 Amazon Selling Partner API

Data Accessed

Catalog and listing data; order and shipment information (buyer PII limited to what is strictly necessary for authorized fulfillment); inventory positions; pricing and promotion data; advertising performance metrics; financial settlement data.

Authorized Use and Absolute Prohibitions

Amazon Information is used solely to provide the Services to you, the authorizing seller. We do not sell, rent, lease, or license Amazon Information to any third party. Absolute prohibitions:

• (a) No aggregation or benchmarking of Amazon Information across seller accounts in any form (DPP §4.4)
• (b) No use of Amazon Information to train, fine-tune, evaluate, or benchmark AI/ML models in any form — identifiable, de-identified, or aggregated (DPP §4.3)
• (c) No generation or disclosure of insights about Amazon's business, strategy, or marketplace economics for any commercial purpose (AUP §4.5)

Retention

All retention periods are hard limits from the date of collection. Sole exception: legal obligations only (order fulfillment, tax, legally required documents) consistent with Amazon DPP §§1.5 and 2.1.

Deletion

Request deletion by emailing legal@realify.ai (subject: "Amazon Data Deletion Request") or revoking access in Seller Central. We acknowledge within 24 hours, delete from live systems within 7 business days, purge backups within 30 days, and issue a written deletion certificate within 35 days. Deletion follows NIST SP 800-88 Rev. 1.

Data Attribution (DPP §1.8)

Amazon Information is stored in a dedicated, logically separate data store. Every record is tagged at ingestion with the seller account ID and a data origin marker, enabling record-level retention enforcement and scope reports on request.

Security

All Amazon Information is stored and processed exclusively within AWS infrastructure in the United States (us-east-1 and us-west-2 regions).Personnel from Realify’s technical affiliate, Realify AI India Private Limited, may be granted time-bound, monitored remote access to U.S. production infrastructure solely for critical system engineering, debugging, and operational maintenance. All such access is governed by role-based access control (RBAC) on a least-privilege basis, and by the following mandatory controls:

Organizational Changes and Violations (AUP §§1.3, 3.11)

Realify notifies Amazon SP-API Solution Provider Support within 30 days of any organizational change affecting how Amazon Information is processed. Realify discloses to Amazon any affiliated entities with access to Amazon Information. Where Realify reasonably suspects a customer is violating their Amazon agreements, Realify notifies Amazon at spapi-abuse@amazon.com and may suspend that customer's access (AUP §1.3).

5.2 Google Ads API

Realify.ai’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Data Accessed

Campaign structures and settings; keyword and bid data; budget and pacing data; impression, click, cost, and conversion metrics; audience definitions (within your accounts only); account configuration, billing settings, and user permissions.

Authorized Use and Required Disclosures

Google Ads API data is used solely to manage and report on your authorized Google Ads accounts. By enabling this integration, you acknowledge that Realify uses the Google Ads API and that use is subject to Google's Advertising Policies at https://policies.google.com. Realify provides Full Service (campaign creation, bid management, budget control, reporting, recommendations) or Reporting-only access, as disclosed at setup. Realify maintains compliance with Google's Required Minimum Functionality (RMF) standards for the service tier activated. You are responsible for all advertising content, targeting decisions, and policy compliance within your Google Ads accounts.

Prohibited Uses

We do not, and will not: (a) scrape targeting parameters, bid status, Traffic Estimator, or Bidstream data for any purpose other than managing your authorized accounts; (b) purchase scraped Google Ads data from any third party; (c) sync Google Ads campaign data to any platform competing with Google Ads or other Google advertising products. For the avoidance of doubt, when Realify's Conductor orchestrates multi-platform omnichannel strategies, Realify separates Google Ads attribution and reporting metrics from Google's proprietary bidding parameters, targeting signals, and keyword-level data. Attribution and performance metrics may be incorporated into cross-platform reporting dashboards; Google's proprietary bidding and targeting parameters are never exported to, replicated in, or used to inform configurations on any competing advertising platform; (d) circumvent Google's advertising policies, spending limits, billing systems, or quality controls; (e) allow fully automated Google Ads operation without human-configured guardrails (Terms Section 4.2); (f) label live advertiser accounts as demo or test accounts; (g) manage third-party Google Ads accounts without their knowledge, consent, and required Google disclosures; (h) use Google Ads API data to train, fine-tune, evaluate, or benchmark any AI or machine-learning model.

