Privacy Policy

Effective date: April 25, 2026

CartAgent ("we", "us", "our") operates an AI customer support agent for e-commerce stores. This Privacy Policy explains how we collect, use, and protect data when you use our Service.

1. Data We Collect

From Merchants: Shopify store domain, email address, store name, OAuth access tokens, billing information, and configuration preferences.

From Customers (End Users): Chat messages, email addresses (when provided), order numbers referenced in conversations, and browsing session data (page URL, cart contents) for the chat widget.

From Shopify APIs: Order details (status, tracking, items), product catalog data, and customer records — accessed only as needed to answer customer inquiries.

2. How We Use Data

• Generate AI responses to customer inquiries
• Retrieve relevant order, product, and policy information via RAG (Retrieval-Augmented Generation)
• Score response confidence and route low-confidence responses to human review
• Provide analytics dashboards to merchants
• Process billing and enforce subscription limits
• Send transactional notifications (escalation alerts, back-in-stock emails)

3. AI Processing

Customer messages and relevant context are sent to third-party AI providers (Anthropic Claude, OpenAI, AWS Bedrock) to generate responses. We use system prompts with strict grounding rules to prevent hallucination and data leakage between customers. AI providers process data under their respective data processing agreements and do not use your data for model training.

4. Data Storage & Security

Data is stored in encrypted PostgreSQL databases hosted on AWS. Conversation data, embeddings (vector representations of knowledge base content), and merchant records are isolated per merchant. We use TLS for all data in transit, encrypt sensitive fields at rest, and restrict database access to application services only.

5. Data Retention

• Conversations: Retained for 12 months, then auto-deleted
• Knowledge base embeddings: Retained while the merchant account is active
• Merchant account data: Retained until 30 days after account deletion
• Analytics events: Aggregated after 90 days, raw events deleted after 12 months

6. Data Sharing

We do not sell personal data. We share data only with:

• AI providers (Anthropic, OpenAI, AWS) — for response generation
• Shopify — for billing, authentication, and API access
• Stripe — for payment processing (WooCommerce merchants)
• AWS — for infrastructure (hosting, queues, email delivery)

7. Your Rights (GDPR / CCPA)

Merchants: You may access, export, correct, or delete your account data at any time from the dashboard settings or by contacting us.

Customers: End users may request data access or deletion through the merchant, who can use Shopify's GDPR tools. We support all three Shopify mandatory GDPR webhooks (data request, customer redact, shop redact).

8. Cookies

The chat widget uses a session cookie to maintain conversation state. The merchant dashboard uses authentication cookies. We do not use third-party tracking cookies.

9. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect data from children.

10. Changes

We will notify merchants of material changes via email at least 30 days in advance.

11. Contact

Data protection inquiries: [email protected]