Privacy Policy

Effective date: 21 May 2026
Last updated: 21 May 2026


TL;DR. We're NEXGEN COMMERCE, a UK-based Shopify development agency. To deliver our AIOS service we access your Shopify store theme code, manage a GitHub repository on your behalf, and process messages you send to our AI bot in Slack. We use third-party services (Stripe, Anthropic, GitHub, Slack, Shopify, Notion) to operate the platform. We don't sell your data. You can request access, correction, or deletion at any time by emailing andrew@wearengc.com.


1. Who we are

Data controller: NEXGEN COMMERCE, operated by NEXGEN COMMERCE GROUP LTD, Companies House number 10914621, a company registered in England and Wales.

  • Registered office: Unit A 82 James Carter Road, Mildenhall, Suffolk, England, IP28 7DE
  • Contact email: andrew@wearengc.com
  • Website: https://wearengc.com
  • Data protection contact: andrew@wearengc.com (we are not required to appoint a Data Protection Officer under UK GDPR, but Andrew Douglas is our point of contact for all privacy matters)

2. What this policy covers

This policy explains:

  • What data we collect about you (or your business)
  • How we use it
  • Who we share it with (sub-processors)
  • How long we keep it
  • Your rights under UK GDPR, EU GDPR, and US CCPA

It applies to:

  • The wearengc.com marketing website and any sub-sites
  • All NEXGEN COMMERCE services: AIOS (Core / Studio / Suite), GrowthEngine, BuildPro, SiteSpeed, and Growth Support
  • Any communications with us (email, Slack, calls, contact forms)

3. What data we collect

3.1 Data you provide directly

  • Contact information: name, email, phone (if shared), company name, role
  • Billing information: company address, VAT number (if applicable), and payment details (processed by Stripe — see section 5)
  • Communications: the content of emails, Slack messages, and any documents you share with us during onboarding or ongoing work

3.2 Data from your Shopify store (AIOS clients)

When you install the NEXGEN AIOS Shopify app, you grant us OAuth access with the following scopes:

  • read_themes, write_themes — to read and update your theme code
  • read_content, write_content — for content and SEO management
  • read_products, write_products — to know what's in your catalogue (for context-aware copy generation) and update product metadata when you request it
  • read_files, write_files — to manage assets like images
  • read_orders — for analytical reporting and limited context (not customer-identifying)
  • read_customers — for limited segmentation context; we do NOT access individual customer PII unless you explicitly ask us to in a request (e.g. "fix the customer account page layout")
  • read_metaobjects, write_metaobjects — for storefront feature data
  • read_locales — for translation and i18n work

What we actually use:

  • Your theme code (read + write) — this is the primary surface of AIOS
  • Product metadata (names, categories, settings) — for context when generating copy
  • Theme configuration JSON — for layout decisions

What we DO NOT access (despite scope permitting it):

  • Customer names, emails, addresses, or order history at an individual level
  • Payment details
  • Personally identifiable customer data

We may aggregate or anonymise data we access for product improvement, but never in a way that re-identifies your customers.

3.3 Data from your GitHub workspace (AIOS clients)

When you install the NEXGEN AIOS GitHub App on a per-client repository, we access:

  • The contents of the repository (your Shopify theme code)
  • The ability to create branches and pull requests
  • Commit history

We do NOT access:

  • Other repositories in your GitHub organisation
  • GitHub Issues, Discussions, or other repository surfaces beyond code

3.4 Data from your Slack workspace (AIOS clients)

When you install the NEXGEN client-facing Slack app in your workspace, we access:

  • Messages posted in channels where the bot is invited
  • Messages where the bot is @-mentioned
  • Direct messages to the bot

We use this data to:

  • Understand and act on your change requests
  • Post updates back to you (intake acks, preview links, done cards)

We DO NOT:

  • Read messages in channels the bot is not invited to
  • Access your team's private DMs
  • Use Slack data for any purpose other than fulfilling your specific change requests

3.5 Data from your Notion workspace (Studio + Suite clients only)

If you opt in to Notion sync (Studio and Suite tiers), we access:

  • The specific Notion task database you connect to NEXGEN AIOS via Notion's Connections feature
  • Pages we create or update on your behalf within that database

We do NOT access any other Notion pages, databases, or workspaces in your account.

