Privacy Policy
Botswe Shopify Assistant · Effective date: 2026-05-04
This Privacy Policy describes how Botnoos S.r.l. ("Botswe", "we") collects, uses, stores and shares personal information when merchants install the Botswe Shopify Assistant app on their Shopify store.
1. Data we collect
When the merchant installs the app, we receive from Shopify:
- Shop information: shop domain, shop name, email, currency, locale, timezone.
- Admin API access token (encrypted at rest with AES-256-GCM).
- OAuth scopes granted: read_products, read_customers, read_orders, read_checkouts, read_inventory, write_discounts.
When a visitor interacts with the chat widget on the merchant's storefront, we may collect:
- Anonymous visitor identifier (UUID) stored in the visitor's browser.
- Logged-in customer ID (if available from window.ShopifyAnalytics).
- Active cart token (from the cart cookie).
- Messages typed in the chat (text content of the conversation).
- Page type / current product viewed, locale, currency.
We do NOT collect: payment information, full credit card numbers, government IDs.
2. How we use data
- Provide AI-generated responses based on the merchant's catalog and policies.
- Add products to the visitor's cart via Shopify Storefront MCP.
- Show conversation history to the merchant's operators in the Botswe dashboard.
- Improve answer quality through aggregate analytics (no individual identification).
3. Data retention
- Conversations: 90 days rolling window (DynamoDB TTL automatic deletion).
- Shop session (token + shop info): until app uninstall, then 48h grace period, then permanently deleted.
- Aggregate analytics: indefinitely, fully anonymized.
4. Your rights (GDPR / CCPA)
You can exercise these rights at any time via your merchant portal, or by emailing privacy@botnoos.com:
- Right of access (Art. 15 GDPR): request a copy of your data.
- Right to erasure (Art. 17 GDPR): request deletion of your data.
- Right to portability (Art. 20 GDPR): receive data in machine-readable format.
- Right to object (Art. 21 GDPR): opt out of processing.
For end-customers (visitors), Shopify forwards mandatory webhook requests to us:
- customers/data_request: we forward the visitor's conversation history to the merchant.
- customers/redact: we delete the visitor's customerId from all messages.
- shop/redact: 48h after uninstall, we permanently delete all shop data.
5. Third parties (Sub-Processors)
| Sub-Processor | Purpose | Region | Transfer safeguards |
|---|---|---|---|
| Amazon Web Services | Hosting, DDB, Bedrock AI, S3, Lambda | Frankfurt (EU) | EU primary, SCC + DPF for any incidental US transfer |
| Shopify Inc. | Source data via official APIs (Storefront MCP, Admin API) | Global | SCC + DPF |
| OpenAI Inc. | AI fallback model (only when AI_PROVIDER=openai) | USA | SCC + DPF certification |
| Google LLC | Authentication (Google OAuth via NextAuth) for merchant dashboard login only | USA | SCC + DPF certification |
| Cloudflare Inc. | CDN, DNS, DDoS protection | Global edge (incl. EU) | SCC + DPF certification |
| Stripe Inc. | Subscription billing of merchants (NO end-customer data) | EU + USA | SCC + DPF certification |
International transfers: where personal data is transferred to a third country outside the EEA, we rely on (a) European Commission adequacy decisions where applicable, (b) Standard Contractual Clauses (Commission Implementing Decision 2021/914) and (c) the EU-U.S. Data Privacy Framework (DPF) certification of the recipient where applicable.
No data is sold or shared with advertisers. Changes to Sub-Processors are notified to the merchant via email at least 30 days in advance.
A full Data Processing Agreement (Art. 28 GDPR) is available; merchant click-through acceptance is required at first login.
6. Security
- All API tokens encrypted at rest (AES-256-GCM, master key in AWS KMS-equivalent secure storage).
- HTTPS/TLS 1.3 for all transport.
- Multi-tenant isolation: every query enforces tenantId / shopDomain scoping.
- HMAC verification on all Shopify webhooks.
7. Cookies
The widget sets one first-party cookie bw_id on the visitor's browser (UUID, 365 days) to maintain conversation continuity across page reloads. No third-party tracking cookies.
8. Contact
Botnoos S.r.l.
Email: privacy@botnoos.com
Website: https://botswe.com
Data Protection Officer: dpo@botnoos.com
9. Changes
We will notify merchants via email at least 30 days before any material change to this policy.
For developer setup, see the technical documentation. For merchant onboarding, see the onboarding guide.