Privacy Policy
Last Updated: April 6, 2026
1. Introduction
This Privacy Policy describes how Shopify Agent ("we", "our", "the App") collects, uses, stores, and protects information when you install and use our application through the Shopify App Store. This policy applies to both merchants who install the App and their end customers who interact with the chat widget.
By installing or using Shopify Agent, you agree to the practices described in this Privacy Policy.
2. Information We Collect
2.1 Data from Shopify (Merchant Data)
When a merchant installs the App, we request the following OAuth scopes:
| Scope | Data Accessed | Purpose |
|---|---|---|
read_products | Product titles, descriptions, pricing, variants, images, tags | Build AI knowledge base for product recommendations and Q&A |
read_orders | Order numbers, status, fulfillment state, shipping addresses, line items | Order tracking, refund eligibility evaluation |
write_orders | Order cancellations, refund creation | Process approved refunds and cancellations |
read_customers | Customer email addresses (linked to order lookups only) | Verify identity for refund and order modification requests |
read_content | Store policies (refund, privacy, terms, shipping) | Power policy-aware AI responses |
We adhere to the principle of minimal data access and only request scopes strictly necessary for the App's functionality.
2.2 Customer Interaction Data
When an end customer uses the chat widget, we collect:
- Chat messages — Content of messages exchanged between the customer and the AI agent.
- Email address (optional) — Only when voluntarily provided for identity verification.
- Session identifiers — A randomly generated session ID for conversation continuity.
- Satisfaction ratings — Optional 1-5 star ratings submitted after conversations.
2.3 Technical Data
- IP addresses — Used solely for rate limiting (30 requests/minute). Held in memory only, not persisted to disk.
- Request metadata — HTTP method, path, response status, and duration for operational monitoring. Written to stderr, not stored in the application database.
2.4 Data We Do NOT Collect
- Payment card numbers, bank account details, or financial credentials
- Cookies or browser fingerprinting
- Cross-store or cross-site tracking
- We do not sell, rent, or trade any personal data
3. How We Use Your Data
| Data | Use | Legal Basis |
|---|---|---|
| Products and policies | Build and maintain AI knowledge base | Legitimate interest (contract performance) |
| Order data | Verify order status, evaluate refund eligibility | Contract performance |
| Customer email | Identity verification for sensitive operations | Legitimate interest (fraud prevention) |
| Chat messages | Generate AI responses, maintain context | Contract performance |
| Satisfaction ratings | Aggregate analytics for merchants | Legitimate interest |
| IP addresses | Rate limiting to prevent abuse | Legitimate interest (security) |
4. Data Storage and Security
- Database — All persistent data stored in SQLite on the application server.
- OAuth tokens — Encrypted at rest using AES-256-GCM. Stored as
iv:authTag:ciphertext. - Active conversations — Held in server memory with a 2-hour TTL. Automatically evicted.
- Persisted conversations — Stored in SQLite, automatically purged after 24 hours.
- Webhook verification — All Shopify webhooks verified via HMAC-SHA256 with timing-safe comparison.
- CORS — API restricted to
*.myshopify.comorigins and the configured app host. - Rate limiting — Per-IP sliding window (30 req/min) on all public routes.
- Input validation — All request bodies validated with Zod schemas.
- Prompt injection protection — Customer messages screened for injection patterns.
5. Data Retention and Deletion
| Data Type | Retention | Deletion Trigger |
|---|---|---|
| In-memory conversations | 2 hours | Automatic TTL eviction |
| Persisted chat sessions | 30 days | Automatic scheduled purge |
| Knowledge base | Until uninstall | app/uninstalled or shop/redact webhook |
| OAuth sessions | Until uninstall | app/uninstalled or shop/redact webhook |
| Analytics data | Until uninstall | shop/redact webhook |
| Refund history | Until uninstall or customer redact | customers/redact or shop/redact |
| Support tickets | Until uninstall or customer redact | customers/redact or shop/redact |
| Billing records | Until uninstall | shop/redact webhook |
5.1 Data Retention Policy
Chat conversations are automatically deleted after 30 days. All other merchant data is retained only for the duration of the app installation. We do not retain any data beyond what is necessary for the App's operation.
