1. Introduction

Sortiq AI ("Sortiq", "we", "us", or "our") operates the Sortiq AI platform, a Shopify application that provides AI-powered customer support tools for e-commerce merchants. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our services.

By installing our Shopify application or using our dashboard, you agree to the practices described in this policy.

2. Data We Collect

2.1 Merchant Data (Store Owners)

• Name and email address (for account creation and authentication)
• Store name and Shopify domain
• Shopify API access token (for data synchronization)
• Account preferences and settings

2.2 Customer Data (Synced from Shopify)

When merchants connect their Shopify store, we sync the following customer data to provide AI-powered support:

• Customer name, email address, and phone number
• Shipping and billing addresses
• Order history (order numbers, items, totals, fulfillment status)
• Marketing consent preferences
• Customer tags and notes

2.3 Conversation Data

• Chat messages between customers and the AI support agent
• Support ticket details and resolutions
• Conversation metadata (timestamps, status)

2.4 Usage Data

• HTTP request logs (IP address, user agent, timestamps)
• Feature usage and interaction patterns
• Error logs for debugging and service improvement

3. How We Use Your Data

We process personal data exclusively for the following purposes:

• AI Customer Support: Enabling the AI agent to identify customers, reference order history, and provide personalized support responses.
• Order Management: Processing refund requests, return/exchange evaluations, and order status inquiries based on merchant-configured policies.
• Customer Relationship Management: Displaying customer profiles, order history, and conversation history in the merchant dashboard.
• Analytics: Providing merchants with aggregated insights about customer interactions and support performance.
• Service Operation: Authentication, security monitoring, and platform maintenance.

We do not sell, rent, or share personal data with third parties for marketing purposes. We do not use customer data for any purpose beyond providing the services described above.

4. Data Storage and Security

4.1 Infrastructure

• Data is stored in MongoDB Atlas with encryption at rest (AES-256)
• All data in transit is encrypted via TLS/HTTPS
• Database backups are encrypted automatically by the cloud provider
• Test and production environments are fully separated

4.2 Access Controls

• Role-based access control (RBAC) ensures merchants can only access their own store data
• JWT-based authentication with secure token handling
• Strong password requirements enforced (minimum 8 characters, uppercase, lowercase, numbers, and special characters)
• API rate limiting to prevent abuse (100 requests per minute)

4.3 Shopify API Credentials

Shopify access tokens are stored securely and excluded from default database queries. They are only retrieved when actively synchronizing data with Shopify.

5. Data Retention

• Active accounts: Data is retained for as long as the merchant's Shopify app is installed and the account is active.
• Store disconnection: When a merchant disconnects their store, all associated data (customers, orders, conversations, agents, knowledge base, tickets) is permanently deleted.
• App uninstallation: Within 48 hours of uninstalling the Shopify app, all store data is automatically purged in compliance with Shopify's mandatory GDPR webhooks.
• HTTP logs: Request logs are retained for up to 90 days for security and debugging purposes.

6. Data Sharing

We share data only with the following categories of service providers:

• Shopify: We communicate with Shopify's APIs to sync store data (as authorized by the merchant).
• OpenAI: Customer messages and relevant context are sent to OpenAI's API for AI-powered response generation. OpenAI processes this data under their data processing agreement and does not use API inputs for training.
• Cloud Infrastructure: MongoDB Atlas (database hosting) and our cloud hosting provider process data as part of service delivery.

We do not sell personal data. We do not share personal data with advertisers or data brokers.

7. Customer Rights (GDPR & CCPA)

7.1 For End Customers

Customers of Shopify stores using Sortiq have the following rights:

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Deletion: Request erasure of your personal data. We honor Shopify's customer redaction webhooks and anonymize all associated records.
• Right to Opt-Out: We respect marketing consent preferences synced from Shopify. We do not sell personal data, so CCPA opt-out of sale is not applicable.
• Right to Data Portability: Request your data in a machine-readable format.

7.2 For Merchants

• Full control over connected data via the Sortiq dashboard
• Ability to disconnect the store and trigger immediate data deletion
• Access to customer data, conversation history, and analytics within the platform

8. Consent

• Merchants consent to data processing by installing the Sortiq Shopify app and connecting their store.
• Customer marketing consent preferences from Shopify are synced and respected.
• Chat widget interactions include a disclosure that messages are processed by an AI assistant.

9. Cookies

The Sortiq dashboard uses essential cookies for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify merchants via email or an in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

• Email: privacy@sortiq.ai
• Support: Via the Sortiq dashboard Help & Support section