3.6 Data we collect automatically

When you use our services or visit wearengc.com:

  • IP address (for logging and security purposes)
  • Browser type, device, and operating system
  • Usage data — which features you use, how often, error logs, performance metrics
  • Cookies (see section 9)

4. Why we process your data and legal basis (UK / EU GDPR)

We process your data on the following legal bases:

Why we process | Legal basis (UK GDPR)
To deliver the services you've contracted us for (AIOS, GrowthEngine, etc.) | Contract (Article 6(1)(b))
To bill you and process payments | Contract + legal obligation
To respond to your queries and provide support | Contract + legitimate interest
To improve our services and develop new features | Legitimate interest
To monitor security, prevent fraud, and ensure platform stability | Legitimate interest + legal obligation
To send service-related emails (billing, downtime, important updates) | Contract
To send marketing emails about new features or related services | Consent (you can opt out anytime)
To comply with legal obligations (tax, accounting, court orders) | Legal obligation

Where we rely on legitimate interest, we have assessed the impact on your rights and concluded our interest is not overridden by your fundamental rights. You may object to this processing — see section 8.

5. Sub-processors

We use the following third-party services to operate our platform. Each handles data under their own privacy terms, and each is bound by appropriate data processing agreements:

Sub-processor | Purpose | Location | Their privacy notice
Anthropic | AI processing — Claude models power our agents | US (with UK/EU regional routing where available) | anthropic.com/legal/privacy
GitHub | Code repository hosting + Git operations | US | docs.github.com/privacy
Slack | Real-time client communication | US/EU | slack.com/legal#privacy
Shopify | Your storefront API — direct access via OAuth | US/UK/EU regional | shopify.com/legal/privacy
Stripe | Subscription billing and payments | US/UK/EU regional | stripe.com/privacy
Notion | Optional client portal (Studio/Suite only) | US | notion.so/notion/Privacy-Policy
Postmark | Transactional email delivery | US | postmarkapp.com/eu-privacy
Railway | Hosting infrastructure for the orchestrator | US/EU regional | railway.app/legal/privacy
Axiom | Operational logging and observability | US/EU regional | axiom.co/privacy
Sentry | Error monitoring | US/EU regional | sentry.io/privacy

For data transferred outside the UK or EU (e.g. to US-based services), we rely on Standard Contractual Clauses (SCCs) or the UK Extension to the EU-US Data Privacy Framework, as applicable.

We notify active clients at least 30 days before adding a material new sub-processor that has access to your data.

6. Data sharing — what we do NOT do

To be explicit:

  • We do not sell your data to anyone, ever.
  • We do not share your data with advertisers or for marketing purposes outside of the limited service-related contexts above.
  • We do not share data with any other client of ours. Each client's data is logically isolated.

We may share your data only when:

  • It is necessary to deliver the service (e.g. our sub-processors above, all under DPAs)
  • Legally required (court order, regulatory request, etc.)
  • You explicitly instruct us to (e.g. you ask us to coordinate with a third party on your behalf)
  • In connection with a business transfer (e.g. acquisition or merger) — we will notify you before this happens

7. Data retention

Type of data | Retention
Active subscription data (theme code, task history, Slack channel history) | Duration of active subscription
Post-cancellation grace period | 90 days after cancellation, in case you re-subscribe
Billing records | 7 years (UK accounting / tax obligation)
Communications (emails, Slack messages) | 3 years from last contact
Server logs (Axiom, Sentry) | 30 days for verbose logs; 1 year for security/audit logs
Analytics on wearengc.com | 14 months (standard analytics retention)

After the retention period, we permanently delete or fully anonymise the data.

