Privacy Policy
Last updated: September 22, 2025
This Privacy Policy explains how Sitewai (“we”, “us”, “our”) collects, uses, and protects information when merchants use our dashboard and when AI assistants interact with merchant storefronts that publish Sitewai metadata. This document is informational and not legal advice.
1) Scope
- Merchants: Store owners who connect a Shopify or WooCommerce shop to Sitewai and paste discovery tags in their theme.
- Assistants/Agents: Automated clients that read discovery tags, product sitemaps, and (with merchant permission) call the draft-only checkout endpoint.
- Shoppers: End customers of the merchant. Sitewai never processes payment information; the customer pays on the merchant’s checkout.
2) Information We Process
2.1 Merchant Account
- Profile data: name, email.
- Authentication data: password hash (never the raw password), sessions, and login timestamps.
- Support/communications you send us.
2.2 Store & Catalog
- Store identifiers: domain (including sub-paths if applicable), platform type, shop name, basic settings.
- Catalog: product titles, descriptions, images, prices, variant attributes and IDs needed for checkout. This is sourced from your platform’s APIs.
2.3 Integration Credentials
- Shopify: Admin API access token; optional API version.
- WooCommerce: REST API consumer key/secret; base URL.
- Storage: credentials are stored server-side, encrypted at rest, and never exposed to the client browser or discovery tags.
2.4 Checkout Intents (Draft-only)
When an assistant asks to create a draft/pending order, we may store the following to generate the invoice URL and help merchants track activity:
- Product and variant IDs, quantity.
- Customer email (required), optional name and shipping fields provided by the agent.
- Platform order reference (e.g., Shopify Draft Order ID), payment URL, and timestamps.
- Flags such as whether an invoice email was sent using the merchant’s SMTP settings.
We do not process card data. Payments occur on the merchant’s checkout domain.
2.5 Technical & Safety Signals
- Server logs (timestamps, IP addresses, user-agent, response codes).
- Idempotency keys for safe retries (not personally identifying).
- Rate-limit counters and abuse-guard signals to protect platforms and merchants.
3) How We Use Information
- Provide the dashboard and per-domain product sitemap.
- Create draft/pending orders when asked by an assistant (with merchant configuration in place).
- Operate safety features: idempotency, rate limiting, and normalized error responses.
- Monitor sync jobs and latency to keep feeds fresh and debuggable.
- Comply with legal obligations, enforce terms, and protect against abuse.
4) Sharing
- Service providers: Hosting, email delivery (if configured), and analytics. Providers are contractually bound to process data on our behalf.
- Merchants: Checkout-intent data is visible to the merchant who owns the domain.
- Legal: We may disclose information if required by law or to protect rights, privacy, and safety.
- No selling of personal data.
5) Cookies & Similar Technologies
- Dashboard: Session cookies for authentication and essential functionality.
- Public docs/marketing: Minimal cookies; we avoid unnecessary trackers by default.
6) Data Retention
- Merchant account: retained while the account is active, then deleted or anonymized within 90 days.
- Catalog & sync logs: typically 30–90 days of operational logs; product data persists while connected.
- Checkout intents: retained for auditability (e.g., 12 months) or as required by law/merchant requests.
- Security logs and rate-limit counters: short-lived (e.g., 30–60 days) unless needed for investigations.
7) Security
- TLS in transit; encryption at rest for credentials and sensitive fields.
- Secrets stored in environment variables or key vaults; least-privilege access controls.
- Audit trails for privileged operations and periodic review of access.
8) International Transfers
Data may be processed in the country where we or our providers operate. Where required, we rely on appropriate safeguards for international data transfers.
9) Your Rights
Depending on your location (e.g., GDPR, CCPA/CPRA), you may have rights to access, correct, export, or delete your personal information, or object to/limit certain processing. To exercise rights, contact us at ops@sitewai.com. We may need to verify your identity and ownership of the relevant account or domain.
10) Children
Our services are not directed to children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children.
11) Third-Party Links
Merchant storefronts and assistants may link to third-party sites. Their privacy practices are governed by their own policies.
12) Changes to This Policy
We may update this Privacy Policy from time to time. We will revise the “Last updated” date and, where appropriate, provide additional notice.
13) Contact
For questions or requests, email ops@sitewai.com.