Privacy Policy

Introduction

Ustam "the App" provides AI-powered customer support chat assistant service "the Service" to merchants who use Shopify to power their stores. This Privacy Policy describes how personal information is collected, used, and shared when you install or use the App in connection with your Shopify-supported store.

Personal Information the App Collects

We collect personal information directly from the relevant individual, through your Shopify account, and through the technologies described below.

Information Accessed from Your Shopify Account

When you install the App, we are automatically able to access certain types of information from your Shopify account:

• Store information — shop name, domain, email address, address, phone number, currency, and timezone; used to configure and identify your account
• Product catalog — product titles, descriptions, prices, variants, and inventory; used to power AI assistant responses
• Customer profiles — name and email address of customers who are actively logged in and using the chat; used solely to personalize the chat experience
• Order information — order status and details for logged-in customers who ask about their orders; used to provide accurate order support
• Store content — pages, blogs, and articles (read_content); used so the AI assistant can answer questions about your store
• Legal policies — refund, privacy, shipping, and terms policies (read_legal_policies); used so the assistant can answer policy-related questions

Information Collected Directly from Merchants

When you create an account and use the App, we additionally collect:

• Registration information — name and email address provided when you create an account
• Subscription and billing status — plan tier and billing status managed through Shopify App Billing (we do not collect or store payment card numbers)
• Usage and analytics data — feature usage, conversation volumes, and performance metrics used to operate and improve the Service
• Device and browser information — IP address, browser type, and time zone collected when you access the admin dashboard

Information from Merchant Customers (Chat Users)

When end customers use the chat assistant on a merchant's store, we collect minimal personal data:

• Name — only when the customer is logged in to the merchant store
• Email address — only when the customer is logged in to the merchant store
• Conversation messages and content exchanged during the chat session
• Current page context — the page type (e.g. product, collection, home) and page path the customer is currently viewing on the storefront; used to provide relevant chat assistance. Page navigation events are recorded in the conversation to help support staff understand the customer's browsing context.
• Cart summary — the number of items, total price, and product titles in the customer's shopping cart; used to provide cart-aware assistance. Cart data is not stored beyond the active chat session.

Note: On the storefront chat widget we do not collect addresses, payment information, or order data beyond what is needed to answer a specific support query. Name and email are collected only when the customer is logged in to the merchant store. Cart data (item count, total, and product titles) is used during the active chat session to power responses and is not stored as a separate database record; page navigation during a chat may be recorded as conversation events. If you connect additional channels (such as WhatsApp), we collect identifiers required by that channel (for example, a phone number for WhatsApp).

Tracking Technologies

We collect information using the following technologies:

• Authentication cookies — when you sign in to the merchant admin dashboard, we use cookies (such as session and CSRF tokens) to keep you signed in securely.
• Google Analytics — on our marketing website (ustam.ai), we use Google Analytics to understand how visitors use the site. You can opt out via your browser settings or Google's tools. This does not apply to the embedded chat widget on merchant storefronts.
• Log files — server logs that may include your IP address, browser type, referring/exit pages, and date/time stamps when you access the App or dashboard.

How Do We Use Your Personal Information?

We use the personal information we collect from you and your customers in order to provide the Service and to operate the App. Additionally, we use this personal information to:

• Provide, maintain, and improve the App and the Service
• Communicate with you about your account, billing, and updates to the Service
• Analyze usage patterns to enhance the user experience and develop new features
• Detect and prevent fraud, abuse, and security incidents

Sharing Your Personal Information

We do not sell your personal information. We may share your information only with the following parties and in the following circumstances:

• AI service providers (such as OpenAI) — conversation content and related context are shared to generate assistant responses. These providers process data solely on our behalf under strict confidentiality obligations.
• Analytics providers (such as Google) — on our marketing website only, as described under Tracking Technologies above.
• Infrastructure and hosting providers — cloud database and server providers used to store and process data on our behalf.
• Legal compliance — when required by applicable law, regulation, court order, or to protect the rights and safety of Ustam or others.
• Business transfers — in connection with a merger, acquisition, financing, or sale of all or a portion of our assets.

Data Security

We implement appropriate technical and organizational measures to protect your personal information, including encryption at rest and in transit, access controls, and regular security reviews.

