Effective date: 1 June 2026
Version 1.0
1. Introduction and Scope
1.1 This Privacy Policy (the “Policy”) explains how Plugcy, operating the Atorse platform and brand (“Atorse,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal data and business data submitted by users of the website https://atorse.com/ and any associated applications or services (collectively, the “Services”).
1.2 This Policy applies to all users of the Services, including individuals acting in a personal capacity and individuals acting on behalf of a business (“Users”), regardless of the User’s location. We process personal data of Users located in the European Economic Area (“EEA”), the United Kingdom, Mexico, the United States (including California), and other jurisdictions worldwide, and we apply the standards described in Sections 12 to 14 according to the User’s place of residence.
1.3 By creating an account or otherwise using the Services, the User acknowledges that they have read and understood this Policy. Where applicable law requires affirmative consent for a specific processing activity, we will request that consent separately, as described in this Policy.
2. Data Controller
2.1 The data controller responsible for the processing of personal data described in this Policy is:
- Plugcy Plugcy SAPI de CV, with its registered office in Mexico (“Plugcy,” the “Controller,” or “Controller/Operator”).
2.2 Contact for all privacy-related matters: c@atorse.com. Plugcy has not currently appointed a statutory Data Protection Officer; this contact point performs the equivalent function pending any future appointment required by applicable law.
2.3 Where Plugcy processes personal data on behalf of a business User in connection with content that business User submits about its own customers or third parties, Plugcy acts as a processor for that specific data, and the business User acts as controller. The terms of that processing relationship are set out in the Atorse Data Processing Addendum, provided as a separate document.
3. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- “Processing” means any operation performed on Personal Data, including collection, storage, structuring, indexing, transmission, and erasure.
- “Business Data” means brand names, shop names, product descriptions, and related commercial metadata submitted by Users, which may or may not constitute Personal Data depending on context.
- “AI Ecosystem” means third-party large language models, generative AI systems, AI-assisted search tools, and related AI-driven discovery platforms (including, without limitation, systems operated by OpenAI, Anthropic, Google, and Microsoft) that may crawl, index, retrieve, or otherwise process data made available through the Services.
- “Subprocessor” means any third party engaged by Plugcy to process Personal Data on its behalf.
- “GDPR” means Regulation (EU) 2016/679; “UK GDPR” means the GDPR as incorporated into UK law by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018.
4. Categories of Data We Collect
We collect the following categories of data, depending on how a User interacts with the Services:
4.1 Account and Identity Data
- Email address
- Password (processed only in hashed, salted form; we do not store passwords in plain text)
- Authentication identifiers issued by Google OAuth, where a User chooses to register or sign in via Google
- In future product phases: phone number and one-time passcodes (OTP), for two-factor authentication purposes
4.2 Brand and Business Data
- Brand name and shop name
- Product names, descriptions, categories, pricing, and related product metadata
- Optional business metadata voluntarily provided by the User (for example, business registration details, website links, or social profiles)
4.3 Technical and Usage Data
- IP address, device and browser type, operating system, and general location inferred from IP address
- Log data, including timestamps, pages viewed, and actions taken within the Services
- Cookies and similar technologies, as described in the separate Atorse Cookie Policy
4.4 Communications Data
- Records of correspondence with our support team
- Marketing preferences and engagement data (for example, whether an email was opened)
5. How We Collect Data
5.1 Directly from the User: when an account is created, when Business Data is submitted, and when the User communicates with us.
5.2 Automatically: through cookies, server logs, and analytics tools when the User accesses the Services.
5.3 From third parties: where the User authenticates via Google OAuth, we receive identity data made available by that provider in accordance with the User’s settings with that provider.