Token Security and 90-Day Deletion

• EncryptionGoogle Ads API credentials, including OAuth refresh tokens and developer tokens, are AES-256 encrypted at rest and TLS 1.2+ in transit, stored in an encrypted secrets vault on a least-privilege basis.
• 90-day inactivity deletionGoogle Ads API developer tokens not used commercially for 90 consecutive days are automatically deleted, per Google Ads API Terms of Service.
• RevocationAll Google Ads credentials are purged within 48 hours of account closure, integration revocation, or Google's revocation of Realify's API access.

Retention and Deletion

Google Ads API data is retained for the duration of the active integration. Upon revocation or account closure: deleted from live systems within 30 days; purged from backups within 90 days. Written deletion confirmation provided on request.

5.3 Meta Marketing API

Data Accessed

Ad account settings and billing configuration; campaign, ad set, and ad data; impression, click, reach, frequency, and spend metrics; conversion and attribution data; audience size information (aggregate, within your accounts only); creative performance data.

Authorized Use

Meta Ads API data is used solely to manage and report on your authorized Meta advertising accounts. We do not use Meta Ads API data to provide services to any party other than the authorizing advertiser. Realify will not take any action on your Meta accounts that violates Meta's Advertising Policies or Community Standards.

API access level and App Review: Realify has completed Meta's required App Review for all API permission scopes used in the Services, including Advanced Access permissions (such as ads_management and ads_read) where applicable. Advanced Access use is limited strictly to the approved purposes stated in Realify's App Review submission.

Meta Business Tools Terms: Where Realify uses the Meta Pixel or Meta Conversions API on the realify.ai marketing website (separate from the authenticated platform), that use is governed by Meta's Business Tools Terms in addition to the Developer Policies described in this section. The two frameworks are distinct: the Developer Policies govern the Marketing API integration used to manage your ad accounts; the Business Tools Terms govern Realify's own marketing-website pixel deployment. Both are complied with separately.

Prohibited Uses

We do not, and will not: (a) sell, rent, license, or transfer Meta Ads API data to any third party; (b) build Custom Audiences or Lookalike Audiences for any party other than you as the authorizing advertiser, and only within your own accounts; (c) combine Meta Ads data with other sources to profile Meta users without valid lawful basis and consent; (d) scrape auction pricing, bid landscape, or targeting parameters; (e) facilitate content violating Meta's Community Standards; (f) reverse engineer Meta's products, APIs, algorithms, or ranking systems; (g) interfere with Meta's platforms or advertising systems; (h) use Meta Ads API data to train, fine-tune, evaluate, or benchmark any AI or machine-learning model; (i) contact Meta users identified through the API outside the authorized advertising workflow; (j) retain Meta user-level data beyond what is required or ignore a Meta-originated deletion request.

Token Security

• EncryptionMeta API tokens are AES-256 encrypted at rest and TLS 1.2+ in transit, stored in an encrypted secrets vault on a least-privilege basis.
• Permission scopesRealify requests only the minimum Meta API permission scopes required for the features you enable and maintains current Meta App Review approvals for all permissions used.
• RevocationAll Meta API tokens are purged within 48 hours of account closure, integration revocation, or Meta's revocation of Realify's app access.

Retention and Deletion

Meta Ads API data is retained for the duration of the active integration. Upon revocation or account closure: deleted from live systems within 30 days; Meta user-level data purged immediately upon a Meta-originated deletion request; backups purged within 90 days. Written deletion confirmation on request.

