Legal document · Effective May 18, 2026

Privacy Policy

How Shopilot collects, uses, and protects your data — written clearly, without the usual legal fog.

1. Who We Are

Shopilot ("Shopilot", "we", "us", or "our") is operated by [LEGAL ENTITY NAME], a company registered in [GOVERNING JURISDICTION] at [REGISTERED ADDRESS].

Shopilot is an AI-powered shopping assistant platform. Businesses ("Merchants") subscribe to embed a conversational AI widget on their websites. Their customers ("Shoppers") interact with that widget.

This Privacy Policy applies to both Merchants and Shoppers. Where your rights or our obligations differ, we say so explicitly.

2. Data We Collect From Merchants

2.1 Account & Profile Data

  • Email address — authentication and transactional communications.
  • Full name — optional, used for support and account management.
  • Personal phone number — only when explicitly provided for OTP verification. Stored after verification; removable on request.
  • Preferred locale — the dashboard language.
  • Role — organization owner or store manager.

2.2 Store & Organization Data

  • Organization name, logo, brand names, taglines, and AI system prompt.
  • Store details: name, slug, location, address, map URL, phone, working hours, and shipping configuration.
  • Product catalog: names, descriptions, prices, currency, stock, attributes, AI notes, images, and external URLs.
  • Category definitions and field schemas.

2.3 Billing Data

Payments are processed by Paddle.com Market Limited, our Merchant of Record. Shopilot never receives or stores raw card numbers. We store only:

  • Subscription plan, billing cycle, and current period dates.
  • Payment status (active, trialing, past due, canceled).
  • Card brand and last four digits (as provided by Paddle in webhooks).
  • Transaction IDs and invoice numbers for reconciliation.
  • Paddle customer and subscription IDs.

2.4 Activity & Audit Logs

We log Merchant account actions (product created, store updated, manager invited, etc.) in an audit trail accessible in the dashboard. Retained for 30 days (Starter), 90 days (Growth), or 365 days (Scale), then automatically deleted.

2.5 WhatsApp Integration (Optional)

If you connect a WhatsApp Business account, we store your WABA ID, phone number ID, and access token (encrypted at rest), plus destination phone numbers for lead notifications.

2.6 Usage Data

  • Monthly conversation count against your plan quota.
  • Token consumption per turn (for cost estimation and quota management).
  • AI feature usage counts (description autofill, etc.).

3. Data We Collect From Shoppers

Shopilot processes Shopper data on behalf of the Merchant who deployed the chat widget. The Merchant is the data controller; Shopilot is the data processor.

3.1 Visitor Identifiers

When a Shopper first opens the chat widget, we generate a pseudonymous visitor ID (a random UUID), stored in browser local storage and in a signed HTTP-only cookie (chat-token, 24-hour expiry). This ID links turns within a session and across return visits on the same device. It is not linked to any name, email, or phone unless the Shopper voluntarily provides those.

3.2 Contact Information (When Voluntarily Provided)

The AI may invite Shoppers to share their name, phone, email, or preferred contact method to follow up on a purchase inquiry. This is stored as a lead in the Merchant's account. Shopilot does not use this data for its own marketing.

3.3 Conversation Content

Every message and AI response is stored, capped at 1,500 characters per turn. Conversations are held in queryable form for the Merchant's retention tier (30 / 90 / 365 days), then archived in compressed form, and eventually deleted according to the schedule in Section 7.

3.4 Lead Quality Scores

After a Shopper provides contact details, our AI assigns a quality score (0–100), tier (hot / warm / cold), and a brief reason. This is shown only to the Merchant. Shoppers are not notified.

3.5 Session Metadata

  • Language preference detected from the conversation.
  • Products discussed (IDs only).
  • Answer source (catalog vs. web search).
  • Message count and session duration.

3.6 IP Addresses

Collected transiently for rate limiting (20 requests per minute per IP) and bot detection. IP addresses are not stored in the database.

3.7 Shopper-Uploaded Images

On supported stores, Shoppers may upload images in chat. These are transmitted to Google Vertex AI for analysis and then deleted. Images are not retained in Shopilot's storage after the response is generated.

