Privacy Policy - ecAgent

← Back to ecAgent

Effective Date: November 4, 2025
Last Updated: November 4, 2025

This Privacy Policy describes how ecAgent ("we", "us", or "our") collects, uses, and shares your personal information when you use our AI-powered commerce assistant service ("Service").

1. Information We Collect

1.1 Information You Provide

Account Information: Username, email address, and encrypted password when you create an account
Shopify Store Information: Store domain, access tokens (encrypted), and store metadata when you connect via OAuth
Conversation Data: Chat messages, voice commands, and AI interactions with our service
Store Operations: Product searches, price updates, inventory changes, and other actions you perform through ecAgent

1.2 Information We Collect Automatically

Usage Data: Pages visited, features used, time spent, interaction patterns
Device Information: IP address, browser type, operating system, device identifiers
Cookies and Session Data: Session identifiers, authentication tokens, preferences
Log Data: Request timestamps, API calls, error logs, performance metrics

1.3 Information from Third Parties

Shopify API Data: Product catalogs, inventory levels, customer data (if granted permissions), order information
OAuth Providers: Authentication data from Shopify OAuth flow

2. How We Use Your Information

We use your information for the following purposes:

Provide the Service: Enable AI-powered store management, process your commands, execute operations
Improve AI Performance: Train and improve our AI models for better accuracy and functionality
Account Management: Create and maintain your account, authenticate users, manage subscriptions
Communication: Send service updates, feature announcements, billing notifications, support responses
Security: Detect and prevent fraud, abuse, security threats, and unauthorized access
Analytics: Understand usage patterns (anonymized), measure performance, identify improvement opportunities, optimize AI responses
Legal Compliance: Comply with applicable laws, regulations, and legal processes

3. How We Share Your Information

We do NOT sell your personal information. We share information only in these limited circumstances:

3.1 Service Providers

AI Providers: Anthropic (Claude AI) for natural language processing - conversation data only
Voice Processing: DeepInfra (OpenAI Whisper) for audio transcription - audio files only
Infrastructure: Heroku (hosting), PostgreSQL (database), Redis (caching) - encrypted data storage
Payment Processing: Stripe (for ecAgent Pro) and Shopify Billing API (for App Store version)

3.2 Shopify Integration

We access your Shopify store data via OAuth with permissions you explicitly grant. We use this data solely to provide the Service and do not share it with third parties except as required to operate the Service.

3.3 Legal Requirements

We may disclose information if required by law, court order, subpoena, or to protect our rights, property, or safety, or that of our users or the public.

3.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity, subject to this Privacy Policy.

4. Data Security

We implement industry-standard security measures to protect your data:

Encryption: HTTPS/TLS for all data in transit, AES-256 for sensitive data at rest
Access Controls: Role-based access, multi-factor authentication for admin accounts
Token Security: Shopify access tokens encrypted before storage, never logged or exposed
Session Management: Secure session cookies with httponly, secure, and samesite flags
CSRF Protection: State parameter validation via Redis for OAuth flows
HMAC Validation: All OAuth and webhook requests validated for authenticity
Regular Updates: Security patches applied promptly, dependencies kept up-to-date

However, no method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

5. Data Retention

Account Data: Retained while your account is active
Conversation History: Retained for 90 days by default, automatically cleaned up via background scheduler
Store Connection Data: Retained while OAuth connection is active
Logs and Analytics: Retained for 30 days for operational purposes
Upon Account Deletion: All personal data deleted within 30 days, except as required by law

6. Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights:

6.1 Access and Portability

Request a copy of your personal data
Export your conversation history and store data
Receive data in a structured, machine-readable format

6.2 Correction and Deletion

Update or correct your account information
Request deletion of your account and associated data
Disconnect your Shopify store and delete OAuth tokens

6.3 Consent and Objection

Withdraw consent for data processing (where applicable)
Object to certain types of processing
Opt out of marketing communications

6.4 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@ecagent.ai. We will respond within 30 days.

7. Cookies and Tracking

7.1 Essential Cookies

session_id: Authentication and session management (7-day expiration)
csrf_token: CSRF protection for form submissions

7.2 Analytics Cookies

Usage Analytics: Anonymized usage patterns, feature adoption, performance metrics
Product Improvement: Help us understand how users interact with ecAgent to improve UX and features
No Personal Identifiers: Analytics data is aggregated and anonymized - we cannot identify individual users

Analytics help us make ecAgent better for everyone. Data is anonymized before analysis and never sold to third parties.

7.3 Cookie Controls

You can control cookies through your browser settings, but disabling essential cookies may prevent you from using the Service.

8. Third-Party Services

Our Service integrates with third-party platforms:

Shopify: Subject to Shopify's Privacy Policy
Anthropic (Claude AI): Subject to Anthropic's Privacy Policy
Stripe: Subject to Stripe's Privacy Policy

We are not responsible for the privacy practices of these third parties.

9. International Data Transfers

Your data may be transferred to and processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with all service providers
Compliance with GDPR requirements for cross-border data transfers

10. Children's Privacy

Our Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. For material changes, we will notify you via email or prominent notice in the Service.

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

12. Data Processing Addendum (For Merchants)

When you connect your Shopify store, we act as a data processor on your behalf for customer data. We commit to:

Process data only as instructed by you (the data controller)
Implement appropriate security measures
Assist with data subject requests (access, deletion, etc.)
Delete or return data upon termination of service
Comply with GDPR, CCPA, and other applicable data protection laws

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@ecagent.ai
Support: support@ecagent.ai
Website: https://ecagent.ai

Data Protection Officer (DPO): dpo@ecagent.ai

We will respond to all requests within 30 days.