Privacy Policy
Meet Rufus ("we", "us", or "our") provides an AI-powered operations dashboard for Shopify merchants. This Privacy Policy explains what personal data we collect, how we use it, and the choices you have. It applies to anyone who visits our website, signs in to the dashboard at app.meetrufus.co, or connects a third-party service to their Meet Rufus account.
1. Who we are
Meet Rufus is a service of TRS Enterprises B.V. (“we”, “us”, or “our”), a private limited company registered in the Netherlands. TRS Enterprises B.V. is the data controller for personal data processed through Meet Rufus. For any privacy-related question, request, or complaint, contact us at info@meetrufus.co.
- Registered office: Eenspan 30 F, 3897 AL Zeewolde, The Netherlands
- Chamber of Commerce (KVK): 99615312
- VAT number: NL869062190B01
2. What data we collect
2.1 Account data
When you sign up for Meet Rufus we collect your name, email address, and a hashed password. We also keep a record of your subscription status, billing identifiers from our payment processor (Stripe), and timestamps for key account events (sign-up, onboarding, last sign-in).
2.2 Shopify store data
When you connect a Shopify store, we receive an OAuth access token from Shopify that lets us read products, orders, inventory, and shop metadata on your behalf. Using that token we periodically sync a copy of your store's orders and products into your dedicated Meet Rufus database so our AI agents can operate on it. Access tokens never leave your dedicated server; they are not stored in the central Meet Rufus database.
2.3 Email data (Gmail, Outlook, iCloud, IMAP)
When you connect an email account to Meet Rufus we receive - with your explicit consent - authorised access to read and send emails on your behalf. For Gmail this goes through Google's OAuth 2.0 flow and uses the gmail.readonly, gmail.send, and gmail.modify scopes. For Outlook / Office 365 we use Microsoft Graph with the Mail.Read and Mail.Send delegated permissions. For iCloud and other providers we use standard IMAP/SMTP with an app-specific password you generate yourself.
Email content, metadata (sender, recipient, subject, date), and attachments are stored on your dedicated Meet Rufus server so our AI agents can draft replies, categorise threads, and summarise inboxes for you.
2.4 Advertising account data
When you connect a Meta, TikTok, or Google Ads account, we request read-only access to campaign performance data (spend, impressions, clicks, conversions). We do not modify your campaigns or access payment methods on your advertising platforms.
2.5 Usage and technical data
We log page views, feature usage, and technical information (IP address, browser type, timestamps) for the purpose of running and improving the service, diagnosing issues, and preventing abuse. We do not use third-party advertising pixels on the authenticated dashboard.
3. How we use your data - Google API Services User Data Policy
Meet Rufus's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
In particular:
- Data obtained through Google APIs (Gmail, Google Ads) is used only to provide or improve user-facing features that are prominent in the application's user interface.
- We do not transfer Google user data to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger or acquisition.
- We do not use Google user data for serving advertisements or targeted advertising of any kind.
- We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (investigating abuse), to comply with applicable law, or our use is limited to internal operations where the data has been aggregated and anonymised.
4. Why we process your data (legal bases under GDPR)
- Performance of a contract (GDPR art. 6(1)(b)) - to deliver the Meet Rufus service you subscribed to.
- Legitimate interests (art. 6(1)(f)) - to keep the service secure, prevent abuse, and make it work well.
- Consent (art. 6(1)(a)) - for optional connections (email providers, ad platforms) where you explicitly grant access and can revoke at any time.
- Legal obligation (art. 6(1)(c)) - to comply with tax, accounting, and anti-fraud laws.
5. How your data is stored
Each Meet Rufus customer is provisioned a dedicated server. Your Shopify orders, email content, advertising data, and AI-generated output live on your server and are reachable only by your Meet Rufus account and our on-call engineers over a private WireGuard-encrypted mesh network. Other customers cannot reach your server.
Our central account database (emails, subscription status, billing references) is hosted in the European Union. Data is encrypted in transit (TLS 1.3) and at rest (disk-level encryption).