5.4 Amazon Advertising API

Data Accessed

Campaign structures and settings for Sponsored Products, Sponsored Brands, Sponsored Display, and DSP; advertising performance metrics (impressions, clicks, spend, attributed sales, ROAS, ACOS); audience and targeting data within your authorized accounts; budget and bid data; Amazon Attribution measurement data. All such data constitutes "Program Materials" under the Advertising License Agreement.

Authorized Use — Licensed Country Restriction

Amazon Advertising API access is authorized only for the "Licensed Countries" designated in your Advertising License Agreement. Realify uses Amazon Advertising API data solely to provide the authorized advertising management and optimization services to you, the Amazon Advertising Participant, through the infrastructure and functionality we designate. Use of the API is authorized only as permitted by the Advertising License Agreement, the Amazon Program Policies, the Amazon Data Protection Policy, and any other applicable Amazon program policies.

Absolute Prohibitions

With respect to Amazon Advertising API data, Realify does not, and will not:

• (a) Use Amazon Advertising data to identify, target, or benchmark individual sellers or competitors, or combine Advertising API data with SP-API data or other Amazon data services for cross-seller competitive intelligence, without Amazon's prior written permission
• (b) Sublicense, sell, resell, transfer, assign, or make available the Amazon Advertising API or Program Materials to any third party
• (c) Use Amazon Advertising data for any purpose other than authorized advertising transactions on behalf of the authorizing Amazon Advertising Participant
• (d) Issue any press release, make any public statement, or publish any blog, case study, or marketing material that references Amazon Advertising data or the Amazon Advertising API without Amazon's prior written consent
• (e) Combine Amazon Advertising API data with data from any other Amazon data service unless Amazon separately grants permission in writing
• (f) Use Amazon Advertising data to train, fine-tune, evaluate, or benchmark any AI or machine-learning model — absolute prohibition in all forms

Confidentiality of Amazon Advertising Data

All Amazon Advertising API data is treated as strictly confidential under the Advertising License Agreement. Realify maintains Amazon Advertising data with the same confidentiality standards as Amazon Information under Section 5.1, including AES-256 encryption at rest, TLS 1.2+ in transit, RBAC, mandatory MFA, and comprehensive audit logging. Amazon Advertising data is stored exclusively in U.S.-based AWS infrastructure and is never transmitted outside the United States.

Credential Security and Deletion

• CredentialsAmazon Advertising API credentials (OAuth tokens, access keys) are AES-256 encrypted at rest and TLS 1.2+ in transit, stored in an encrypted secrets vault with least-privilege access controls.
• Revocation and deletionUpon account closure or integration revocation, all Amazon Advertising API credentials are purged within 48 hours and all associated data deleted from live systems within 30 days and from backups within 90 days. Written deletion confirmation provided on request.

No Agency Relationship and Upstream Liability Cap

Nothing in Realify's use of the Amazon Advertising API creates a partnership, joint venture, or agency relationship between Realify and Amazon. Realify has no authority to make or accept any offers, representations, or agreements on Amazon's behalf.

Governing Law — Amazon Advertising API

Disputes specifically relating to the Amazon Advertising API License Agreement are governed by the laws of the State of Washington, without conflict-of-law principles, with exclusive jurisdiction in the Federal District Court for the Western District of Washington at Seattle, or if federal jurisdiction does not exist, in King County Superior Court, Seattle, Washington.

5.5 Shopify API

Data Accessed

Store configuration and settings; product catalog, inventory, and pricing data; order and fulfillment data; customer records (name, email, shipping address, order history) to the extent required for the activated features; advertising and analytics integrations linked to the Merchant's Shopify store.

Authorized Use

Shopify API data is used solely to operate the Realify features you, as the Merchant, have activated for your Shopify store. Realify does not use Shopify API data to provide services to any party other than the authorizing Merchant. Realify complies with Shopify's Partner Program Agreement and all applicable Shopify policies in connection with this integration.

