Legal

Privacy Policy

Effective 2026-04-14 (v1.0). Contact privacy@palup.ai for questions or GDPR/CCPA requests.

Summary

PalUp is an AI sales agent that embeds on Shopify stores. This policy explains what data we collect from merchants and their shoppers, how we store and protect it, and the rights you have over your data. If you're a Shopify merchant's customer, your privacy is primarily governed by that merchant's own privacy policy — this policy covers PalUp's processing as a service provider.

Data We Collect from Merchants

When a merchant installs PalUp, we access Shopify store data through the Shopify Admin API under the scopes the merchant authorizes: product catalog, inventory, order history, shop metadata, and customer information. We also collect merchant-provided settings (VoiceDNA, guardrails, brand preferences). We do NOT collect payment card details.

Data We Collect from Shoppers

For each conversation a shopper has with PalUp, we collect: conversation transcripts, page URLs visited, session fingerprint (non-PII hash of browser + device signals), and — if the shopper converts — the resulting Shopify order ID for attribution. We do not collect shopper email addresses or names unless provided by the shopper during the conversation.

Protected Customer Data (Shopify)

PalUp accesses Protected Customer Data at the Advanced level. This level is required for PalUp to personalize recommendations and close sales. Merchants can review and revoke access at any time through the Shopify admin.

Legal Basis for Processing (GDPR)

  • Contract performance (Art. 6(1)(b)) — providing the AI sales agent service to merchants who have installed PalUp.
  • Legitimate interests (Art. 6(1)(f)) — fraud prevention, service improvement, and aggregated analytics that do not identify individuals.
  • Consent (Art. 6(1)(a)) — where a shopper voluntarily provides personal information during a conversation.
  • Legal obligation (Art. 6(1)(c)) — retention of financial/attribution data for tax compliance.

How Data Is Stored

All data is encrypted at rest in Google Cloud SQL. Row-level security enforces tenant isolation — no merchant can access another merchant's data. Data is stored in the United States (us-central1), and for EU-resident data we rely on Standard Contractual Clauses (SCCs) for any cross-border transfer.

Data Sharing and Subprocessors

We do not sell your data. We use the following subprocessors, each bound by published Data Processing Agreements: Anthropic (Claude API for AI responses), Google Vertex AI (Gemini for language processing), and Google Cloud Platform (infrastructure). The current subprocessor list is published at palup.ai/subprocessors and updated when we add or remove vendors.

Your GDPR Rights

  • Right of access — request a copy of your data. 30-day response.
  • Right to rectification — correct inaccurate data.
  • Right to erasure — request deletion of your data.
  • Right to restrict processing — limit how we use your data.
  • Right to data portability — receive your data in a machine-readable format.
  • Right to object — opt out of processing based on legitimate interests.
  • Right to withdraw consent — revoke previously given consent at any time.
  • Requests: privacy@palup.ai.

Your CCPA Rights (California Residents)

  • Right to Know — what categories of personal information we collect, the business purposes, and who we share it with. 45-day response.
  • Right to Delete — request deletion of your personal information.
  • Right to Opt-Out of Sale — we do NOT sell personal information. A 'Do Not Sell My Personal Information' link is available at palup.ai/do-not-sell.
  • Right to Non-Discrimination — equal service regardless of privacy choices.
  • Requests: privacy@palup.ai.

Shopify GDPR Mandatory Webhooks

When a merchant (or their customer via the merchant) exercises GDPR rights through Shopify, Shopify sends PalUp one of three mandatory webhooks. PalUp processes each within 30 days.

  • customers/data_request — we provide all conversation data and derived profile information held on that customer.
  • customers/redact — we delete all conversation transcripts, derived profile data, and identifiable information tied to that customer. Aggregated analytics are anonymized.
  • shop/redact — fires 48 hours after a merchant uninstalls PalUp. We delete all data tied to that shop — conversations, customer profiles, attribution records, and any derived analytics — within 30 days of receipt.

Data Retention

Merchant data and shopper conversation data are retained while the merchant has PalUp installed, up to a maximum of 2 years for conversation transcripts. If a merchant uninstalls PalUp, all data tied to that shop is deleted within 30 days via Shopify's shop/redact webhook — this overrides the 2-year cap. Financial/attribution data required for billing and tax compliance is retained for 7 years from the transaction date.

Security and Breach Response

PalUp follows industry-standard security practices: encryption at rest and in transit, least-privilege access controls, audit logging, and regular security reviews. In the event of a data breach affecting personal data, we notify the relevant supervisory authority within 72 hours of becoming aware, per GDPR Article 33, and affected data subjects without undue delay.

Cookies

We use session cookies to maintain the chat widget's state during a conversation. We do not use third-party advertising cookies or cross-site trackers. EU visitors are shown a cookie consent banner on first visit.

International Data Transfers

PalUp's primary data center is in the United States. Data about EU residents may be transferred to the US under Standard Contractual Clauses approved by the European Commission (2021/914), and/or under the EU-US Data Privacy Framework where our subprocessors are certified.

Policy Updates

Material changes to this policy will be communicated by email to merchants at least 30 days before the effective date. The effective date of the current version is shown at the top of this page.

Contact

Privacy questions, GDPR/CCPA requests, or breach notifications: privacy@palup.ai. Postal: PalUp, Taipei, Taiwan.