Privacy Policy for AI Talk Shopify App

1. Information We Collect

1.1 Information from Merchants

When you install and use our Shopify App, we collect:

• Store information (store name, Shopify store URL, store ID)
• Contact information (email address, name)
• OpenAI API key (stored encrypted, used only for chat functionality)
• Store context data accessed through Shopify's MCP for chat responses
• Configuration settings and preferences
• Usage analytics and performance metrics

1.2 Information from End Users (Store Visitors)

When visitors interact with the chat widget on your store, we collect:

• Chat messages and conversation history
• Browser type and version
• Device information (type, operating system)
• IP address (for geographic location and security purposes)
• Session data and interaction timestamps
• Page URLs visited on the merchant\'s store

1.3 Information We Do NOT Collect

• Payment card information
• Social security numbers or government IDs
• Sensitive personal data (health, race, religion, etc.)

2. How We Use Information

2.1 Merchant Data

• Provide and maintain the AI chat widget service
• Process and respond to customer inquiries using AI
• Provide contextual responses using Shopify's MCP integration
• Send service-related communications and updates
• Provide customer support and technical assistance
• Monitor and analyze usage to improve our services
• Comply with legal obligations

2.2 End User Data

• Facilitate chat conversations and provide AI-powered responses
• Improve response accuracy and relevance
• Detect and prevent spam, fraud, and abuse
• Analyze chat patterns to enhance service quality

3. Data Storage and Security

3.1 Where We Store Data

• Primary servers: Located in Europe (EU region)
• CDN caching: AWS CloudFront may cache static assets globally
• Chat conversations: Stored encrypted on our European servers
• OpenAI interactions: Processed through your API key; OpenAI may retain logs for up to 30 days per their policy

3.2 Security Measures

We implement industry-standard security measures including:

• Encryption Algorithm: AES-256-GCM with authenticated encryption
• Key Management: Two-tier key system with Master Key and Data Encryption Keys (DEK)
• OpenAI API Keys: Encrypted using envelope encryption before storage
• Chat Conversations: All messages encrypted with unique DEKs per session
• TLS/SSL for all data in transit
• Regular security audits and vulnerability assessments

4. Data Sharing and Third Parties

4.1 Service Providers

We share data with trusted service providers:

• OpenAI: For AI processing via your API key (subject to OpenAI\'s privacy policy)
• Shopify: For MCP integration and app functionality
• Amazon Web Services: For hosting and CloudFront CDN services

4.2 We Do NOT:

• Sell your personal information to third parties
• Share data for advertising or marketing purposes without consent
• Transfer data to third parties except as described in this policy

5. Data Retention and Deletion

• Chat conversations: Automatically deleted after 90 days
• OpenAI logs: OpenAI retains API interaction logs for up to 30 days per their policy
• Merchant account data: Retained for payment records and compliance purposes
• Manual deletion: You can delete chat history and service data through the app\'s Settings
• Anonymization: Personal information can be anonymized through the "Anonymize personal information" feature

6. Your Rights and Choices

6.1 Merchant Rights

As a merchant, you have the right to:

• Access your personal data and chat history
• Correct or update your information
• Delete your account and associated data
• Export your data in a portable format
• Opt-out of non-essential communications
• Restrict or object to certain processing activities

6.2 End User Rights

Store visitors can:

• Request deletion of their chat history
• Opt-out of data collection by not using the chat widget
• Request information about data we hold about them

To exercise these rights, contact us at privacy@aitalk.ch

7. GDPR Compliance (For European Users)

If you are located in the European Economic Area (EEA), you have additional rights under GDPR:

• Legal basis: We process data based on contract performance, legitimate interests, or consent
• Data portability: Receive your data in a structured, machine-readable format
• Right to erasure: Request deletion of your personal data ("right to be forgotten")
• Complaint rights: Lodge a complaint with your local data protection authority

8. CCPA/CPRA Compliance (For California Users)

California residents have specific rights under CCPA/CPRA:

• Right to know what personal information we collect and how we use it
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell data)
• Right to non-discrimination for exercising privacy rights

9. Cookies and Tracking

The chat widget uses essential cookies to:

• Maintain chat session continuity
• Remember user preferences within a session
• Ensure security and prevent fraud

We do not use advertising or tracking cookies in the chat widget.

10. Children\'s Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

11. International Data Transfers

Your data may be transferred to and processed in countries outside your location. We ensure appropriate safeguards are in place, including:

• Standard contractual clauses approved by the European Commission
• Adequacy decisions where applicable
• Your explicit consent where required

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by:

• Posting the updated policy on our website and Shopify App listing
• Sending email notifications to registered merchants
• Displaying in-app notifications

Continued use of our service after changes constitutes acceptance of the updated policy.

13. Contact Information