Merchant and Customer Data — Privacy Obligations

Personal information obtained from Merchants or their customers through the Shopify API ("Shopify Personal Information") is used solely for the functionality of the Realify application as authorized by the Merchant. Realify does not:

• (a) Use Shopify Personal Information for any purpose beyond operating the activated Realify features
• (b) Disclose Shopify Personal Information to any third party except sub-processors bound by equivalent data protection obligations
• (c) Use Merchant data for competitive benchmarking against other Merchants or disclose such data in a manner that could identify an individual Merchant to a competitor
• (d) Combine Shopify Personal Information with data from other sources to build profiles of Merchants or their customers beyond what is necessary for the activated features

Merchants are responsible for ensuring they have provided adequate privacy notices to their customers describing the data collected and used through the Realify application, as required by Shopify's Partner Program Agreement.

No Competing Use

Realify does not use the Shopify API to build, offer, or improve any product or service that competes with Shopify's Platform Services or any of Shopify's core commerce capabilities.

Security

Realify maintains industry-standard security controls for all Shopify API data, consistent with the standards described in Section 7 of this Policy: AES-256 encryption at rest, TLS 1.2+ in transit, RBAC with least-privilege access, MFA, quarterly access reviews, comprehensive audit logging, and annual third-party penetration testing.

Upstream Liability Cap

Deletion — 48-Hour Merchant and Shopify Request

Realify deletes all Shopify Merchant data and associated customer data: (a) within 48 hours of a Merchant's or Shopify's written request, subject to any active customer data export wind-down period under Terms of Service Section 11 (customers retain read-only access for up to 60 days post-termination to export data; Shopify API data required for that export will be retained until the export period expires or the customer completes export, whichever is earlier); (b) within 48 hours of Realify determining the data is no longer required to operate the activated features and no export wind-down period is active; or (c) upon account closure where no export wind-down period is active, with backup copies purged within 90 days. Written deletion confirmation provided on request.

Breach Notification

In the event of a security incident involving Shopify API data, Realify notifies the affected Merchant and Shopify within 72 hours of confirmed discovery, consistent with Shopify's Partner Program Agreement breach notification requirements. Notification includes: nature and scope of the incident; categories and approximate number of affected records; likely consequences; measures taken or proposed. Realify cooperates with Shopify's incident review process.

Governing Law — Shopify API

Disputes specifically relating to the Shopify Partner Program Agreement and API Terms are governed by the laws of the Province of Ontario, Canada, without conflict-of-law principles, with exclusive jurisdiction in the courts of Ontario. The United Nations Convention on Contracts for the International Sale of Goods does not apply.

5.6 All Other Connected Platforms

For WooCommerce, Magento, Walmart, eBay, Etsy, TikTok Shop, Klaviyo, Stripe, Recharge, Gorgias, Zendesk, Postscript, and others: data is used solely to operate the features you have activated. No data is sold, used for Realify's marketing, or shared with third parties beyond sub-processors. No data from any Connected Platform is aggregated or benchmarked across customer accounts. Credentials are secured per Section 4.5 of the Terms of Service. Retention follows Section 9 of this Policy.

Current list: realify.ai/legal/subprocessors. We provide 30 days' advance notice of new sub-processors handling Amazon Information, with your right to object. Before sharing Amazon Information with any sub-processor, we conduct documented due diligence and require written obligations covering retention limits, aggregation prohibition, AI/ML training restriction, and 24-hour breach notification (Amazon DPP §4.7). Annual risk assessments are conducted for all sub-processors with access to Customer Personal Data.

Enterprise customers may request the penetration test executive summary under NDA. Contact legal@realify.ai.

All Realify personnel and operations are located in the United States. Customer Data is stored and processed in the United States. Amazon Information is stored exclusively in AWS us-east-1 (N. Virginia) and AWS us-west-2 (Oregon). Google Ads and Meta Ads data uses the same U.S. AWS infrastructure. Non-Amazon ML training uses GCP us-central1 (Iowa). No Amazon Information is transmitted to, processed in, accessed from, or stored in any location outside the United States, by any Realify personnel, contractor, sub-processor, or system.

