Privacy Policy
Effective May 8, 2026
The short version
Wren is an analytics tool that connects to your e-commerce store and Google services to surface insights. We hold three kinds of data:
- Your Wren account info — email, password hash, billing details
- Connection credentials — encrypted at rest with AES-256-GCM
- Your store data — orders, customers, products, sessions, snapshots and computed insights derived from them
We don't sell your data. We don't share it with anyone except the subprocessors listed below, and only to the extent needed to run the service.
1. Who we are
Wren is a product of The Sky Floor (“we,” “us”). When you create a Wren account, you are entering into a relationship with The Sky Floor for the purposes of this Privacy Policy.
For questions, email hello@theskyfloor.com.
2. What we collect
2.1 Wren account data
When you sign up, we collect your email address and (via our auth provider) a hashed password. If you subscribe to a paid plan, our payment processor collects your billing details and shares a customer ID and subscription status with us — we never see your card number.
2.2 Store connection credentials
To pull data from your e-commerce store and Google services, you provide credentials such as a WooCommerce consumer key/secret and a Google service-account private key. These are encrypted at rest with AES-256-GCM using a key held outside the database. We use them only to pull data on your behalf.
2.3 Store data we process on your behalf
When Wren syncs with your store, we retrieve and store: orders (totals, statuses, dates, payment methods, coupon codes), order line items (products, quantities, prices), products (names, prices, stock), customers (names, email addresses, addresses associated with orders), refunds, sessions and channel attribution from Google Analytics 4, and search query data from Google Search Console.
Important: some of this data is personal information about your customers, not about you. You are the data controller for that information; Wren acts as a processor on your behalf. Section 7 below describes the responsibilities that come with that role.
2.4 Derived and computed data
From your store data, Wren computes daily snapshots, customer segments (champions, loyal, at-risk, lost), channel-quality metrics, product-affinity signals, and AI-generated insight reports. These are stored alongside your raw store data and are deleted with it.
2.5 Usage data
We log basic usage information — which pages you load, when you trigger a sync — to operate and debug the service. We do not use third-party analytics or advertising trackers in the Wren product.
3. How we use your data
We use the data described above to:
- Provide the Wren service — run syncs, compute insights, render dashboards, send digests
- Manage your account, authenticate you, and process billing
- Respond to support requests
- Improve the product — for example, identify common error patterns or sync failures
- Comply with legal obligations
We do not use your store data or your customers’ personal information to train AI models. When we send data to our AI subprocessor (Anthropic) for the insight engine, it is processed under their commercial-API terms with no training on submitted content.
4. Subprocessors
We use the following service providers to operate Wren. Each receives only the data needed to perform its role.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | US |
| Vercel | Application hosting and serverless compute | US (global edge) |
| Anthropic | AI model API for insight generation | US |
| Stripe | Subscription billing and payment processing | US |
| Resend | Transactional email delivery (digests, invites) | US |
We will update this list when we add or remove subprocessors. If you have an active subscription, you will be notified by email at least 30 days before a material change.
5. Where your data lives and how long we keep it
Data is stored in our subprocessors’ US-region infrastructure. Backups are retained according to those providers’ standard policies (typically 7 to 30 days).
We retain your store data for as long as your account is active. If you cancel your subscription, your data remains intact for 60 days (so you can resubscribe without re-syncing) and is then permanently deleted. You can request immediate deletion at any time — see Section 8.
6. How we protect your data
Connection credentials are encrypted at rest with AES-256-GCM. Database access is scoped per user via row-level security. Application-to-database traffic is TLS-encrypted. We follow least-privilege practices for our own access to production systems and apply security headers (HSTS, CSP, frame protection) to every Wren response. No system is perfectly secure, but we treat this seriously and patch promptly when issues are discovered.
7. If you use Wren on behalf of others (agencies, multi-store operators)
If you connect a store whose customer data you process on behalf of someone else — for example, a client of your agency — you are the data controller for that store’s data, and Wren acts as your data processor. By connecting that store you confirm that you have the legal right to share its data (including its customers’ personal information) with Wren for processing.
For customers in regions that require a Data Processing Agreement (notably EU/UK under GDPR), contact us and we’ll execute one. If you serve EU residents, we recommend you do this before connecting their data.
8. Your rights
You can:
- Access — view all data Wren holds about you and your stores from inside the dashboard
- Export — download your customer segments and intelligence reports as CSV/JSON
- Correct — update your profile and connection credentials in Settings
- Delete — disconnect a store (which deletes its data) or close your account (which deletes everything)
For requests we can’t fulfill from inside the product — including requests from your customers asking what data of theirs you hold — email us at hello@theskyfloor.com and we’ll respond within 30 days.
Depending on where you live, you may have additional rights under GDPR, the UK GDPR, the CCPA, or similar laws. We will honor those rights as required by applicable law.
9. International transfers
Our infrastructure is hosted in the United States. If you are in the EU, UK, or another region with data-transfer restrictions, your data will be transferred to the US for processing. We rely on Standard Contractual Clauses or equivalent safeguards with our subprocessors.
10. Children
Wren is not directed at children under 16, and we do not knowingly collect data from them. If you believe we hold data about a child, contact us and we will delete it.
11. Changes to this policy
If we change this policy materially, we will email you and update the effective date at the top. Continued use of Wren after a change means you accept the updated policy.
12. Contact
Questions, requests, or concerns: hello@theskyfloor.com