Privacy Policy

Last updated: October 25, 2025

Our Commitment to Privacy

Aeyora AI is committed to protecting the privacy and security of customer data processed through our Shopify app. This privacy policy explains how we collect, use, and protect personal data in compliance with privacy regulations and Shopify's protected customer data requirements.

Data We Collect and Process

Device & Session Data

  • Device fingerprints via FingerprintJS for unique visitor identification
  • Session identifiers that reset per browser session
  • UTM parameters and landing page URLs for marketing attribution
  • Search queries and product interaction data within the widget

Customer Information

  • Customer email addresses collected only from completed purchases via Shopify webhooks
  • Order details and transaction information from Shopify order webhooks
  • No collection of personal data during browsing - only post-purchase

Behavioral Analytics

  • Page views, search behavior, and product interactions
  • Purchase funnel progression and conversion events
  • Time-based behavioral patterns for purchase intent analysis
  • Cart abandonment and recovery tracking

How We Use Your Data

Search Optimization

We analyze search queries to improve semantic understanding and provide relevant product recommendations through AI-powered search enhancements.

Analytics & Insights

Customer data is processed to generate actionable insights about visitor behavior, conversion funnels, and marketing attribution for merchant analytics dashboards.

Data Protection & Security

Encryption & Authentication

  • Data at rest: AES-256-CBC encryption for all stored customer emails
  • Data in transit: TLS 1.3 encryption for all API communications
  • HMAC authentication: All event data cryptographically signed
  • Merchant isolation: Prevents cross-merchant data access

Access Controls

  • Environment-based access controls via configuration management
  • API authentication through HMAC signature validation
  • Structured logging for all customer data operations
  • Production and test environments strictly separated

Data Sharing & Third-Party Services

External Services

  • Google Cloud BigQuery: Encrypted customer data storage
  • Google Cloud Storage: Backup storage for event files
  • FingerprintJS: Device fingerprint generation (no personal data transmitted)
  • Shopify APIs: Order and customer data received via webhooks only

AI Processing

  • Customer emails never sent to OpenAI or other AI services
  • Only aggregated, pseudonymized behavioral metrics used for AI analysis
  • AI recommendations based on product interactions, not personal identifiers

Customer Rights & Control

Browser-Based Control

  • Users can clear localStorage/sessionStorage to reset all tracking
  • No persistent tracking across browser clearing or incognito mode
  • Session-based attribution prevents cross-session data pollution
  • Domain-specific fingerprinting only - no cross-site tracking

GDPR Compliance

  • Automated GDPR endpoints for customer data redaction, export, and access requests
  • Customer email encryption with AES-256-CBC before storage
  • Comprehensive audit logging with privacy-safe hashed identifiers
  • Right to access, rectify, and delete personal data upon request

Data Retention

  • Search analytics data: 24 months for trend analysis
  • Customer behavior data: 12 months for lifetime value calculations
  • Marketing attribution data: 18 months for campaign optimization
  • Customer email addresses: Encrypted in BigQuery, accessible via GDPR endpoints
  • Session data: Automatically expires per browser session

Compliance & Legal Framework

Aeyora AI operates in compliance with:

  • Shopify Partner Program Agreement and API Terms of Use
  • Shopify Protected Customer Data Requirements (Level 2 compliance)
  • General Data Protection Regulation (GDPR) for EU customers
  • California Consumer Privacy Act (CCPA) for California residents
  • Other applicable privacy laws including PIPEDA, LGPD, and regional regulations

Updates to This Policy

We may update this privacy policy to reflect changes in our practices, legal requirements, or service features. Material changes will be communicated to merchants through:

  • Shopify Partner Dashboard notifications
  • Email notifications to merchant contacts
  • In-app notifications within the Aeyora AI interface
  • Version history maintained on our website

Continued use of Aeyora AI after changes constitutes acceptance of the updated policy. For material changes affecting customer rights, we may require explicit consent.

Questions or Concerns?

If you have questions about this privacy policy or how we handle your data, please contact our privacy team at privacy@aeyora.com. We're committed to transparency and will respond to all inquiries within 48 hours.

For urgent security matters, contact security@aeyora.com immediately.

For data subject requests (automated data access, deletion, or export), contact requests@aeyora.com.