Privacy Policy

Last updated: April 30, 2026

1. Introduction

This Privacy Policy explains how Cortimo ("we", "us", "our") collects, uses, stores, and protects personal data when merchants and their end-customers interact with the Cortimo service, including the Cortimo AI Chat & Support app available on the Shopify App Store.

We act as a data processor for personal data merchants' customers share with us through the Cortimo chat widget on the merchant's storefront, and as a data controller for personal data we collect about merchants who sign up for and operate the Cortimo service.

2. Who We Are

Cortimo is the data controller responsible for personal data processed under this policy. Contact: [email protected].

3. Data We Collect

3.1. Merchant data (about you, the merchant)

  • Account information: email address, name, password hash, contact email
  • Store information: Shopify store domain, store name, OAuth access tokens we use to call the Shopify Admin API on your behalf
  • Subscription and billing metadata (current plan, message usage counts) — payment details themselves are processed by Shopify Billing and never reach us
  • Configuration and content you upload: agent prompts, store policies, custom suggestions

3.2. Customer data (about your store's visitors and customers)

When a customer interacts with the Cortimo chat widget on your storefront, we may receive:

  • Customer email and first name, where Shopify provides them via the embedded widget tag (used to look up the customer's orders)
  • Chat content: messages typed by the customer and responses generated by Cortimo
  • Order metadata: order numbers, items, prices, fulfillment status, tracking numbers — only when retrieved on the customer's behalf to answer their query
  • Browser-detected language and timezone, used to localize the response

3.3. Technical data

  • IP addresses (truncated where feasible) and request timestamps in our server access logs
  • Browser user-agent strings
  • Session identifiers used to maintain conversation context within a single chat

4. How We Use Data

  • To provide the Cortimo service: answering customer questions, looking up orders, processing self-service refunds/returns/cancellations, and routing escalations to your support team
  • To operate, debug, and secure the service (logs, abuse detection, rate-limit enforcement)
  • To communicate with you about your account, billing, security incidents, and product changes
  • To comply with legal obligations

We do not sell personal data, and we do not use merchant data or customer data to train, fine-tune, or improve any machine-learning models — our own or third parties' — except where we have your explicit written consent or Shopify's prior written consent (per Section 9.15 of the Shopify Partner Program Agreement).

5. AI Processing and Providers

Cortimo uses third-party large-language-model (LLM) and embedding providers to generate responses and search across your store's policies. The current providers are:

  • Mistral AI (Paris, France) — primary LLM for chat responses, language detection, and intent classification
  • OpenAI (San Francisco, USA) — alternative LLM, used per merchant configuration
  • Voyage AI (Palo Alto, USA) — text embedding generation for semantic search across store policies

We send each provider only what is necessary to fulfill the immediate request: the customer's message, the agent's system prompt, and any tool-call results required to answer. The providers process this content under their standard API terms, which prohibit them from using API inputs to train their models.

6. Where We Store Data

  • Primary infrastructure: Hetzner Cloud datacenter in Nuremberg, Germany. PostgreSQL and vector data (Qdrant) are stored on encrypted infrastructure-level disks.
  • Edge / DNS / WAF: Cloudflare (global edge network)
  • Backups: retained on the same infrastructure region; encrypted backups also held at rest in Cloudflare R2

7. Data Retention

  • Chat sessions and conversation content: 90 days, then deleted automatically
  • Server access and audit logs: 30 days
  • Account, configuration, and integration data: kept for the duration of your subscription, then deleted within 30 days of confirmed account closure
  • Tax and financial records: retained for the period required by applicable law (typically 6–7 years)
  • On Shopify app uninstall, we automatically purge merchant configuration, agent definitions, RAG collections, and integration records within 24 hours, except where retention is required by law

8. Sharing with Third Parties

We share data only with the providers listed below, each acting as a sub-processor:

  • Shopify (the platform on which your store operates)
  • Mistral AI, OpenAI, Voyage AI (LLM and embedding services — see Section 5)
  • Hetzner Online (hosting infrastructure)
  • Cloudflare (DNS, CDN, WAF, R2 storage)
  • Email provider for transactional notifications (SMTP via configured ESP)

We do not share personal data for advertising or analytics purposes with any other parties.

9. Your Rights

9.1. GDPR rights (EU/EEA/UK residents)

  • Access: request a copy of your personal data
  • Rectification: ask us to correct inaccurate data
  • Erasure ("right to be forgotten"): ask us to delete your data
  • Restriction: limit how we process your data
  • Portability: receive your data in a machine-readable format
  • Object: object to processing based on legitimate interests
  • Right not to be subject to automated decision-making with legal or similarly significant effects — Cortimo's automated actions (e.g., refund preview) always require explicit customer confirmation, and customers can request a live agent at any point
  • Right to lodge a complaint with your local data protection authority

9.2. CCPA rights (California residents)

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information we have collected
  • Right to opt-out of the sale of personal information — we do not sell personal information; this right is therefore satisfied by default
  • Right to non-discrimination for exercising any of the above

9.3. How to exercise your rights

Email [email protected] with your request. We respond within 30 days. If you are an end-customer of a Shopify merchant using Cortimo, you may also contact the merchant directly — they are the primary controller of your data.

10. Shopify-Specific Data Subject Webhooks

As required by Shopify, we implement and respond to the following mandatory Shopify webhooks:

  • customers/data_request — when a Shopify customer requests a copy of their data, we return any data we hold for that customer to the merchant within 30 days
  • customers/redact — when a customer requests deletion or 10 days have passed since their account was deleted, we permanently erase all data we hold about that customer
  • shop/redact — 48 hours after a merchant uninstalls Cortimo, we permanently erase all data we hold for that shop

11. AI Training Restriction

In accordance with Section 9.15 of the Shopify Partner Program Agreement, we do not use, and do not enable any third party to use, Merchant Data or Customer Data — including any anonymized, aggregated, or derived form — to create, develop, train, fine-tune, or improve any machine-learning or artificial-intelligence systems, models, or technologies, including large language models, except with: (a) Shopify's prior written consent, or (b) the relevant merchant's prior written consent.

12. Cookies

See our Cookie Policy for details on how we use cookies and local storage. The Cortimo chat widget uses a session identifier to maintain conversation context across page navigations within a single browsing session.

13. Security

We protect personal data through:

  • HTTPS / TLS for all network traffic
  • Infrastructure-level disk encryption
  • SSH-key-only access to production servers; no shared credentials
  • Audit logging of access to customer data
  • A documented security incident response policy
  • Principle of least privilege for staff access

No system is 100% secure; if you suspect a security issue please email [email protected].

14. Data Breach Notification

In the event of a personal data breach affecting your data, we will notify affected merchants within 72 hours of becoming aware (per GDPR Article 33), and notify Shopify Trust & Safety as required by the Shopify Partner Program Agreement. Affected end-customers will be notified through the merchant where the merchant is the controller, or directly where we are the controller, in accordance with applicable law.

15. International Transfers

Personal data is stored in the European Union (Germany). Some sub-processors (OpenAI, Voyage AI, Cloudflare) operate in the United States. Where personal data is transferred outside the EEA, the transfer is protected by Standard Contractual Clauses or an equivalent safeguard recognized under GDPR Article 46.

16. Children's Privacy

Cortimo is not intended for use by children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.

17. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated to registered merchants by email or in the Cortimo dashboard. Continued use of the service after the effective date constitutes acceptance of the updated policy.

18. Contact

Questions, requests, or complaints: [email protected].