3.8 Discovery Events

For discoverable stores, we record anonymous event signals (impression, profile view, chat click, WhatsApp click) and any search query used to find the store. These contain no personally identifiable information.

4. How We Use the Data

4.1 For Merchants

  • Create and maintain your account and organization.
  • Operate the platform and AI assistant features you have subscribed to.
  • Bill you via Paddle and manage your subscription.
  • Send transactional communications (receipts, payment alerts, usage summaries).
  • Provide customer support.
  • Enforce our Terms & Conditions and prevent abuse.
  • Improve the platform based on aggregate, anonymized usage patterns.
  • Verify your phone number via OTP when you choose to add one.

4.2 For Shoppers

  • Power the AI shopping assistant on behalf of the Merchant.
  • Store conversation history for contextually aware responses.
  • Generate leads in the Merchant's dashboard when Shoppers share contact details.
  • Detect and block automated bot traffic.

5. AI Processing and Google Vertex AI

The AI assistant is powered by Google's Gemini models via Google Vertex AI. On each conversation turn, we transmit the following to Google's servers in the United States:

  • The Shopper's message (and any uploaded image).
  • Prior conversation history for that session (up to the last 12 turns).
  • The Merchant's product catalog as formatted text (names, descriptions, prices, attributes, AI notes). For large catalogs, only the most relevant products are included via retrieval-augmented generation (RAG).
  • The Merchant's system prompt, store details, branding, and working hours.
  • Current date and detected conversation language.

We do not intentionally send any Shopper's name, phone number, email, or other personally identifiable information to Google Vertex AI in the system prompt. However, if a Shopper includes personal details in their messages, those messages will be part of the conversation history transmitted.

Google processes this data as a sub-processor under its Cloud Data Processing Addendum. Google does not use Vertex AI data to train its base models.

6. Third-Party Sub-Processors

We use the following sub-processors to operate the platform:

| Provider | Purpose | Data Transferred | Location |
| --- | --- | --- | --- |
| Google LLC (Vertex AI) | AI model inference | Conversation history, product catalog, Merchant config, Shopper messages | United States |
| Supabase Inc | Database, authentication, file storage | All personal data in Sections 2 and 3 | United States |
| Paddle.com Market Limited | Payment processing & subscriptions | Merchant email, billing address, payment card (handled by Paddle directly) | UK / EU |
| Twilio Inc | SMS OTP delivery | Merchant phone number, OTP text | United States |
| Vercel Inc | Application hosting & CDN | All data passing through the application | US (global edge) |
| Meta (WhatsApp Business API) | WhatsApp lead notifications (optional) | Merchant WABA credentials, destination phone numbers, notification messages | United States |
7. Data Retention

7.1 Merchant Account Data

Retained while the subscription is active. After account deletion, it is permanently deleted within 30 days. Billing records may be kept for up to 7 years to meet financial obligations.

7.2 Shopper Conversations

Conversation data moves through three stages automatically:

| Stage | Storage | Duration |
| --- | --- | --- |
| Hot | Queryable Postgres | 30 / 90 / 365 days |
| Warm | Compressed archive | +60 / +275 / +365 days |
| Cold | Permanently deleted | after warm expires |

Conversation summaries and anonymized insights (turn counts, token costs, resolution type) are retained indefinitely for Merchant analytics. No individual messages survive past the warm archive expiry.

Bounce sessions (single-message conversations with no meaningful content) are purged within 2 hours.

7.3 Lead Data

Contact details Shoppers share are stored as leads in the Merchant's account. The Merchant controls this data. Shoppers requesting deletion should contact the Merchant directly, or email support@shopilot.store and we will forward the request.

7.4 Audit Logs

Auto-deleted after 30 / 90 / 365 days (Starter / Growth / Scale).

7.5 OTP Data

OTP hashes and expiry timestamps are cleared immediately after successful verification or on a new OTP request. OTPs expire automatically after 10 minutes.

8. International Data Transfers

Our primary infrastructure is in the United States. If you are in the EEA, UK, or another jurisdiction with transfer restrictions, your personal data will be transferred to the US.