Chat message content, conversation summaries, and feedback comments are additionally encrypted with a separate per-company (tenant) key. Each company's chat data is cryptographically isolated from every other company's, so a database read by itself does not yield readable conversation text. Inbox search across this encrypted content uses a per-company index of hashed search tokens rather than the message text itself, so search queries are matched against hashes — not plaintext — at the database layer.

Decryption happens only inside our application servers while serving a request (for example, when an authorized staff user opens a conversation, or when a message is delivered to the customer's chat channel). The keys that unlock this data are held by our application and are not shared with sub-processors except as needed to operate the Service (see "Sharing Your Personal Information" above).

However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

Data Retention

We retain your personal data only for as long as necessary to provide our services. Personal data is automatically deleted when:

• You request deletion of your personal data
• A shop uninstalls our app — all shop and related data is deleted within 48 hours of uninstallation
• The data is no longer needed for the purpose for which it was collected

Data Deletion When You Uninstall

When you uninstall the Ustam app from your Shopify store, Shopify sends us a compliance webhook (shop/redact) 48 hours after uninstallation. Upon receiving this webhook, we permanently delete your shop record and all associated data. This includes: store information and settings, all conversations and messages, AI assistants and their configurations, product and recommendation data we cached, subscriptions and service connections, and related files (e.g. assistant logos). We also remove any external resources linked to your shop (e.g. search indexes). We do not retain your data after uninstall except as needed for backups (see below).

Backup copies are retained for up to 30 days and are automatically purged after this period.

Your Rights

Regardless of where you live, you may exercise the following rights regarding personal information we process about you, subject only to limits required by applicable law:

• Know — the categories of personal information we collect, the sources, the purposes for collection and use, and the categories of third parties to whom we disclose it (described in this Privacy Policy)
• Access — access and receive a copy of the specific pieces of personal information we hold about you
• Correct — request correction of inaccurate personal information
• Delete — request deletion of your personal information
• Portability — receive a copy of your personal information in a portable, readily usable format (for example, structured JSON from an access request)
• Non-discrimination — not receive discriminatory treatment for exercising your privacy rights
• Restrict or object to certain processing, where applicable by law
• Withdraw consent where processing is based on consent

Practices we do not engage in

We do not sell personal information. We do not share personal information for cross-context behavioral advertising (targeted advertising across websites or apps). We do not use merchant or end-customer data for Ustam's own marketing campaigns. If you have questions about these practices, contact us at info@ustam.ai.

We use personal information only as needed to provide the Service. We do not use sensitive personal information for purposes beyond what is necessary to operate the App. If you believe we hold sensitive personal information about you and have questions, contact us at info@ustam.ai.

Our AI chat assistant does not make automated decisions that produce legal or similarly significant effects (such as credit, employment, or housing decisions). If that changes, we will update this policy and provide any opt-out required by law.

How to exercise your rights

Contact us at info@ustam.ai to exercise any of the rights above. We will respond within the timeframe required by applicable law (for example, 45 days under California law, with a single extension when permitted). You may use an authorized agent to submit a request on your behalf; we may require proof of the agent's authority and verification of your identity.

If you are an end customer chatting on a merchant's store, the merchant is the data controller for that interaction and Ustam acts as their processor — please contact the store first for requests about your chat data; we will assist the merchant as required.

Shopify merchants can also use Shopify's mandatory compliance webhooks (customers/data_request, customers/redact, shop/redact) for automated export and deletion of customer and shop data stored by the App. Merchants may correct contact records in the admin dashboard; end-customer chat data export and deletion are handled through those webhooks or via the merchant's request to us.

We process personal information to provide the Service (performance of a contract), to operate, secure, and improve the Service (legitimate interests), and where required by law (legal obligations). Your information may be processed in the United States and other countries where we or our service providers operate; we use appropriate safeguards for international transfers as required by applicable law. If you believe we have not addressed your request, you may contact us again or raise a concern with a data protection regulator in your jurisdiction.

Cookies and Tracking Technologies

See the Tracking Technologies section above for details on cookies and analytics we use. You can instruct your browser to refuse cookies or to indicate when a cookie is being sent. Note that refusing authentication cookies will prevent you from staying signed in to the admin dashboard.

Changes

We may update this privacy policy from time to time in order to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date.

Contact Us

For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by email at info@ustam.ai or by mail using the details below:

Email: info@ustam.ai