Privacy Policy
Vorena — AI-powered product recommendations for Shopify
Last updated: June 19, 2026
1. Who we are
Vorena (“Vorena,” “we,” “us,” or “our”) provides an AI chat and product-recommendation widget that Shopify merchants install on their storefronts. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have over it.
We act as a data processor on behalf of the merchant (who is the data controller / Data Fiduciary) for shopper data processed through the widget, and as a data controller for the merchant account data we collect to operate our service.
2. Information we collect
2.1 Merchant (store owner) data
- Shopify store domain, shop ID, store name and contact email.
- Account, onboarding and widget-configuration settings you enter.
- Billing plan and usage metrics (e.g. number of conversations).
- Shopify OAuth access tokens, stored encrypted and used only to call Shopify APIs on your behalf.
2.2 Storefront (shopper) data
- Chat messages a shopper sends to the widget, and the assistant responses returned.
- Conversation context such as the product being viewed, cart token, session identifiers and approximate locale/language.
- Technical metadata: timestamps, browser/user-agent, and event analytics (e.g. widget opened, message sent, recommendation clicked).
We do not ask shoppers for, and instruct merchants not to solicit, sensitive personal data (payment card numbers, government IDs, health information, etc.) through the chat.
2.3 Product catalog data
- Product titles, descriptions, images, variants, prices and metadata synced from the merchant’s Shopify store to power and enrich recommendations.
3. AI / LLM processing
Vorena’s core feature is conversational AI. To generate replies and recommendations, we send the shopper’s chat messages together with relevant product-catalog context and conversation history to third-party large language model (LLM) providers (such as Anthropic and OpenAI) via their APIs.
- We send only the data needed to answer the shopper’s question — message text, product context and limited session metadata.
- We do not send shopper names, email addresses or payment details to LLM providers as part of normal operation.
- Our LLM providers process this data under their API terms and do not use it to train their models. Inputs and outputs may be retained by the provider for a limited period for abuse monitoring, then deleted, per their published policies.
- AI responses can be imperfect. Recommendations are suggestions only and should not be relied upon as professional advice.
4. How we use information
- To provide, operate and improve the chat and recommendation service.
- To generate AI responses and product recommendations.
- To sync and enrich the merchant’s product catalog.
- To produce aggregated analytics and usage reporting for merchants.
- To meter usage for billing and enforce plan limits.
- To provide support, prevent abuse and maintain security.
- To comply with legal obligations.
We do not sell personal data and we do not use shopper chat content for advertising.
5. Legal bases for processing
Where GDPR or DPDP applies, we rely on the following bases:
- Contract — to deliver the service the merchant has subscribed to.
- Legitimate interests — to secure, maintain and improve the service.
- Consent — where required (e.g. certain cookies or analytics), obtained by the merchant from the shopper.
- Legal obligation — to meet our compliance duties.
6. Sharing and sub-processors
We share data only with service providers that help us run Vorena:
- Shopify — the platform the widget integrates with.
- Supabase — database, authentication and backend (data hosting).
- Vercel — application and widget hosting / CDN.
- LLM providers (Anthropic, OpenAI) — AI response generation (see Section 3).
Each sub-processor is bound by contractual data-protection terms. We may also disclose data where required by law or to protect our legal rights.
7. International transfers
Your data may be processed in countries other than your own, including the United States. Where required, such transfers are covered by appropriate safeguards (e.g. Standard Contractual Clauses) or equivalent mechanisms recognised under applicable law including the GDPR and India’s DPDP Act.
8. Data retention
- Conversation and analytics data is retained while your account is active and for a limited period thereafter, then deleted or anonymised.
- Merchant account data is retained for the life of the account and deleted on uninstall/closure, subject to legal retention needs.
- We honour Shopify’s mandatory compliance webhooks for
customers/data_request,customers/redactandshop/redact.
9. Your rights
Depending on your jurisdiction (GDPR / EU & UK, India’s DPDP Act, CCPA/CPRA in California, and similar laws), you may have the right to:
- Access, correct or update your personal data.
- Request deletion (“right to be forgotten”).
- Restrict or object to certain processing.
- Data portability.
- Withdraw consent at any time.
- Nominate a representative (DPDP) and lodge a complaint with a regulator.
Shoppers should direct requests to the merchant whose store they used (the controller). Merchants and individuals can also contact us at hello@vorena.ai and we will respond within the timeframes required by applicable law.
10. Security
We apply industry-standard safeguards including encryption in transit (TLS), encryption of stored access tokens, row-level access controls, and least-privilege access to production systems. No method of transmission or storage is completely secure, but we work to protect your data and to notify affected parties of breaches as required by law.
11. Children's privacy
Vorena is not directed to children. We do not knowingly collect personal data from individuals under the age of 18 (or the relevant age of digital consent in your jurisdiction). Under the DPDP Act, processing of children’s data requires verifiable parental consent, which is the responsibility of the merchant.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date above and, where appropriate, by notifying merchants.
13. Contact us
For privacy questions or to exercise your rights, contact our privacy team: