Privacy Policy

ShopMind ("we", "us") operates TackleAI and other niche AI shopping consultants for online stores. The data controller is ShopMind, reachable at privacy@shopmind.co.

From merchants who install the app:

• Shopify shop domain, shop name, and owner email (provided by Shopify during OAuth).
• An encrypted Shopify access token so we can read your product catalog and inject the widget on your storefront.
• Your widget configuration: persona name, brand color, avatar image, position, custom greeting.
• Your product catalog (titles, descriptions, prices, inventory, images, tags) — used to power product recommendations.
• Billing status and plan (managed via the Shopify Billing API).

From visitors who chat with the widget:

• A randomly generated session ID stored in the visitor's browser (used to keep the chat history within a single visit).
• The messages they send to the widget and the responses we generate.
• Their browser language (used to pick the chat language).
• The conversation metadata: timestamps, AI model used, token counts.

We do not ask for, store, or read the visitor's name, email, address, phone number, payment details, or Shopify customer account. The session ID is pseudonymous and not linked to a real-world identity.

• Run the chat widget on your storefront and answer visitor questions.
• Recommend products from your catalog to visitors based on what they ask.
• Show you conversation history and basic analytics in your dashboard.
• Bill you according to your selected plan.
• Email you about your account, trial status, and material changes to the service.

We never sell merchant or visitor data, and we never use chat content to train third-party foundation models.

We rely on a small set of processors. They only receive what they need to do their job:

• Anthropic — chat messages are sent to Anthropic's Claude API for response generation. Anthropic does not retain or train on this data per their API terms.
• Voyage AI — product titles and descriptions are embedded by Voyage for semantic search.
• Supabase — Postgres database hosting (EU region) and storage for uploaded avatar images.
• Railway — backend application hosting.
• Vercel — dashboard and widget asset hosting.
• Shopify — OAuth, product sync, ScriptTag injection, and recurring billing.

We do not share data with advertising networks, data brokers, or any party outside the list above.

The widget uses sessionStorage and localStorage in the visitor's browser to keep the chat panel open across page navigations and remember the last 40 messages of a session. We do not set tracking or advertising cookies, and we do not fingerprint visitors.

• Chat messages and conversation metadata: retained for as long as the shop is active.
• Product catalog: kept in sync with Shopify; deleted within 30 days after the app is uninstalled.
• Merchant account and billing records: retained for the duration of the subscription, then 6 months after cancellation for accounting and tax reasons, then deleted.
• Avatar images: deleted from storage when the merchant removes them or uninstalls the app.
• When Shopify sends us a shop/redact webhook (48 hours after a final uninstall), we permanently delete the shop's products, conversations, messages, and shop record.

If you are in the EU, UK, or Switzerland, the GDPR (or equivalent local law) gives you the right to access, correct, export, and delete personal data we hold about you. To exercise any of these rights, email privacy@shopmind.co. We respond within 30 days.

Merchants can also trigger an immediate data deletion by uninstalling the app from their Shopify admin — Shopify automatically notifies us via the shop/redact webhook, and we comply.

Shopify access tokens are stored encrypted at rest. All traffic between the widget, dashboard, and our backend is over TLS. Database backups are encrypted and access is restricted to authorized engineers. We do not maintain a customer-data warehouse outside the services listed in section 4.

ShopMind is operated from Switzerland. Some of our processors (Anthropic, Vercel, Railway) operate in the United States. Transfers rely on Standard Contractual Clauses or equivalent safeguards.

The TackleAI widget is intended for use by adult shoppers and merchants. We do not knowingly collect data from children under 16.

We will update this page if our practices change. Material changes will be announced by email to merchants on a paid plan at least 14 days before they take effect.

Questions, complaints, or data-subject requests: privacy@shopmind.co.