Privacy Policy

Last updated: April 18, 2026

This Privacy Policy explains how Chatious ("we", "us", "our") collects, uses, stores, and shares information when merchants install our Shopify application and when end customers ("shoppers") interact with the Chatious chat widget on a merchant's storefront. By installing or using Chatious, you agree to the practices described below.

1. Who we are

Chatious is an AI-powered chatbot designed for Shopify merchants. We provide 24/7 customer support automation, product discovery, and in-chat checkout assistance. For any privacy-related questions, contact us at privacy@chatious.app.

2. Information we collect

From merchants

• Store information: Shop name, domain, contact email, currency, locale, and plan tier — accessed via the Shopify Admin API.
• Catalog data: Products, variants, collections, prices, descriptions, and images used to train the chatbot.
• Content data: Pages, blog posts, policies, and any custom knowledge base entries you provide.
• Account data: User identity, role, and authentication tokens issued by Shopify.
• Billing data: Subscription status and plan, processed through Shopify's managed billing — we never see your payment card details.

From shoppers (end customers)

• Conversation content: Messages sent to and from the chatbot.
• Session data: Anonymous session identifier, timestamp, page URL where the chat occurred, browser type, and approximate location (country/region).
• Cart actions: Products added to cart through the chat widget.
• Order references: Order numbers or emails that shoppers voluntarily share when asking about order status.

We do not collect payment card details, government IDs, or sensitive personal categories such as health or biometric data.

3. How we use information

• To operate, maintain, and provide the Chatious chatbot service.
• To generate accurate, store-specific responses using AI models.
• To process in-chat add-to-cart actions on the merchant's storefront.
• To provide order tracking responses when shoppers request them.
• To improve product recommendations and conversation quality.
• To monitor usage limits, billing, and security.
• To communicate with merchants about updates, support, and account matters.

4. AI processing & subprocessors

Chatious uses third-party large language model providers to generate chatbot responses. Conversation content and relevant store context are sent to these providers strictly to produce a response. We use the following subprocessors:

• OpenAI — for AI response generation (data is not used to train their models).
• Anthropic (Claude) — for AI response generation (data is not used to train their models).
• Amazon Web Services (AWS) — for hosting, storage, and infrastructure.
• Shopify — for app distribution, authentication, and managed billing.

All subprocessors are bound by data processing agreements that meet GDPR standards.

5. Legal basis for processing (GDPR)

For merchants and shoppers in the EU/EEA and UK, we rely on the following lawful bases:

• Contract: processing necessary to deliver the Chatious service to merchants who installed the app.
• Legitimate interest: improving service quality, preventing abuse, and securing our systems.
• Consent: where required by local law for cookies, analytics, or optional features.

6. EU AI Act compliance

Chatious is built to comply with the EU AI Act. Shoppers are clearly informed that they are interacting with an AI assistant, not a human. We do not use the chatbot to perform prohibited practices such as social scoring, biometric inference, or manipulative profiling.

7. Data retention

• Conversation history: retained for 90 days by default to power continuity features and analytics. Merchants may request deletion at any time.
• Store catalog data: retained while the app is installed; deleted within 30 days of uninstall.
• Billing records: retained as long as required by tax and accounting laws (typically 7 years).
• Backups: securely deleted within 30 days of removal from primary storage.

8. Sharing & disclosure

We do not sell personal data. We share information only with:

• Subprocessors listed in Section 4, under contractual data protection terms.
• Shopify, where required for app functionality, authentication, or billing.
• Law enforcement or government bodies, when legally compelled to do so.
• Successors in the event of a merger, acquisition, or asset sale (with notice).

9. Data security

We implement industry-standard safeguards to protect data, including TLS encryption in transit, encryption at rest, access controls, audit logging, and regular security reviews. While no system is perfectly secure, we are committed to protecting the information you trust us with.

10. Your rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data ("right to be forgotten").
• Object to or restrict certain processing.
• Receive a portable copy of your data.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@chatious.app. We respond within 30 days.

11. Shopify mandatory data webhooks

Chatious complies with Shopify's mandatory GDPR webhooks: customers/data_request, customers/redact, and shop/redact. Upon receiving a redaction request, we permanently delete the relevant data within 30 days.

12. Cookies & tracking

The Chatious widget uses a single first-party cookie or local storage entry to maintain a chat session across page loads. We do not use advertising or third-party tracking cookies inside the widget.

13. International data transfers

Data may be processed in countries outside the EU/EEA, including the United States. When transferring personal data internationally, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards approved by the European Commission.

14. Children's privacy

Chatious is not directed at children under 13 (or 16 in the EU/EEA). We do not knowingly collect data from children. If we become aware of such collection, we will promptly delete the data.

15. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to merchants via email or in-app notice at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.

16. Contact us

For privacy questions, data requests, or concerns:
Email: privacy@chatious.app
Support: support@chatious.app