Privacy Policy

About This Policy

Madcrow: AI Chat & Support ("Madcrow", "we", "us", or "our") is a Shopify application developed and operated by GlobeCo Technologies Pvt Ltd. This Privacy Policy explains how we collect, use, store, and disclose information when merchants ("Merchants") install and use the Madcrow app on their Shopify store, and when their customers ("End Users" or "Shoppers") interact with the Madcrow chat widget. By installing the app, Merchants accept this policy on behalf of their store and confirm that their use complies with all applicable data protection laws in their jurisdiction.

1. Information We Collect

We collect the following categories of information:

• —Merchant Account Data: Store name, email address, Shopify plan, store URL, and timezone — collected via the Shopify API at installation and kept in sync throughout the subscription.
• —Store Catalogue Data: Product titles, descriptions, pricing, variants, collections, and shop policies — accessed via the Shopify Admin API to ground AI responses in accurate, up-to-date store information.
• —Uploaded Knowledge Base Content: Documents (PDF, DOCX, TXT) uploaded by merchants to the Madcrow dashboard to train the AI assistant on store-specific FAQs, guides, and policies.
• —End User Chat Data: Messages submitted by shoppers to the chat widget, interaction timestamps, session identifiers, and inferred intent. We do not collect shopper names, email addresses, or payment data unless explicitly provided by the shopper within the chat.
• —Order Lookup Data: On plans that support order tracking, we query Shopify for order status using identifiers provided by the shopper (e.g., order number). We do not store raw order records.
• —Technical and Device Data: IP addresses, browser type, operating system, and referral data, collected automatically from both merchant admin sessions and end-user chat sessions for security and debugging purposes.
• —Analytics Data: Aggregated, anonymised metrics about chat volume, resolution rates, and topic distribution — used to provide merchants with actionable performance insights in the dashboard.

2. How We Use Information

We use the information collected for the following purposes:

• —Delivering accurate, context-aware AI responses to shoppers using Retrieval-Augmented Generation (RAG) against the merchant's private knowledge base and store catalogue.
• —Providing merchants with conversation analytics, AI performance metrics, and chat history in the Madcrow dashboard.
• —Processing merchant billing through Shopify's billing API and managing subscription status.
• —Sending merchants important service communications including support responses, feature updates, and billing notices.
• —Detecting and preventing abuse, fraud, and misuse of the service.
• —Improving the reliability and performance of our AI infrastructure at the product level — never using merchant or shopper data to train foundational AI models.

3. Legal Basis for Processing

Where GDPR or similar data protection regulations apply to your customers, we process personal data on the following legal bases:

• —Contract Performance: Data processing required to deliver the chatbot service you have subscribed to.
• —Legitimate Interests: Security monitoring, abuse prevention, and anonymised analytics for product improvement — balanced against your privacy rights.
• —Legal Obligation: Compliance with applicable laws, including Shopify's Partner Programme requirements and applicable tax regulations.
• —Consent: Where shoppers voluntarily provide personal information within the chat interface.

4. Data Isolation and AI Processing

Your store's data is housed in a dedicated, private vector database, separated at the infrastructure level from all other merchants. We apply strict logical and physical separation between merchant accounts. Specifically:

• —No cross-merchant data access: Your product data, uploaded documents, and chat history are never accessible to other merchants or used to generate responses for other stores.
• —No foundational model training: We do not use your data to fine-tune, pre-train, or otherwise improve any AI foundation model for our own or third-party benefit.
• —AI inference providers (such as Google Gemini) receive only the minimum context required to generate a response and are contractually prohibited from retaining or using this data for any other purpose.

5. Shopify Platform Integration

Madcrow operates as a Shopify Partner app subject to Shopify's Partner Programme Agreement and API Terms of Service. As such:

• —We request only the Shopify API permission scopes strictly necessary to provide the service: read_products, read_content, read_orders (for order lookup, on supported plans), and write_script_tags (to embed the chat widget).
• —We do not store raw customer payment card data or full Shopify-issued access tokens beyond active API session requirements.
• —Subscription billing is managed entirely through Shopify's Recurring Application Charge API. We do not process payment card information directly.

6. Third-Party Sub-processors

We engage the following categories of sub-processors to deliver our service:

• —AI Inference (e.g., Google Gemini API): For natural language understanding and response generation. Zero-data-retention agreements are in place where available.
• —Vector Database Infrastructure: For storing and querying merchant knowledge base embeddings. Data is logically partitioned per merchant.
• —Cloud Hosting (AWS and/or GCP): For application hosting, encrypted storage, and logging infrastructure.
• —Internal Analytics: Aggregated, anonymised product analytics only. No personal data is shared with third-party analytics services.

7. Security

We implement the following security measures to protect merchant and end-user data:

• —TLS 1.2+ encryption for all data in transit between the chat widget, our servers, and AI inference providers.
• —AES-256 encryption for all data at rest, including vector embeddings, chat logs, and merchant account records.
• —Role-based access controls ensuring that only authorised personnel can access merchant data, and only for support purposes.
• —Regular penetration testing and vulnerability assessments of our infrastructure.
• —In the event of a confirmed data breach affecting personal data, we will notify affected merchants and relevant regulatory authorities within the timeframes required by applicable law.

8. Data Retention

We retain data for the following periods, after which it is securely deleted:

• —Merchant account data: Retained for the duration of the subscription and for 30 days after uninstallation to allow for re-installation, then deleted unless earlier deletion is requested.
• —Chat logs and conversation data: Retained for the duration of the active subscription to support analytics. Merchants may request deletion at any time via the dashboard or by contacting us.
• —Uploaded knowledge base documents: Retained until deleted by the merchant from the Madcrow dashboard, or upon app uninstallation.
• —Technical and security logs: Retained for up to 90 days.
• —Billing records: Retained for 7 years as required by applicable accounting and tax regulations.

9. Merchant Responsibilities as Data Controller

As a Merchant, you are the data controller of your customers' (End Users') personal data. Madcrow acts as a data processor on your behalf. You are responsible for:

• —Ensuring you have a lawful basis to collect and process your customers' data through the Madcrow chat widget.
• —Maintaining an up-to-date privacy policy on your Shopify store that discloses the use of AI-powered chat tools and how customer messages may be processed.
• —Handling any data subject access, rectification, or deletion requests from your customers that relate to data processed by Madcrow on your behalf.
• —Complying with all consumer protection and data privacy laws applicable in your jurisdiction and the jurisdictions of your customers.

10. Cookies

The Madcrow chat widget places a session cookie in the shopper's browser solely to maintain conversation continuity within a single browsing session. This cookie does not track the shopper across other websites, does not contain personal data, and expires when the browser session ends. No third-party advertising or tracking cookies are set by Madcrow.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, Shopify platform requirements, or applicable law. We will notify merchants of material changes by email at least 14 days before they take effect. Continued use of the Madcrow app after the updated policy takes effect constitutes acceptance. We recommend merchants review and update their own store privacy policies accordingly.