Back to Home

Privacy Policy

Last updated: June 4, 2026

1. Introduction

This Privacy Policy describes how Swishy (the “Application”) processes data in connection with its use by Shopify merchants (“Merchant”). Swishy is a software tool integrated into Shopify stores via Shopify APIs. Depending on the type of data processed:

  • The Merchant acts as the data controller of its customers’ personal data.
  • Dmytro Popov acts as a data processor solely for the purpose of providing the Application.

The Provider does not determine the purposes or means of processing customer personal data and does not independently control such data. Personal Data means any information relating to an identified or identifiable natural person as defined under applicable data protection laws. The parties enter into a Data Processing Agreement, which applies automatically on installation of the Application and governs the processing of customer personal data.

2. Categories of Data Processed

2.1 Shopify Event Data

The Application may process technical Shopify events exclusively through authorised Shopify APIs, including but not limited to: page_viewed, collection_viewed, search_submitted, product_viewed, product_added_to_cart, product_removed_from_cart, cart_viewed, checkout_started, checkout_completed, checkout_shipping_info_submitted, checkout_address_info_submitted, checkout_contact_info_submitted, and payment_info_submitted.

2.2 Swishy Custom Events

The Application may generate and process custom technical events, including swishy_agent_session_started, swishy_agent_interaction, and swishy_agent_product_recommended. These events are processed for analytics, product performance measurement, and service improvement.

2.3 Chat Interaction Data

The Application stores chat interaction history between end users and the AI agent within session scope. Chat history:

  • is stored without direct identifiers and is not linked to identifiable customer accounts;
  • is not linked to identifiable customer profiles;
  • is not used for independent profiling.

However, end users may voluntarily submit personal information within chat messages. In such cases, the data is processed solely for the purpose of generating a contextual response.

2.4 Merchant Data

The Application may process the following Merchant-related data: store name, product identifiers, product descriptions, and content imported from social media platforms upon Merchant authorisation.

2.5 Order and Support Data

Where the Merchant enables the Application’s customer-support functionality, the Application processes order-related data through authorised Shopify APIs solely to answer an end user’s own support enquiry (such as order tracking, order status, cancellations, refunds, and returns). This data may include:

  • order identifiers, order numbers, line items, totals, and fulfilment and tracking status;
  • the customer email address associated with the order, used only to verify that the end user is entitled to view or act on that order;
  • a one-time verification code, stored only as a non-reversible hash, used to confirm the end user before any order action is taken.

Order and support data is processed only on the end user’s own request, only to handle that request, and is not used for profiling, marketing, or any purpose beyond resolving the enquiry. The customer email address is removed from the Application’s support records once the support interaction is closed and the applicable retention period has elapsed (see Section 7).

3. Use of Artificial Intelligence

The Application may utilise third-party artificial intelligence and automated processing systems for the purpose of generating contextual, informational, and product-related responses within the Merchant’s store. In order to enable such functionality, certain inputs may be transmitted to authorised AI service providers. These inputs may include:

  • text messages voluntarily submitted by end users;
  • technical session identifiers;
  • non-identifiable contextual data related to the product page;
  • limited metadata necessary to generate a relevant response.

Such data is transmitted strictly for the purpose of processing and generating a response in real time and in accordance with the Merchant’s instructions. The Provider implements data minimisation measures designed to limit the scope of information transmitted to what is reasonably necessary for the functionality of the Application. The Provider does not sell personal data to third parties, use end user data for independent commercial exploitation, engage in autonomous behavioural profiling outside the Merchant’s store environment, or combine data across different Merchant accounts for cross-site profiling. The Application does not carry out solely automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR. Where the support functionality can act on an order at the end user’s request (for example a cancellation, refund, or return), such an action is never executed by the AI alone: the end user must first confirm their identity with a one-time verification code, and the action is then carried out by the Provider’s systems against the Merchant’s store. An end user who does not wish to proceed in this way can decline verification at any time and be directed to the Merchant’s human support, ensuring meaningful human involvement remains available.

4. Legal Bases for Processing

UK and European Union

Where the GDPR or the UK GDPR applies, the legal bases include:

  • Performance of a contract: Processing is necessary for the performance of the agreement between the Provider and the Merchant.
  • Legitimate interests: Processing is necessary for improving functionality, ensuring security, and analysing service performance.
  • Consent: Where required, consent is obtained and managed by the Merchant as the data controller.

United States

For users located in the United States, personal data is processed as necessary to provide the Application, for legitimate business purposes, and in compliance with applicable state privacy laws (including CCPA). The Provider does not sell personal information.

5. International Data Transfers

Personal data may be transferred to, stored in, or accessed from jurisdictions outside the EU/UK, including the United States. The Provider implements appropriate safeguards, such as Standard Contractual Clauses (SCCs) or the UK IDTA, to ensure a level of protection equivalent to that guaranteed under applicable data protection laws.

6. Subprocessors

The Provider may engage third-party subprocessors for cloud infrastructure, AI services, monitoring, and support. The Provider selects subprocessors with due care and ensures that written agreements are in place with appropriate data protection obligations.

7. Data Retention

Chat interaction history and technical event data are retained only for as long as necessary, and in any event for no longer than twelve (12) months from the date of collection, unless a longer retention period is required or permitted under applicable law for legal compliance or security monitoring.

Order and support data (Section 2.5) is subject to shorter, purpose-bound retention periods. Verification records used to confirm an end user are deleted shortly after the verification flow completes; the customer email address held in support records is removed once the related support interaction has been closed for a defined period, after which only non-identifying outcome information is retained for the Merchant’s reporting. In all cases, where the Merchant or an end user exercises a deletion request through Shopify, the associated personal data is deleted in accordance with the Provider’s obligations.