8. Your rights

You have the following rights under UK GDPR. EU residents have equivalent rights under EU GDPR; US residents (specifically California) have similar rights under CCPA.

Right | What it means | How to exercise
Access | Get a copy of the data we hold about you | Email andrew@wearengc.com — we'll respond within 30 days
Rectification | Correct inaccurate data | Same
Erasure ("right to be forgotten") | Have your data deleted | Same. Note: some data must be retained for legal reasons (e.g. billing records)
Restriction | Limit how we process your data | Same
Objection | Object to processing based on legitimate interest | Same
Portability | Receive your data in a portable format (e.g. JSON export) | Same
Withdraw consent | Where we relied on consent (e.g. marketing emails), withdraw it | Use the unsubscribe link, or email us
Complain to a regulator | Lodge a complaint with the supervisory authority | UK ICO (ico.org.uk) for UK residents; the appropriate Data Protection Authority for EU residents; California AG for CCPA matters

We will not charge you for exercising these rights, and we will not discriminate against you for doing so.

9. Cookies

The wearengc.com website uses cookies for:

  • Strictly necessary purposes (session management, security, load balancing)
  • Analytics (to understand site usage and improve content)
  • Marketing attribution (to know which channels bring in customers)

You can manage cookie preferences via the cookie banner on the site. Disabling non-essential cookies will not affect your ability to use AIOS — those cookies don't apply to the AIOS service itself.

10. International transfers

NEXGEN COMMERCE is based in the UK. We use sub-processors located in the US, EU, and UK, as listed in section 5. For transfers outside the UK / EU, we rely on:

  • Standard Contractual Clauses (SCCs) issued by the European Commission
  • UK International Data Transfer Agreement (IDTA) issued by the UK ICO
  • UK Extension to the EU-US Data Privacy Framework where the sub-processor is certified
  • Adequacy decisions where applicable

You can request a copy of the SCCs / IDTAs governing transfers by emailing andrew@wearengc.com.

11. Security

We take reasonable technical and organisational measures to protect your data:

  • All data in transit is encrypted via TLS 1.2+
  • API tokens are stored encrypted at rest where applicable
  • Access controls limit who within NEXGEN can access client data
  • We monitor for unauthorised access via Sentry and Axiom
  • Sub-processors are vetted for SOC 2 or equivalent certifications

No system is 100% secure. If we become aware of a personal data breach affecting your data, we will notify you and (where required) the ICO within 72 hours.

12. Children

Our services are not directed at children under 18. We do not knowingly collect data from anyone under 18. If you believe we have done so accidentally, contact us and we will delete it.

13. AI processing notice

We use third-party large language models (currently Anthropic's Claude family) to power AIOS agents. Specifically:

  • The content of your change requests and your theme files is sent to Anthropic's API for processing
  • Anthropic's API does not train on your data by default (per their commercial API terms — see anthropic.com/legal/commercial-terms)
  • Anthropic retains API request data for up to 30 days for safety/abuse monitoring per their terms

If you are concerned about AI processing of your specific theme data, we can discuss bespoke arrangements (e.g. on-premise model deployment) at the Suite tier or via BuildPro engagements.

14. Changes to this policy

We may update this policy from time to time. Material changes will be notified to active subscribers by email at least 30 days before they take effect. The "Last updated" date at the top of this document will always reflect the most recent version.

15. Contact

Questions, requests, or complaints about your data?

NEXGEN COMMERCE GROUP LTD
Unit A 82 James Carter Road, Mildenhall, Suffolk, England, IP28 7DE
Email: andrew@wearengc.com
Web: https://wearengc.com

For UK GDPR complaints, you may also contact the Information Commissioner's Office:


This is a v1 document published 21 May 2026. We expect to revise it following formal UK SaaS legal review. Any update will be notified to active subscribers at least 30 days before it takes effect, in line with section 14.