All deletion follows NIST SP 800-88 Rev. 1. Written deletion certificates issued on request.

Proprietary models are trained on synthetic data, publicly available data, and customer data only where explicit opt-in has been granted via Settings > Privacy > AI Data Use (default: off). Amazon Information is never used for model training — absolute, unconditional prohibition. Non-Amazon Connected Platform data requires explicit opt-in. Opt-out via the platform toggle or by emailing legal@realify.ai (subject: "AI Training Opt-Out"); processed within 5 business days. Historical data already in training datasets cannot be retroactively removed.

Third-party LLMs: certain natural-language features use third-party LLM APIs (including OpenAI) under enterprise agreements prohibiting use for the LLM provider's own training. Only necessary data snippets are transmitted; Amazon Information is never sent to any third-party LLM. All AI outputs are subject to the disclaimer and verification obligations in Terms of Service Section 4.3.

For California Residents. Realify.ai is headquartered in San Francisco, California. This section describes your rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA).

Important disclosure: advertising on our marketing website. Realify operates two distinct data domains with different advertising practices:

• Realify Marketing Website (realify.ai)We use Google Ads, Google Analytics 4 (including Enhanced Conversions and Customer Match), the Meta Pixel, and the Meta Conversions API (including Advanced Matching and Custom Audiences) on our marketing website. Under the CPRA, this constitutes "sharing" of personal information for cross-context behavioral advertising. Information shared with these advertising partners includes IP address, device identifiers, page-view events, and hashed contact information (email, phone) for advanced matching and conversion measurement.
• Realify Platform (authenticated Services)We do not use advertising cookies, tracking pixels, or remarketing technologies within the authenticated platform. We do not sell or share Customer Data or Amazon Information for advertising purposes, ever.

California residents have the following rights:

• (a) KnowCategories and specific pieces of personal information collected, sources, purposes, and third parties.
• (b) DeletePersonal information we hold, subject to legal exceptions.
• (c) CorrectInaccurate personal information.
• (d) Opt Out of Sale or SharingTo opt out of the sharing of your personal information for cross-context behavioral advertising on our marketing website, click the "Do Not Sell or Share My Personal Information" link in our website footer, email legal@realify.ai, or enable Global Privacy Control (GPC) in your browser (honored automatically).
• (e) Limit Sensitive PIWe do not use sensitive personal information beyond CPRA-permitted purposes without additional consent.
• (f) Non-DiscriminationExercising rights will not affect your Services.

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have substantially similar rights. Submit requests to legal@realify.ai (subject: "California Privacy Request"). We verify identity before processing and respond within 45 days (extensions possible with advance notice). Authorized agents may submit requests with proof of authorization.

US-Only Customer Base. Realify currently serves customers exclusively in the United States and does not actively process personal data of EEA, UK, or Swiss data subjects. The transfer mechanisms below are documented for regulatory completeness and future use. They are not currently operative but will be activated if and when Realify expands to serve EU, UK, or Swiss customers.

For future customers subject to GDPR, UK GDPR, or the Swiss FADP, Realify will offer: (a) EU-US Data Privacy Framework (DPF) — where Realify is self-certified (verify at https://www.dataprivacyframework.gov); or (b) EU Standard Contractual Clauses (Commission Decision 2021/914, Module 2), UK International Data Transfer Addendum, and Swiss adaptations, incorporated by reference and executed on request; supplementary Schrems II measures (encryption, access controls, audit logging, documented government-access-request procedures) apply to all transfers. Contact legal@realify.ai to execute the appropriate mechanism.

We notify you of material changes by email or in-platform notice at least 14 days before they take effect. Continued use constitutes acceptance. Contact: legal@realify.ai