Privacy Policy — Merchant Copilot

Privacy Policy

Last updated: July 5, 2026

Merchant Copilot ("we", "our", or "the app") is a Shopify application that provides an AI-powered chat widget for Shopify storefronts. This Privacy Policy explains what information we collect, how we use it, and your rights.

1. Information We Collect

When a merchant installs Merchant Copilot, we collect and store:

2. Information We Do NOT Collect

3. How We Use Your Information

4. Third-Party Services

5. Data Retention and Deletion

When you uninstall Merchant Copilot, we delete your OAuth access token and all associated product chunks immediately upon receiving the app/uninstalled Shopify webhook. Any remaining data is purged within 48 hours via the shop/redact GDPR webhook.

You may also request deletion at any time by contacting us at the email below.

6. GDPR and Data Subject Rights

Because we do not store customer PII, there is no customer personal data to export or redact in response to customers/data_request or customers/redact webhooks. We respond to all Shopify mandatory GDPR webhooks within the required timeframe.

Merchants (data controllers) may contact us to request access, correction, or deletion of their shop-level data (shop domain, product chunks, usage records).

7. Security

Shopify OAuth tokens are stored in an encrypted PostgreSQL database. All traffic between the app and Shopify is over HTTPS. Webhook requests are validated using HMAC-SHA256 signatures before processing.

8. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the app after changes constitutes acceptance of the updated policy.

9. Contact

For privacy questions or data deletion requests, contact us at: pramithvidusara@gmail.com