Privacy Policy

Assistant Intelligence (“we”, “our”, or “us”) provides an AI-powered e-commerce chat widget that allows merchants to embed a conversational assistant on their online stores (the “Service”). This Privacy Policy explains what information we collect, how we use it, and your rights in relation to that information.

By using our Service — whether as a merchant or as a shopper interacting with a widget — you acknowledge that you have read and understood this policy.

This policy applies to two groups of people:

• Merchants: businesses and individuals who register for an Assistant Intelligence account, create stores, and embed our widget on their websites.
• End users (shoppers):visitors to a merchant's website who interact with the chat widget.

3.1 Information from Merchants

When you register as a merchant, we collect:

• Email address and hashed password (for account authentication).
• Store name and configuration details you provide during setup.
• API keys generated to authenticate your widget (stored as hashes — we never retain the raw key after initial display).
• Product catalogue data you upload (used solely to power the chat assistant for your store).

3.2 Information from Chat Sessions

When a shopper interacts with the chat widget on a merchant's site, we collect:

• The text of the chat messages sent during the session.
• Conversation history within the active session, used to provide contextually accurate answers.

We do not collect names, email addresses, IP addresses, device identifiers, or any other personal information from shoppers unless a shopper voluntarily includes such information in their chat messages.

3.3 Information We Do Not Collect

We do not collect, and have no interest in collecting:

• Payment or financial information of any kind.
• Cookies or tracking data from shoppers browsing merchant websites.
• Behavioural, advertising, or analytics profiles.
• Any data beyond what is strictly necessary to deliver the Service.

We use the information we collect exclusively to provide and improve the Service:

• To authenticate merchant accounts and secure access via API keys and JWT tokens.
• To power the AI chat assistant by matching shopper questions to the merchant's product catalogue using vector search.
• To log conversation history so merchants can review past chat interactions from their dashboard.
• To enforce rate limits and detect abuse of the API.
• To send transactional communications to merchants (e.g., account creation confirmation, key rotation notices).

We do not use your data for advertising, profiling, or any purpose unrelated to operating the Service.

We do not sell, rent, or trade any personal data. We share information only in the following limited circumstances:

• Service providers: We use third-party infrastructure providers (including Railway for hosting and Vercel for frontend delivery) who process data on our behalf under appropriate data processing agreements. These providers do not have permission to use your data for their own purposes.
• AI processing: Chat messages are sent to our AI inference provider (currently Groq) to generate responses. Messages are processed transiently and are not retained by the provider for training purposes beyond their stated terms.
• Legal obligations: We may disclose information if required to do so by applicable law, court order, or regulatory authority.
• Business transfers: In the event of a merger, acquisition, or sale of assets, data may be transferred to the successor entity, subject to equivalent privacy protections.

We retain data only as long as necessary:

• Merchant account data is retained for as long as the account is active. Upon account deletion, we will delete your data within 30 days, except where retention is required by law.
• Conversation logs are retained until deleted by the merchant from their dashboard, or upon account deletion.
• Product catalogue data is retained until the merchant deletes it or closes their account.

We take reasonable and appropriate technical measures to protect your data, including:

• Passwords are stored as bcrypt hashes — never in plaintext.
• API keys are stored as SHA-256 hashes and are shown to merchants only once at creation.
• All data in transit is encrypted via HTTPS/TLS.
• Access tokens are short-lived JWTs with limited scope; refresh tokens rotate on every use.
• Per-key rate limiting is applied to prevent abuse.

No system is completely secure. If you believe your account has been compromised, please contact us immediately so we can revoke and rotate your credentials.

Depending on where you are located, you may have rights under applicable law (including GDPR, POPIA, CCPA, and similar frameworks) to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data (subject to legal retention requirements).
• Object to or restrict certain types of processing.
• Receive a copy of your data in a portable format.

To exercise any of these rights, please contact us using the details in Section 12. We will respond within a reasonable timeframe and in accordance with applicable law. We do not discriminate against anyone for exercising their privacy rights.

Assistant Intelligence is a global service. Data you provide may be processed in countries other than your own. Where data is transferred outside your jurisdiction, we take steps to ensure appropriate protections are in place, including reliance on standard contractual clauses or equivalent mechanisms recognised under applicable law.

The Service is not directed at children under the age of 13 (or a higher age threshold where required by local law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

We may update this Privacy Policy from time to time. When we do, we will revise the Effective Date at the top of this document. If changes are material, we will notify merchants by email or via an in-dashboard notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.