Privacy Policy
SupportBot ("the app", "we") is operated by Printube OÜ. This policy explains what data the app processes when a Shopify merchant installs it, why, and what rights merchants and their customers have. Questions: support@supportbot.app.
Data we collect
From the merchant's store
- Store identity: your
.myshopify.comdomain, granted API scopes, and an API access token (stored encrypted) needed to read store content. - Store content: products, pages, blog posts, and policies, which are synced into the app's knowledge base so the chatbot can answer from them.
- Merchant-provided content: FAQs, tone-of-voice examples, and custom knowledge notes you add in the dashboard.
- Settings and usage: widget configuration, plan name, and usage counters (AI replies and tokens used) for enforcing plan limits.
From the merchant's customers
- Chat messages: the questions customers type into the widget and the answers they receive, stored as conversation transcripts the merchant can review.
- Contact details for handoff: if a customer asks for a human and shares an email address, it is included in the escalation sent to the merchant.
The widget does not use advertising trackers and does not sell data to anyone. Conversation history is kept in the customer's browser session storage only for continuity across pages, capped and cleared by the browser.
How we use data
- To generate chat answers grounded in the merchant's store content.
- To match the merchant's tone of voice in answers.
- To escalate conversations to the merchant when the AI cannot help.
- To enforce plan limits and prevent abuse.
- To operate, secure, and improve the service.
Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Fly.io | Application hosting and database | Frankfurt, Germany (EU) |
| OpenAI | Generating answers and text embeddings | United States |
| Resend | Escalation and transactional email | EU region (eu-west-1) |
| Shopify | App platform, authentication, billing | Global |
Chat messages and relevant store content are sent to OpenAI's API to generate answers. Under OpenAI's API terms, this data is not used to train their models.
GDPR and customer rights
SupportBot implements all of Shopify's mandatory privacy webhooks:
- Customer data request: we compile the customer's conversation data for the merchant to pass on.
- Customer redact: the customer's personal details are redacted from stored transcripts.
- Shop redact: when a store uninstalls the app, all of its data — content, conversations, settings, and credentials — is deleted.
Merchants remain the data controller for their customers' data; SupportBot acts as a data processor on the merchant's behalf.
Retention
Data is retained while the app is installed. After uninstall, all shop data is deleted automatically via Shopify's shop-redact webhook schedule. Aggregated, non-identifying usage statistics may be retained for accounting.
Security
All traffic is encrypted in transit (TLS). Store access tokens are encrypted at rest (AES-256-GCM). Every database query is scoped to the requesting store — no store can ever read another store's data.
Changes
We will post any changes to this policy on this page and update the date above. Material changes will be announced in the app dashboard.
Contact
Printube OÜ · support@supportbot.app