Privacy Policy

Effective date: April 2026

Last updated: 2026-04-03

Company: Autonomo AI

Contact: privacy@autonomo.ai


1. Introduction

Autonomo AI (“we”, “our”, “the Service”) provides an AI-powered sales and customer support platform for Shopify merchants. This Privacy Policy explains how we collect, use, and protect information when you use our Service.

This policy covers:

  • Merchant data (store owners who install the Autonomo AI app)
  • End-customer data (your store's customers who interact with the chat widget)

2. Information We Collect

2.1 Merchant Information

When you install Autonomo AI, we collect:

  • Store name and Shopify domain
  • Email address (from Shopify account)
  • Billing information (processed by Shopify Billing API — we never store card details)
  • Store configuration settings and AI agent instructions you provide

2.2 End-Customer Information

When your customers interact with the Autonomo AI chat widget, we process:

  • Chat conversation content
  • Customer name and email (if provided during the conversation)
  • Order information retrieved from your Shopify store (order status, tracking numbers)

2.3 Usage Data

  • Conversation volume and response metrics
  • Widget interaction events
  • Error logs (no personally identifiable information in logs)

3. How We Use Information

Merchant data is used to:

  • Provide and operate the Service
  • Process billing through Shopify's Billing API
  • Send service communications (onboarding, feature updates, billing notices)
  • Improve the Service

End-customer data is used to:

  • Power the AI conversation engine (sent to Anthropic API for inference — see Section 5)
  • Retrieve order information from your Shopify store on behalf of your customers
  • Generate conversation analytics for your merchant dashboard

We do not sell customer data to third parties.


4. Data Retention

  • Conversation data: Retained for 90 days, then permanently deleted
  • Merchant account data: Retained while your account is active, deleted within 30 days of cancellation
  • End-customer PII: Encrypted at rest (AES-256-GCM). Deleted on request within 30 days.

5. Third-Party Services

Autonomo AI uses the following sub-processors:

Service | Purpose | Data shared
Anthropic (Claude API) | AI conversation inference | Conversation messages (no PII stored by Anthropic per their zero-retention policy)
Neon (PostgreSQL) | Database | Encrypted merchant and conversation data
Vercel | Hosting and compute | Application logs, request metadata
Shopify | App platform and billing | Shopify-provided merchant and order data
Upstash (Redis) | Rate limiting | IP addresses and merchant IDs (no content)

6. GDPR / Data Subject Rights

If you or your customers are in the European Union or EEA, the following rights apply:

  • Right to access: Request a copy of your data
  • Right to erasure: Request deletion of your data
  • Right to portability: Receive your data in a machine-readable format
  • Right to object: Object to processing of your data

To exercise these rights, contact: privacy@autonomo.ai

We respond to all requests within 30 days.

For end-customers of Shopify stores using Autonomo AI: Your data is processed on behalf of the merchant. Requests should be directed to the merchant first. We will cooperate with merchants to fulfill data subject requests.


7. Shopify App-Specific Data Handling

Autonomo AI handles the following Shopify data subject requests automatically:

  • Customer data erasure (customers/redact webhook): We permanently delete all stored data associated with the customer within 30 days
  • Shop data erasure (shop/redact webhook): When you uninstall the app, all store data is deleted within 30 days
  • Customer data requests (customers/data_request webhook): We respond with all stored data associated with the customer within 30 days

8. Security

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256-GCM)
  • Customer PII (names, emails) is stored encrypted with a blind index for search
  • Access tokens are encrypted before database storage
  • Rate limiting on all endpoints to prevent abuse
  • Security audits performed regularly

9. Contact

For privacy questions or data requests:

  • Email: privacy@autonomo.ai
  • Response time: Within 30 days

10. Changes to This Policy

We may update this policy. We will notify merchants via email at least 30 days before material changes take effect.