6. Purposes of Processing and Legal Basis
6.1 We process Personal Data only where we have a valid legal basis under Article 6 GDPR (and, where applicable, the equivalent provisions of UK GDPR). The table below summarises our primary processing activities.
| Purpose of Processing | Examples | Legal Basis (GDPR Art. 6) |
| Account creation and authentication | Storing email/password (hashed), managing OAuth login, future 2FA/OTP | Performance of a contract (Art. 6(1)(b)) |
| Provision of the core Service: structuring and pushing Business Data to AI Ecosystems and search indexes | Optimising and surfacing brand/product pages for discoverability | Performance of a contract (Art. 6(1)(b)), as this is the core functionality the User requests by submitting content |
| Service improvement and security | Fraud prevention, debugging, abuse monitoring | Legitimate interests (Art. 6(1)(f)) |
| Analytics | Understanding feature usage and platform performance | Legitimate interests (Art. 6(1)(f)), or consent where required by cookie law |
| Direct marketing communications | Product updates, newsletters, promotional emails | Consent (Art. 6(1)(a)), with an unsubscribe option in every communication |
| Compliance with legal obligations | Responding to lawful requests from authorities, tax and accounting records | Legal obligation (Art. 6(1)(c)) |
Drafting note: Using ‘performance of a contract’ as the legal basis for pushing data to AI Ecosystems is defensible because this is the advertised, core function of the Service — but it depends on the Terms and the onboarding flow making that purpose unmistakably clear to the User before they submit data, and on the processing being genuinely necessary (not merely useful) to deliver the Service. Counsel should confirm this characterisation, and a fallback legitimate-interest balancing test should be documented internally regardless.
7. AI Ecosystem Indexing and Distribution (Default Processing)
7.1 Core feature, on by default. The Services are designed to optimise and structure Business Data for discoverability across search engines and AI Ecosystems. Unless a User configures their account settings otherwise (where such controls are made available), Business Data submitted to the Services is, by default, structured and made available for crawling, indexing, and retrieval by third-party AI Ecosystems and search engines.
7.2 Nature of default processing. Because this distribution is the central function of the Services described at registration and in the Terms and Conditions, it is treated as a necessary element of contract performance rather than a separate, optional marketing activity. This is distinct from, and should not be confused with, processing for direct marketing purposes, which remains consent-based and opt-in under Section 6 above.
7.3 No control over downstream AI behaviour. Once data is indexed or retrieved by a third-party AI Ecosystem, Plugcy has no further control over how that AI Ecosystem stores, summarises, reproduces, or presents that data. Users should not submit Personal Data of third parties, or sensitive, confidential, or special-category data, as part of Business Data, since it cannot be fully retracted once distributed.
7.4 Right to object and account-level controls. A User may request that their Business Data be excluded from future indexing cycles, or may delete their content, by using in-product controls where available or by contacting c@atorse.com. Plugcy will action such requests on a going-forward basis but cannot guarantee removal of data already retrieved, cached, or incorporated into outputs by third-party AI Ecosystems, which fall outside Plugcy’s control.
8. Disclosure of Data to Third Parties
8.1 We disclose data to the following categories of recipients:
- AI Ecosystems and search engines: as described in Section 7, for the purpose of discoverability.
- Cloud infrastructure and hosting providers: to store and operate the Services [provider(s) to be confirmed].
- Authentication providers: Google, for OAuth-based sign-in.
- Analytics providers: where deployed, to understand Service usage [provider(s) to be confirmed].
- Payment processors: for subscription billing, once paid tiers are launched [provider(s) to be confirmed].
- Professional advisers and authorities: where necessary for legal, accounting, or regulatory compliance, or in connection with a corporate transaction.
8.2 We do not sell Personal Data to third parties for monetary consideration. Where the CCPA/CPRA definition of “sale” or “share” is interpreted to include certain disclosures to AI Ecosystems or analytics providers, California residents may exercise the rights described in Section 13.
9. International Data Transfers
9.1 Plugcy is established in Mexico and may engage Subprocessors located in the European Union, the United States, and other jurisdictions. Personal Data may therefore be transferred outside the country in which the User is located.
9.2 Where Personal Data originating in the EEA or UK is transferred to a country not recognised as providing an adequate level of protection, we rely on the European Commission’s Standard Contractual Clauses (and, for UK transfers, the UK International Data Transfer Addendum) or another valid transfer mechanism recognised under GDPR Chapter V or UK GDPR, as applicable.
9.3 A list of current Subprocessors and their locations is maintained in the Atorse Data Processing Addendum and may be requested at privacy@atorse.com.