6. Who we share data with
We share personal data only with the following categories of processors:
- Stripe (payment processing) - for subscription billing. Stripe stores your card details directly; we never see or store card numbers.
- Resend (transactional email) - to send you account emails (welcome, receipts, service notifications).
- AI model providers (Anthropic, OpenAI, Google) — AI agents in Meet Rufus call large-language-model APIs from Anthropic (Claude), OpenAI (GPT) and Google (Gemini) to draft replies, summarise data and generate content. Each provider's commercial API terms prohibit using customer inputs to train their models.
- Kaashosting (infrastructure) - hosts the dedicated servers and databases.
- Google — for Gmail API access (when you connect a Google mailbox), outgoing transactional email delivery routing, and the Google Ads API (when you connect a Google Ads account) to read campaign performance and, at your instruction, adjust campaigns.
- Meta (Facebook + Instagram Ads) — when you connect a Meta Ads account, we access campaign performance data (spend, impressions, conversions) and, at your instruction, adjust campaigns on your behalf via the Meta Marketing API.
- TikTok (TikTok Ads) — when you connect a TikTok Business Center account, we access campaign performance data and adjust campaigns on your behalf via the TikTok Business API.
We have data processing agreements in place with each processor as required by GDPR. We do not sell your personal data or use it for third-party advertising.
7. International transfers
Some of our processors (Anthropic, OpenAI, Stripe, Google, Meta, TikTok, Microsoft, Resend) are based outside the European Economic Area. Where data is transferred, we rely on Standard Contractual Clauses approved by the European Commission and supplementary measures where appropriate.
8. How long we keep your data
- Account data: for the duration of your subscription, plus 12 months after cancellation for financial record-keeping.
- Shopify, email, advertising data on your dedicated server: for the duration of your subscription. When you cancel, we retain the data for 30 days (grace period for re-subscription), then delete it.
- Billing records: 7 years, as required by Dutch tax law.
- Security logs: 90 days.
9. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion ("right to be forgotten").
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent for optional data uses at any time.
- Lodge a complaint with your national data-protection authority (in the Netherlands: Autoriteit Persoonsgegevens).
To exercise any of these rights, email us at info@meetrufus.co. We respond within 30 days.
10. Revoking connected accounts
You can revoke Meet Rufus's access to any connected third-party service at any time:
- Shopify: in your Meet Rufus dashboard under Settings → Subscription → per-store Disconnect.
- Google / Gmail: Meet Rufus dashboard → Settings → Mail → Disconnect, or at Google Account permissions.
- Microsoft / Outlook: Meet Rufus dashboard → Settings → Mail → Disconnect, or at Microsoft app access.
- Meta / TikTok / Google Ads: Meet Rufus dashboard → Settings → Ad accounts → Disconnect, or within each platform's own "connected apps" settings.
Once revoked, we stop syncing data from that service immediately. Data already synced to your dedicated server is retained until you disconnect the service entirely from the dashboard, at which point it is deleted.
11. Cookies
The Meet Rufus dashboard uses strictly necessary cookies for authentication (to keep you signed in). The public marketing site at meetrufus.co uses a Meta Pixel cookie when you consent; you can reject this via our cookie banner. We do not use tracking cookies on the authenticated dashboard.
12. Security
We apply industry-standard safeguards: TLS 1.3 for all connections, encryption at rest, private WireGuard-encrypted traffic between central and customer servers, SSH hardened with public-key authentication only, one-time passwords for provisioning, bearer-token API access, and per-customer server isolation.
If a data breach occurs that is likely to result in a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR.
13. Children
Meet Rufus is a B2B service for e-commerce merchants and is not intended for use by anyone under 16.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via email to the address on your account, at least 30 days before taking effect. The date at the top of this page reflects the last update.
15. Contact
Questions, complaints, or data-rights requests - as well as support, security disclosures, and legal inquiries: info@meetrufus.co.