Privacy Policy
Last updated: March 10, 2026
ActDesk AI (“we”, “our”, or “us”) operates an AI-powered customer support platform for Shopify merchants. This Privacy Policy explains how we collect, use, and protect data when you install our app or when your customers interact with the chat widget.
By installing the ActDesk AI Shopify app, you (the merchant) agree to this policy. Please read it carefully.
1. Data We Collect
From Merchants (via Shopify OAuth)
- Shopify store domain and shop ID (required to identify your store)
- Shopify access token (encrypted at rest using AES-256; used exclusively to query your store data on your customers’ behalf)
- Subscription plan and billing status (via Shopify Billing API)
- Agent configuration you set (tone, welcome message, escalation email, refund limits)
From Customer Chat Interactions
- Customer messages sent through the chat widget
- Customer email address (if provided voluntarily or via Shopify order lookup)
- Order and fulfillment data queried live from your Shopify store in response to customer questions (never stored permanently)
- Conversation transcripts (stored to power the merchant dashboard and for GDPR data export requests)
Automatically Collected
- Server-side logs (IP addresses, request metadata) — retained 30 days
- Performance telemetry (response times, token usage) — aggregated, no PII
2. How We Use Data
- Answering customer queries — We pass conversation history and relevant store data to an AI language model (Claude by Anthropic) to generate responses. We use the Anthropic API under a data processing agreement that prohibits Anthropic from training on your data.
- Dashboard analytics — Aggregated metrics (ticket counts, resolution rates, costs) shown to merchants. These are computed from conversation records and contain no customer PII in the aggregate view.
- Escalation notifications — We send email notifications to merchant-configured addresses when a conversation is escalated to a human agent.
- Billing — Subscription management is handled entirely by Shopify’s Billing API. We do not store payment card data.
- RAG knowledge base — Store policies and FAQs you configure are embedded (converted to vector representations) and stored to improve AI response accuracy for your store specifically.
3. AI / Machine Learning Data Policy
We do not use your data or your customers’ data to train AI models.
- Model provider: We use Anthropic’s Claude models (Haiku 4.5, Sonnet 4.6) via the Anthropic API. Per Anthropic’s API Terms of Service and our data processing agreement, API inputs and outputs are not used to train Anthropic models.
- Embeddings provider: We use OpenAI’s text-embedding-3-small API for converting store knowledge base content into vector representations. Per OpenAI’s API usage policies, API data is not used to train OpenAI models.
- No internal training: ActDesk AI does not collect, label, or use merchant or customer data for any internal ML training pipeline.
- Shopify AI/ML Policy compliance: This app complies with Shopify’s February 2026 AI/ML data policy requirements. Customer data accessed via Shopify APIs is used solely to respond to the customer’s current request and is not retained for model training, profiling, or any purpose beyond the stated service.
4. Data Sharing
We share data with the following sub-processors:
| Processor | Purpose | Data shared |
|---|---|---|
| Anthropic | AI response generation | Conversation messages (no persistent storage per API terms) |
| OpenAI | Embeddings (knowledge base) | Store policy/FAQ text only |
| Supabase (PostgreSQL) | Database hosting | All stored app data; SOC 2 Type II certified |
| Vercel | Application hosting | Server-side request data; SOC 2 Type II certified |
| Resend | Transactional email | Merchant email address and escalation content |
| Inngest | Background job processing | Webhook payloads (Shopify IDs only) |
We do not sell your data or your customers’ data to any third party.
5. GDPR & Customer Rights
If you are located in the European Economic Area or United Kingdom, you have the following rights:
- Right of access — Request a copy of all data we hold about you or your customers.
- Right to erasure — Request deletion of your personal data.
- Right to portability — Receive your data in a structured, machine-readable format.
- Right to object — Object to processing of your personal data.
Shopify GDPR webhooks: This app implements all Shopify-required GDPR mandatory webhooks:
- customers/data_request — We compile and return all stored conversation data for a customer upon request.
- customers/redact — We permanently delete all messages and anonymize conversation records for a customer within 30 days of a redact request.
- shop/redact — We permanently delete all data associated with a store 48 hours after uninstallation.
To exercise your rights, contact privacy@actdeskai.com.
6. Data Retention
- Conversation transcripts: retained for 12 months from the date of the conversation, or until a redact request is received.
- Store data: retained while the app is installed.
- All store data is permanently deleted 48 hours after uninstallation (per Shopify’s shop/redact webhook).
- Server logs: 30 days.
7. Security
- Shopify access tokens are encrypted at rest using AES-256 encryption.
- All data is transmitted over TLS 1.2 or higher.
- Database access is restricted to application servers; no public access.
- We use Shopify’s HMAC signature verification on all webhook deliveries.
8. Cookies
The customer-facing chat widget does not set any cookies. The merchant dashboard uses session tokens issued by Shopify App Bridge (not cookies) for authentication. We do not use tracking cookies or analytics cookies.
9. Changes to This Policy
We may update this policy from time to time. We will notify merchants via email at the store contact address on file. Continued use of the app after changes constitutes acceptance of the updated policy.
10. Contact
For privacy inquiries or to exercise your rights, contact our Data Protection Officer at:
ActDesk AI
Email: privacy@actdeskai.com