Privacy Policy

Last updated: 9th August 2025


Who we are

RAPTOR Commerce (“we”, “us”, “our”) provides ecommerce advertising analytics and optimisation services for our own agency clients.

Registered address: Foord House, Chalk Road, Brandon, Suffolk, IP27 0SD, UK
Contact: privacy@raptor.uk

We act as the data controller for personal data collected via this website and as a data processor (or independent controller, per contract) for certain advertising data we process on behalf of clients.

We do not offer public or client logins to the internal tool at this time. Any future client-facing portal will be read-only initially and launched only after Google approves a “tool change” request.


What this policy covers

  • Data collected via our website (e.g., contact form, server logs, cookies/analytics).
  • Data processed by our internal analytics tool that connects to clients’ Google Ads and Google Merchant Center to generate reports and optimise campaigns.

Data we collect

1) Website data

  • Contact form: name, email, message (and any information you include).
  • Server logs: IP address, user-agent, timestamps; used for security and diagnostics.
  • Cookies & analytics: we use essential cookies and analytics cookies (e.g., first-party analytics such as Google Analytics 4) to understand aggregated site usage and improve the site. Where required, we present a consent banner and honour your choices.

Legal basis: legitimate interests (responding to enquiries; site security) and consent where applicable (e.g., analytics cookies in certain regions).

2) Advertising & ecommerce data (agency clients only)

Pulled from Google Ads and Google Merchant Center (Content API v2.1 today; planning migration to Merchant API when generally available):

  • Account identifiers: Google Ads customer IDs, Merchant IDs.
  • Product metadata: product IDs, titles, brand, price, availability/stock, labels, product type/category, image/link URLs.
  • Performance metrics: impressions, clicks, cost, conversions, conversion value, ROAS/CPA, derived aggregates.
  • Diagnostics/benchmarks: policy/issue codes, disapprovals, and (future) competitiveness metrics where available.

We do not store: ad text/creative, search queries, user-level identifiers, audiences/remarketing lists, or personal data about end users.

Legal basis: legitimate interests and/or performance of a contract with the client (campaign management, reporting, optimisation).


How we use the data

  • Operate our services: ingest Ads & Merchant data, classify products, generate reports/charts, monitor performance, and (where authorised) take optimisation actions.
  • Client reports: provided only to the client that owns the underlying accounts. We do not disclose their data to third parties.
  • Security & reliability: logs and alerts to keep the system healthy and secure.
  • Communications: respond to website enquiries.

We do not sell data or use client data for unrelated purposes.


Cookies & analytics

We use:

  • Essential cookies for basic site functionality and security.
  • Analytics cookies (e.g., Google Analytics 4) to measure aggregated traffic and usage. Where supported, we enable IP anonymisation and avoid storing precise identifiers. We do not combine website analytics with client Ads/Merchant data.

Your choices: you can accept or decline analytics cookies via our banner, and adjust your settings at any time by clicking the icon at the bottom/right of the screen. You can also manage cookies in your browser. View our Cookie Declaration.


Sharing and disclosures

  • No resale or third-party sharing.
  • Client reporting: We provide clients with aggregated performance reports derived from their own metrics; reports do not include user identifiers or raw search queries.
  • Processors/sub-processors: currently none beyond Google APIs accessed directly. If/when we migrate to Google Cloud (Cloud SQL/Run/Secret Manager), we’ll update this page and list those services with regions. Google LLC (Google Analytics 4) provides aggregated website analytics, with IP anonymisation enabled and consent respected via our cookie banner.
  • Legal: we may disclose where required by law or to protect rights, safety, or security.

Security

  • Workstation: full-disk BitLocker encryption; Windows Firewall; OS/AV current; no inbound ports exposed.
  • Database: MySQL on localhost; least-privilege access; automation run logs.
  • Secrets & tokens: service-account JSON and .env stored in an NTFS-encrypted folder with ACL-based read-only access for the automation user. Google Ads refresh tokens are AES-encrypted at rest in our database.
  • Transport: all Google API calls use TLS.

If we become aware of a data incident, we will investigate promptly and notify you and/or regulators where required.


Data Retention & Deletion

  • Website enquiries: up to 12 months unless you request deletion sooner.
  • Advertising metrics & product metadata: typically up to 24 months for reporting/trends (plan-dependent lookback windows may apply).
  • Automation/script logs: 90 days.
  • Backups: rolling backups, not edited in place and typically overwritten within 35 days.
  • Credentials/tokens: deleted immediately on disconnect or contract end.

Deletion on request
Upon a verified request, we delete your data from primary systems within 30 days; backups then expire on their normal schedule and are not restored except for disaster recovery.


Right to disconnect (agency clients)

From the internal dashboard Settings we can disconnect Google Ads / Merchant Center for a given shop: this clears the shop’s encrypted refresh token (if present), removes stored account IDs, and marks the shop disabled. Scheduled jobs skip that shop gracefully. The global agency service-account key remains untouched so other MCC-managed shops continue to run.

You can also request disconnection via privacy@raptor.uk.


Your rights (UK/EU and similar regimes)

You may have the right to access, rectify or erase your data, to restrict or object to processing, and to data portability (where applicable). To exercise your rights, contact privacy@raptor.uk. We’ll respond within 30 days or explain if we need more time. We may need to verify your identity.


International transfers

Processing currently occurs in the UK on a secured workstation. If/when we move to Google Cloud, we will select appropriate regions and implement safeguards (e.g., Standard Contractual Clauses) and update this policy.


Children

Our services and site are not directed to children. We do not knowingly collect information relating to children.


Changes to this policy

We may update this Policy from time to time. Material changes will be posted here with a new “Last updated” date. If changes materially affect your rights, we’ll notify you where possible.


Contact

RAPTOR Commerce
Foord House, Chalk Road, Brandon, Suffolk, IP27 0SD, UK
privacy@raptor.uk