We rely on the following transfer mechanisms (as applicable):

  • Standard Contractual Clauses (SCCs) issued by the European Commission.
  • Adequacy decisions where applicable.
  • The UK International Data Transfer Agreement (IDTA) for UK data subjects.

Merchants requiring EU or UK data residency should contact support@shopilot.store.

9. Your Rights

9.1 Merchant Rights

  • Access — request a copy of the personal data we hold about you.
  • Correction — update inaccurate data via the dashboard or by contacting us.
  • Deletion — delete your account and all associated data from dashboard settings. This is permanent and cascades to all organization data.
  • Restriction — ask us to stop certain processing while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format. Contact us to request.
  • Opt-out of marketing — unsubscribe using the link in any non-transactional email.

9.2 Shopper Rights

Shoppers do not hold an account with Shopilot. The Merchant is the controller of Shopper data. To exercise your rights as a Shopper:

  • Contact the Merchant directly (the business whose chat widget you used).
  • If the Merchant doesn't respond, email support@shopilot.store with the store name and we will forward your request and assist where technically possible.

9.3 California Residents (CCPA / CPRA)

California residents may request to know what personal information we collect, request deletion, opt out of any "sale" (we do not sell personal information), and not be discriminated against for exercising these rights. Contact us at support@shopilot.store.

9.4 Response Time

We aim to respond within 30 days. Complex requests may take up to 90 days with notice.

10. Cookies and Local Storage

| Name | Type | Purpose | Expiry |
| --- | --- | --- | --- |
| chat-token | HTTP-only cookie | Signed session token (visitor ID + store slug). Prevents forgery. | 24 hours |
| visitor_id | localStorage | Pseudonymous visitor ID persisted across page loads for conversation continuity. | Until cleared |
| supabase-auth-token | HTTP-only cookie | Merchant authentication session (dashboard only). Managed by Supabase Auth. | 1 hour (auto-refreshed) |

We do not use advertising cookies, third-party tracking pixels, or cross-site tracking technologies.

11. Security

  • All data transmitted between your browser and our servers is encrypted using TLS 1.2+.
  • Database access is controlled by row-level security (RLS) — Merchant data is scoped per organization and cannot be accessed cross-tenant.
  • Auth tokens are HTTP-only and signed with server-side secrets.
  • OTP codes are hashed (SHA-256) before storage — plaintext codes are never written to the database.
  • Third-party integration secrets (e.g., WhatsApp access tokens) are encrypted at the application layer before storage.
  • Payment card data is handled entirely by Paddle and never transmitted to or stored on Shopilot servers.

No system is perfectly secure. If you discover a vulnerability, please disclose it responsibly to support@shopilot.store.

12. Children's Privacy

The Shopilot platform is intended for use by adults (18+). Merchants who deploy the chat widget are responsible for ensuring their shopper base is age-appropriate and that they comply with applicable child privacy laws (e.g., COPPA, GDPR Article 8).

Shopilot does not knowingly collect personal data from children under 13. If you believe we have inadvertently done so, contact support@shopilot.store and we will delete it promptly.

13. Merchant Obligations Regarding Shopper Data

Merchants are the data controllers for all Shopper data collected through their embedded chat widget. By using Shopilot, Merchants agree to:

  • Maintain a compliant privacy notice on their own website that discloses the use of AI and third-party services.
  • Obtain any legally required consents from Shoppers before deploying the chat widget.
  • Honor Shopper data subject rights within the timeframes required by applicable law.
  • Not instruct the AI to solicit sensitive categories of personal data (health, financial, political, or religious information) from Shoppers.
  • Comply with applicable data protection laws (GDPR, CCPA, KSA PDPL, UAE PDPL, and local equivalents).

14. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify Merchants via their account email at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance.

15. Contact Us

For any privacy-related questions, requests, or complaints:

Shopilot Privacy Team

[LEGAL ENTITY NAME]

[REGISTERED ADDRESS]

support@shopilot.store

If you are in the EEA and believe we have not resolved your complaint satisfactorily, you have the right to lodge a complaint with your local supervisory authority.