5.2 Uninstallation
When a merchant uninstalls the App, all stored data is permanently deleted within 48 hours. Upon receiving Shopify's shop/redact webhook, the following data is immediately and irrevocably deleted in a single database transaction: knowledge base entries, chat sessions, OAuth tokens, analytics data, refund history, support tickets, billing usage records, billing subscriptions, and shop configuration.
5.3 Customer Data Deletion
Individual customer data can be deleted via the customers/redact webhook. This removes all chat sessions, refund history, and anonymizes any analytics records associated with the customer's email address. Ticket records are anonymized by removing the customer email while preserving aggregate data for the merchant.
6. GDPR Compliance
We fully support Shopify's mandatory GDPR webhooks. All operations are processed within 48 hours of receipt, as required by Shopify.
| Webhook | Action |
|---|---|
customers/data_request | Exports all stored data for the requested customer in JSON format, including chat sessions, refund history, and satisfaction ratings |
customers/redact | Permanently deletes all data associated with the customer's email (chat sessions, refund history) and anonymizes analytics records. Executed in a single database transaction. |
shop/redact | Permanently deletes all data for the shop (knowledge base, chat sessions, OAuth tokens, analytics, refund history, tickets, billing records, shop configuration). Executed in a single database transaction. |
Data Collected and Purposes
| Data Category | What We Collect | Why | Retention |
|---|---|---|---|
| Chat Messages | Message content, session ID, timestamps | Provide AI-powered customer support | 30 days |
| Customer Email | Email address (when voluntarily provided) | Identity verification for refunds/order changes | 30 days (with chat session) |
| Satisfaction Ratings | 1-5 star rating per session | Merchant analytics dashboard | Until uninstall |
| Refund History | Order ID, amount, decision, email | Fraud prevention and audit trail | Until uninstall |
| Product Data | Titles, descriptions, pricing, variants | AI knowledge base for product Q&A | Until uninstall |
| Store Policies | Refund, privacy, terms, shipping policies | Policy-aware AI responses | Until uninstall |
Data Subject Rights
Under the GDPR, individuals have the following rights:
- Right of Access — Request a copy of all personal data we hold. We export data in machine-readable JSON format.
- Right to Erasure — Request deletion of all personal data. All customer data is permanently deleted within 48 hours.
- Right to Rectification — Correct inaccurate data.
- Right to Restriction — Limit processing of your data.
- Right to Data Portability — Receive data in a machine-readable format (JSON).
- Right to Object — Object to processing based on legitimate interests.
Merchants should use the Shopify admin panel to initiate GDPR requests. End customers should contact the merchant directly, who can then process the request through Shopify.
A verified privacy contact must be configured before production activation. This public preview does not collect personal data.
7. Third-Party Services
Anthropic (Claude AI)
Customer chat messages and store data are shared with Anthropic to generate AI responses. Anthropic does not use API inputs/outputs to train models. Subject to Anthropic's Privacy Policy.
AfterShip
Order tracking numbers and carrier information are shared for real-time shipment tracking. This integration is optional. Subject to AfterShip's Privacy Policy.
Shopify
OAuth tokens are exchanged with Shopify's API for core integration. Governed by Shopify's Privacy Policy.
We do not share data with advertising networks, data brokers, or analytics platforms.
8. Cross-Border Data Transfers
The App processes data on the server where it is deployed. Data shared with Anthropic may be processed in the United States. For merchants in the EEA, we rely on Standard Contractual Clauses (SCCs) for transfers outside the EEA.
9. Children's Privacy
The App is not directed at children under 16. We do not knowingly collect personal data from children. If we become aware of such collection, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last Updated" date. Continued use after changes constitutes acceptance.
11. Contact Us
For privacy questions or data rights requests:
- Contact: unavailable while the service remains a non-collecting preview
- Support: Available through the Shopify App Store listing
For unresolved privacy complaints, you may contact your local data protection authority.