10. Data Retention
| Data Category | Retention Period |
| Account data (email, hashed password) | For the duration of the account, plus 90 days after deletion to allow for account recovery and fraud checks |
| Business Data submitted for indexing | For the duration of the account, or until the User requests deletion; cached or retrieved copies held by third-party AI Ecosystems are outside our retention control |
| Billing and transaction records | As required by applicable Mexican, EU, and tax law, typically 5 to 10 years |
| Support correspondence | Up to 3 years from the last interaction |
| Server and security logs | Up to 12 months, unless required for an active investigation |
11. Data Security
11.1 We implement technical and organisational measures appropriate to the risk, including encryption of passwords at rest, access controls limiting internal access to Personal Data on a need-to-know basis, and the use of reputable infrastructure providers.
11.2 No system is completely secure, and Plugcy cannot guarantee absolute security of data transmitted over the internet. Users are responsible for maintaining the confidentiality of their account credentials.
12. Rights of EEA and UK Users (GDPR / UK GDPR)
12.1 Subject to the conditions and exceptions set out in applicable law, Users located in the EEA or UK have the right to:
- Access the Personal Data we hold about them (Art. 15 GDPR)
- Request rectification of inaccurate Personal Data (Art. 16 GDPR)
- Request erasure of Personal Data (Art. 17 GDPR), subject to Section 7.4 regarding data already distributed to third-party AI Ecosystems
- Request restriction of processing (Art. 18 GDPR)
- Request data portability (Art. 20 GDPR)
- Object to processing carried out on the basis of legitimate interests (Art. 21 GDPR)
- Withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal
- Lodge a complaint with a supervisory authority in their country of residence, place of work, or place of the alleged infringement
12.2 Requests may be submitted to c@atorse.com. We will respond within one month, extendable by two further months for complex requests, as permitted under Article 12(3) GDPR.
13. Rights of California and Other US Residents (CCPA/CPRA)
13.1 California residents have the right to know the categories and specific pieces of personal information collected, to request deletion, to correct inaccurate information, to limit the use of sensitive personal information, and to opt out of the sale or sharing of personal information, as defined under the CCPA as amended by the CPRA.
13.2 Plugcy does not sell Personal Data for monetary consideration. To the extent any disclosure to AI Ecosystems, advertising, or analytics partners is deemed a “share” under the CPRA, California residents may opt out via privacy@atorse.com or any in-product mechanism made available.
13.3 We will not discriminate against any User for exercising rights under the CCPA/CPRA.
14. Rights of Mexican Users (LFPDPPP)
14.1 As Plugcy is established in Mexico, Users located in Mexico additionally benefit from the ARCO rights established under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP): the rights to Access, Rectify, Cancel, and Object (Acceso, Rectificación, Cancelación, Oposición) to the processing of their Personal Data.
14.2 ARCO requests may be submitted to c@atorse.com and will be handled in accordance with the timelines established under the LFPDPPP and its Regulations.
15. Other Jurisdictions
Where a User resides in a jurisdiction with its own data protection framework not separately addressed in this Policy, Plugcy will endeavour to honour requests consistent with the spirit of the rights described in Sections 12 to 14, on a reasonable-efforts basis, without representing that all jurisdiction-specific procedural requirements have been separately implemented.
16. Children’s Privacy
The Services are not directed at, and may not be used by, individuals under the age of 18. We do not knowingly collect Personal Data from individuals under 18. If we become aware that we have done so, we will take reasonable steps to delete such data.
17. Automated Decision-Making
The structuring and surfacing of Business Data for AI Ecosystem discoverability involves algorithmic processing but does not, as currently implemented, produce legal effects or similarly significant decisions concerning Users within the meaning of Article 22 GDPR. Should this change, Plugcy will update this Policy and provide the additional disclosures and safeguards required under Article 22.
18. Cookies
Details of the cookies and similar tracking technologies used on the Services, including consent mechanisms, are set out in the separate Atorse Cookie Policy, which forms part of this Policy by reference.
19. Data Breach Notification
In the event of a Personal Data breach likely to result in a risk to the rights and freedoms of Users, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, where required under Article 33 GDPR, and will notify affected Users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required under Article 34 GDPR.
20. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated by email or by a prominent notice on the Services prior to taking effect. Continued use of the Services after the effective date of an updated Policy constitutes acceptance of the changes.
21. Contact Us
For any questions about this Policy or to exercise your data protection rights, please contact: c@atorse.com.