Privacy Policy
Effective date: April 2026
Last updated: 2026-04-06
Data controller: Carlos Galindo Dumitrescu (Autonomo AI)
NIF: 05462757G
Address: Calle del Doctor Fleming 53, 3ºB, 28036 Madrid, España
Privacy contact: hola@agentaicorp.com
1. Introduction
Autonomo AI, operated by Carlos Galindo Dumitrescu (NIF: 05462757G), with domicile at Calle del Doctor Fleming 53, 3ºB, 28036 Madrid, España (“we”, “our”, “the Service”), provides an AI-powered sales and customer support platform for Shopify merchants. This Privacy Policy explains how we collect, use, and protect information when you use our Service, in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on the Protection of Personal Data (LOPDGDD).
This policy covers:
- Merchant data (store owners who install the Autonomo AI app)
- End-customer data (your store's customers who interact with the chat widget)
2. Information We Collect
2.1 Merchant Information
When you install Autonomo AI, we collect:
- Store name and Shopify domain
- Email address (from Shopify account)
- Billing information (processed by Shopify Billing API — we never store card details)
- Store configuration settings and AI agent instructions you provide
2.2 End-Customer Information
When your customers interact with the Autonomo AI chat widget, we process:
- Chat conversation content
- Customer name and email (if provided during the conversation)
- Order information retrieved from your Shopify store (order status, tracking numbers)
2.3 Usage Data
- Conversation volume and response metrics
- Widget interaction events
- Error logs (no personally identifiable information in logs)
3. How We Use Information
Merchant data is used to:
- Provide and operate the Service
- Process billing through Shopify's Billing API
- Send service communications (onboarding, feature updates, billing notices)
- Improve the Service
End-customer data is used to:
- Power the AI conversation engine (sent to Anthropic API for inference — see Section 5)
- Retrieve order information from your Shopify store on behalf of your customers
- Generate conversation analytics for your merchant dashboard
We do not sell customer data to third parties.
4. Data Retention
- Conversation data: Retained for 90 days, then permanently deleted
- Merchant account data: Retained while your account is active, deleted within 30 days of cancellation
- End-customer PII: Encrypted at rest (AES-256-GCM). Deleted on request within 30 days.
5. Third-Party Services
Autonomo AI uses the following sub-processors:
| Service | Purpose | Data shared |
|---|---|---|
| Anthropic (Claude API) | AI conversation inference | Conversation messages (no PII stored by Anthropic per their zero-retention policy) |
| Neon (PostgreSQL) | Database | Encrypted merchant and conversation data |
| Vercel | Hosting and compute | Application logs, request metadata |
| Shopify | App platform and billing | Shopify-provided merchant and order data |
| Upstash (Redis) | Rate limiting | IP addresses and merchant IDs (no content) |
6. GDPR / Data Subject Rights
If you or your customers are in the European Union or EEA, the following rights apply:
- Right to access: Request a copy of your data
- Right to erasure: Request deletion of your data
- Right to portability: Receive your data in machine-readable format
- Right to object: Object to processing of your data
To exercise these rights, contact: hola@agentaicorp.com
We respond to all requests within 30 days.
For end-customers of Shopify stores using Autonomo AI: Your data is processed on behalf of the merchant. Requests should be directed to the merchant first. We will cooperate with merchants to fulfill data subject requests.
7. Shopify App-Specific Data Handling
Autonomo AI handles the following Shopify data subject requests automatically:
- Customer data erasure (`customers/redact` webhook): We permanently delete all stored data associated with the customer within 30 days
- Shop data erasure (`shop/redact` webhook): When you uninstall the app, all store data is deleted within 30 days
- Customer data requests (`customers/data_request` webhook): We respond with all stored data associated with the customer within 30 days
8. Security
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256-GCM)
- Customer PII (names, emails) is stored encrypted with a blind index for search
- Access tokens are encrypted before database storage
- Rate limiting on all endpoints to prevent abuse
- Security audits performed regularly
9. Contact
For privacy questions or data requests:
- Data controller: Carlos Galindo Dumitrescu (Autonomo AI)
- Email: hola@agentaicorp.com
- Address: Calle del Doctor Fleming 53, 3ºB, 28036 Madrid, España
- Response time: Within 30 days
You also have the right to file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
10. Changes to This Policy
We may update this policy. We will notify merchants via email at least 30 days before material changes take effect.