Legal

Privacy Policy

Last updated: June 29, 2026

Loom Labs AI ("Loom Labs," "we," "us") provides an AI chat widget and merchant intelligence dashboard for Shopify stores (the "Service"). This policy explains what we collect, why, and how merchants and their customers can exercise their rights. It applies to the Loom Labs embedded app, the storefront chat widget, and this marketing site.

1. Information we collect

From merchants: when you install the app, Shopify provides us your store domain, account email, and the access scopes you grant (currently read_products, read_orders, read_legal_policies). We never request access beyond what the Service needs to function.

From your store's customers: when a shopper uses the chat widget, we process the messages they send, an anonymous session identifier, and — only if the shopper provides it (e.g. to look up an order) — their email address or order number.

Usage and billing data: conversation counts, AI-card matches, and per-merchant usage against your plan's quota, used to enforce plan limits and calculate Shopify Billing charges.

2. How we use information

  • Generate chat responses, classify conversations (intent, sentiment, urgency), and evaluate AI Cards.
  • Look up order status and store policies to answer customer questions.
  • Produce the merchant Daily Brief, recommendations, and analytics.
  • Enforce plan quotas and calculate billing through the Shopify Billing API.
  • Operate, secure, and improve the Service, including fraud and abuse prevention.

3. AI processing and sub-processors

To generate chat replies and classifications, message content is sent to one of our AI providers — OpenAI or Google Gemini — through our internal AI Gateway, which selects a provider, retries on failure, and caches responses to limit how much data is sent. We do not use store or customer data to train our own models, and we do not permit our sub-processors to use submitted data to train their general-purpose models beyond their standard API data-usage terms. In local development, an offline mock provider is used and no data leaves your machine.

4. Data storage and security

All merchant and conversation data is stored in Postgres (via Supabase), isolated per merchant with row-level security enforced on every table — one merchant's data is never visible to another, even in the event of an application bug. Data is encrypted in transit. Access to production data is limited to the systems and personnel required to operate the Service.

5. Data sharing

We do not sell personal data. We share data only with: Shopify (as the commerce platform you install Loom Labs on), our AI sub-processors (OpenAI, Google) strictly to generate responses, and infrastructure providers (hosting, database) who process data on our behalf under confidentiality obligations. We disclose data if required by law.

6. Your rights (GDPR / CCPA)

Loom Labs implements Shopify's mandatory compliance webhooks so that data requests and deletions flow automatically: a customer's data export or erasure request to a merchant (customers/data_request, customers/redact) is honored in our systems, and uninstalling the app (shop/redact) erases the merchant's stored data after Shopify's redaction window. Merchants or customers in the EEA, UK, or California may also contact us directly using the details below to request access, correction, or deletion of personal data we hold.

7. Data retention

We retain conversation and usage data for as long as a merchant's account is active, so the dashboard, AI Cards, and analytics remain accurate. Data is deleted or anonymized after uninstall per the redaction window above, or earlier on request.

8. Cookies

This marketing site uses only the cookies strictly necessary for it to function (e.g. remembering that you dismissed a banner). The embedded admin app and storefront widget use session identifiers required for the Service to work; we do not run third-party advertising trackers.

9. Children's privacy

The Service is intended for use by Shopify merchants and their adult customers and is not directed at children. We do not knowingly collect personal data from children.

10. Changes to this policy

We may update this policy as the Service evolves. Material changes will be reflected by updating the date above; continued use of the Service after a change constitutes acceptance.

11. Contact

Questions or requests regarding this policy or your data can be sent to privacy@loomlabs.ai.