Privacy Policy

Last updated: May 16, 2026

1. Who we are

RetainAI ("we", "our", "the app") is a Shopify-embedded application that helps merchants recover abandoned checkouts and request product reviews via automated, AI-personalized email. This policy explains what we collect, why, and how it is handled.

2. What we collect from merchants

When you install RetainAI on your Shopify store we receive:

  • Your shop domain (e.g. your-store.myshopify.com)
  • An offline access token granting the scopes you approved
  • Shop name, currency, and contact email
  • Your subscription state with us (plan, billing status)

3. What we collect from your customers

To send the emails the app is built for, we receive the following from Shopify when a checkout is abandoned or an order is fulfilled:

  • Customer email address and name
  • Cart contents (product titles, quantities, prices, images)
  • Order total and currency
  • The Shopify-provided checkout recovery URL

We do not store payment information, full addresses, passwords, or any sensitive personal data beyond what is listed above.

4. How we use this data

  • Generate the body of a recovery or review request email using a Large Language Model (Anthropic Claude). Cart and product data is sent to the model only to personalize the email copy.
  • Deliver those emails via our transactional email provider.
  • Display aggregate stats (carts active, recovered revenue) in your embedded admin dashboard.
  • Enforce plan limits and bill you correctly.

We do not sell, rent, or share customer data with third parties for marketing or any other purpose.

5. Where data is stored

All data is stored in a Supabase (PostgreSQL) database hosted in the United States. Shopify access tokens are encrypted at rest using AES-256-GCM before being written to the database. The application is hosted on Vercel.

6. Sub-processors

We rely on the following service providers to operate the app. Each is bound by its own privacy and security commitments:

  • Shopify — source of all merchant and customer data.
  • Supabase — database hosting.
  • Vercel — application hosting.
  • Anthropic — AI email copy generation (Claude).
  • Resend — transactional email delivery.

7. Retention & deletion

We retain customer email history for as long as the merchant has the app installed, so that recovery and review stats remain accurate. When a merchant uninstalls RetainAI:

  • The store record is flagged uninstalled and no further emails are sent.
  • 48 hours later, Shopify dispatches a shop/redact webhook and we delete the store record and all associated checkout, email, and review-request rows.
  • On a customers/redact webhook, we delete every row tied to that customer's email within the store.
  • On a customers/data_request webhook, the merchant is responsible for fulfilling the data export; the data we hold is limited to that customer's email, name, cart contents, and email history.

8. Your rights

Customers in jurisdictions covered by the GDPR or CCPA may request access to or deletion of their data. Requests should be made to the merchant of the store on which the data was collected; merchants can contact us at privacy@retain-ai.app for assistance.

9. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated by email to installed merchants and reflected in the "last updated" date above.

10. Contact

Questions or concerns? Reach us at privacy@retain-ai.app.