Last updated: March 2, 2026
Effective date: March 2, 2026
1. Who We Are
Cervito ("we", "us", "our") provides an AI-powered shopping assistant for Shopify merchants. This policy covers how we handle data for two types of users:
- Merchants — Shopify store owners who install and configure Cervito through our dashboard.
- Visitors — Shoppers who interact with the Cervito chat widget on a merchant's online store.
2. Data We Collect
2.1 Merchant Account Data
When you create a Cervito account, we collect:
- Email address — used for login, email verification, and account recovery.
- Password — stored as a one-way bcrypt hash (cost factor 12). We never store plaintext passwords.
- Google account ID — if you sign in with Google (we only request your email, not profile data).
2.2 Shopify Store Data
When you connect a Shopify store, we access data through Shopify's authorized OAuth API with these read-only scopes:
| Scope | Data accessed | Purpose |
|---|---|---|
| read_products | Product titles, descriptions, images, prices, variants, availability | Power AI product recommendations in the chat widget |
| read_orders | Order numbers, totals, line items, financial status | Attribute purchases to chat conversations for analytics |
| read_checkouts | Checkout status | Conversion tracking |
| read_customers | Customer information associated with orders | Link visitor sessions to purchases |
We sync product data every 6 hours and in real-time via Shopify webhooks. We only read data — Cervito never modifies your Shopify store.
2.3 Visitor Chat Data
When shoppers use the Cervito widget on a merchant's store, we collect:
- Chat messages — the text of conversations between visitors and the AI assistant.
- Session identifier — a random, non-identifying session ID generated in the browser.
- Interaction events — anonymous actions such as widget opens, product views, and add-to-cart clicks.
What we do NOT collect from visitors:
- IP addresses
- Browser fingerprints or user agents
- Device identifiers
- Geolocation data
- Third-party tracking cookies
2.4 Billing Data
Payments are processed entirely by Stripe. We never see, store, or handle your credit card number or bank details. Stripe provides us with a customer ID and subscription status only.
3. How We Use Your Data
| Data | Use |
|---|---|
| Email address | Authentication, email verification, account notifications |
| Shopify products | AI-powered product recommendations in the chat widget |
| Chat messages | Generate AI responses, power analytics and insights for the merchant |
| Interaction events | Aggregate analytics (conversation counts, conversion rates, product interest) |
| Order data | Revenue attribution — linking purchases to chat conversations |
4. Sub-processors
We engage the following sub-processors to deliver Cervito. Each is contractually bound under its own Data Processing Addendum and, where applicable, Standard Contractual Clauses (SCCs) for international transfers. The canonical list is maintained at /docs/legal/sub-processors, with at least 30 days' notice before any change.
4.1 AI Processing (Anthropic — USA)
Chat messages and the relevant subset of your store catalog are sent to Anthropic's Claude API to generate assistant responses. Anthropic does not use API inputs to train its models (zero-retention per their commercial API terms). See Anthropic privacy policy · DPA.
4.2 Product Embeddings (OpenAI — USA)
Product titles and descriptions from your Shopify catalog are sent to OpenAI's embeddings API to generate the vector index used for semantic search. No personally identifiable information (visitor messages, customer data, order history) is sent to OpenAI — only product content already public on your storefront. See OpenAI privacy · DPA.
4.3 E-Commerce Platform (Shopify — multi-region)
Store data is accessed through Shopify's Admin API under the OAuth scopes listed in Section 2.2. Shopify is the Controller of the underlying data; Cervito is a Processor. See Shopify privacy policy · Shopify DPA.
4.4 Email Delivery (Resend — USA)
Transactional emails to merchants (verification links, daily debriefs, cost-budget alerts) are sent through Resend. Only the merchant's email address and the message content are shared. See Resend privacy · DPA.
4.5 Hosting (Railway — USA)
Application servers and databases are hosted on Railway. All data is encrypted in transit (TLS 1.2+). The database file is encrypted at rest by Railway's managed storage. Shopify access tokens are additionally encrypted at the column level (AES-256-GCM) with a key Cervito controls outside Railway. See Railway privacy · DPA.
4.6 Authentication (Google — multi-region)
If you choose Google sign-in, authentication is handled via Google OAuth. We request only your email address (the openid email scope). No profile data, contacts, or other Google data is accessed.
4.7 Payment Processing (Stripe — currently inactive)
Stripe is NOT currently engaged; Cervito uses bank-transfer invoicing during 2026. When Stripe is reactivated (planned Phase 1: 2026-Q3), merchants will receive 30 days' notice before any payment data is transmitted. See the sub-processor list for status.
4.8 International transfers
Personal data of EU/UK data subjects that is transferred to a sub-processor outside the EEA/UK is governed by the EU Standard Contractual Clauses Module 3 (Processor-to-Processor) signed between Cervito and each non-EU sub-processor. Supplementary safeguards include TLS 1.2+ in transit, AES-256-GCM at rest for Shopify access tokens, and tenant-isolated database queries enforced at the application layer.
Enterprise merchants may request a counter-signed copy of our Data Processing Addendum by emailing privacy@cervito.app.
5. Cookies and Local Storage
Cervito uses a minimal set of functional cookies. We do not use any advertising, tracking, or analytics cookies.
| Name | Type | Duration | Purpose |
|---|---|---|---|
| auth_token | httpOnly cookie | 7 days | Merchant dashboard authentication (JWT) |
| oauth_state | httpOnly cookie | 10 minutes | CSRF protection during Google sign-in |
| shopify_nonce | httpOnly cookie | 10 minutes | CSRF protection during Shopify OAuth |
The chat widget uses browser localStorage (not cookies) to store a random session ID and chat history. This data has a 30-minute expiry and is scoped to the merchant's store domain.
6. Data Security
We implement the following security measures:
- Encryption in transit — all connections use HTTPS/TLS.
- Password hashing — bcrypt with cost factor 12.
- httpOnly cookies — authentication tokens are inaccessible to JavaScript.
- CSRF protection — OAuth flows use cryptographic state tokens.
- Webhook verification — Shopify HMAC and Stripe signature validation on all incoming webhooks.
- Rate limiting — API endpoints are protected against abuse.
- Input validation — all user inputs are validated and sanitized server-side.
- Content Security Policy — CSP headers restrict resource loading on the dashboard.
7. Data Retention
Following EU/GDPR best practice, we apply tiered retention windows that minimize the amount of personal data we hold beyond what's needed to deliver the service:
- Visitor chat transcripts (anonymous) — 90 days from last activity, then auto-pruned.
- Visitor chat transcripts (identified — after email capture) — 365 days from last activity, then auto-pruned. Tied to the identified contact record.
- Identified contact records — retained until the merchant deletes the contact or the merchant's account is terminated. Subject to immediate deletion on customer request via Shopify's customers/redact GDPR webhook (typically within 10 days).
- Merchant accounts — retained while your account is active. You may request deletion at any time. After account termination, all merchant data is deleted from active systems within 60 days and from backups within an additional 30 days.
- API call logs (LLM token + cost metadata, no PII) — 90 days raw, 12 months aggregated for billing reconciliation.
- Security event logs — 180 days for incident investigation.
- Admin audit log — 365 days (records founder-impersonation actions on merchant accounts for accountability).
- Shopify data — product catalog is re-synced every 6 hours. When a store is disconnected or the app is uninstalled, the Shopify access token is revoked. Within 30 days of uninstall, we automatically delete all shop data (products, sessions, contacts, events, campaigns, attribution, coaching notes, debriefs) via the shop/redact GDPR webhook.
- Billing records — retained per legal and accounting requirements (typically 7 years for tax-relevant records).
Merchants may instruct us to apply shorter retention windows by emailing privacy@cervito.app.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — request corrections to inaccurate data.
- Deletion — request that we delete your account and associated data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to data processing in certain circumstances.
To exercise any of these rights, please use our self-service request form. We will verify ownership of the email address before any data is exported or deleted.
For Shopify Store Visitors
If you interacted with the Cervito widget on a merchant's store, you can request a copy of your data or its deletion directly from us through the self-service privacy request form — no merchant intermediation required. We will email a verification link to the address you submit; once you confirm, we will compile and email your data export, or cascade-delete your records across every Cervito-powered store that holds data about your email address. Requests are processed within 30 days as required by GDPR Article 12(3); deletion requests typically complete within minutes of email verification.
Automated GDPR Webhooks (Shopify)
When a customer requests data deletion through Shopify, Shopify notifies us via three mandatory GDPR webhooks:
- customers/data_request — the merchant is notified to compile the customer's data for them (Cervito provides a Contacts page JSON/CSV export for this).
- customers/redact — we automatically cascade-delete the customer's PII from our database (contact record, linked sessions anonymised, orders scrubbed of customer name/email) within 10 days of Shopify's notification.
- shop/redact — if a merchant uninstalls Cervito, we automatically delete ALL data associated with that shop (products, sessions, contacts, events, campaigns, etc.) 48 hours after uninstall.
These webhooks fire server-to-server and are verified with HMAC-SHA256 signatures — no manual action is required from the merchant or customer for deletion to propagate.
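As an added illustration of the verify-then-act pattern described above (example code written for this page, not Cervito's own implementation), the following Python handler checks a Shopify webhook's HMAC-SHA256 signature over the raw request body before dispatching the three mandatory GDPR topics. The header names (X-Shopify-Hmac-Sha256, X-Shopify-Topic) and the base64-encoded digest format follow Shopify's published webhook documentation; the app secret, the tenant data shape and the shop domain are constructed for the example and are not Cervito's schema or credentials.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a real app uses its Shopify client secret.
APP_SECRET = b"example-app-secret-not-real"


def shopify_hmac(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Value Shopify sends in X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(secret, raw body))."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(raw_body: bytes, header_value: str, secret: bytes = APP_SECRET) -> bool:
    """Constant-time check. Always compute over the raw bytes as received, never over
    re-serialised JSON, because any whitespace or key-order change alters the digest."""
    return hmac.compare_digest(shopify_hmac(raw_body, secret), header_value or "")


def signed_request(payload: dict, secret: bytes = APP_SECRET) -> tuple:
    """Helper that plays the Shopify side: returns (raw body, matching HMAC header)."""
    raw = json.dumps(payload).encode("utf-8")
    return raw, shopify_hmac(raw, secret)


def sample_store() -> dict:
    """Constructed tenant data keyed by shop domain (hypothetical shape for the example)."""
    return {
        "demo-store.myshopify.com": {
            "products": ["Blue Hoodie", "Red Cap"],
            "contacts": {"shopper@example.com": {"sessions": ["s1", "s2"], "orders": [1001]}},
            "sessions": {
                "s1": {"email": "shopper@example.com"},
                "s2": {"email": "shopper@example.com"},
                "s3": {"email": None},  # anonymous visitor, untouched by a customer redact
            },
        },
    }


def handle_gdpr_webhook(topic: str, raw_body: bytes, header_value: str, store: dict) -> dict:
    """Reject unsigned or tampered deliveries before parsing; then apply the topic's action."""
    if not verify_webhook(raw_body, header_value):
        return {"status": "rejected", "reason": "bad hmac"}
    payload = json.loads(raw_body)
    domain = payload["shop_domain"]
    shop = store.get(domain)
    if shop is None:
        return {"status": "ignored", "reason": "unknown shop"}

    if topic == "customers/data_request":
        # Shopify's payload carries customer {id, email, phone}; export what we hold for that email.
        email = payload["customer"]["email"]
        return {"status": "export", "data": shop["contacts"].get(email)}

    if topic == "customers/redact":
        email = payload["customer"]["email"]
        contact = shop["contacts"].pop(email, None)
        anonymised = 0
        for session in shop["sessions"].values():
            if session["email"] == email:
                session["email"] = None  # keep the session for aggregate stats, drop the identity
                anonymised += 1
        return {"status": "redacted", "contact_removed": contact is not None,
                "sessions_anonymised": anonymised}

    if topic == "shop/redact":
        store.pop(domain)  # everything for the tenant goes, matching the uninstall path
        return {"status": "shop_deleted"}

    return {"status": "ignored", "reason": "unhandled topic"}


if __name__ == "__main__":
    store = sample_store()
    body, sig = signed_request({"shop_domain": "demo-store.myshopify.com",
                                "customer": {"email": "shopper@example.com"}})
    print(handle_gdpr_webhook("customers/redact", body, sig, store))
    print(handle_gdpr_webhook("customers/redact", body, "not-a-valid-signature", store))
```

The tampered-body case matters most for a defender: a payload whose shop_domain or customer email has been altered after signing fails verification and is never parsed, so a forged redact request cannot delete another tenant's or another customer's records. Because the comparison uses hmac.compare_digest, the check does not leak timing information about how many leading bytes of a guessed signature were correct.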
9. Children's Privacy
Cervito is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For material changes, we will notify merchants via email or dashboard notification.
11. Contact
For privacy questions, data requests, or concerns:
- Email: privacy@cervito.app
- Dashboard: Settings → Account