How it worksConversion LabPricing
Back to Home

Privacy Policy

Last updated: April 8, 2026

1. Introduction

This Privacy Policy describes how Swishy (the “Application”) processes data in connection with its use by Shopify merchants (“Merchant”). Swishy is a software tool integrated into Shopify stores via Shopify APIs. Depending on the type of data processed:

  • The Merchant acts as the data controller of its customers’ personal data.
  • Dmytro Popov acts as a data processor solely for the purpose of providing the Application.

The Provider does not determine the purposes or means of processing customer personal data and does not independently control such data. Personal Data means any information relating to an identified or identifiable natural person as defined under applicable data protection laws. Where required under applicable law, the parties may enter into a separate Data Processing Agreement governing the processing of personal data.

2. Categories of Data Processed

2.1 Shopify Event Data

The Application may process technical Shopify events exclusively through authorised Shopify APIs, including but not limited to: page_viewed, collection_viewed, search_submitted, product_viewed, product_added_to_cart, product_removed_from_cart, cart_viewed, checkout_started, checkout_completed, checkout_shipping_info_submitted, checkout_address_info_submitted, checkout_contact_info_submitted, and payment_info_submitted.

2.2 Swishy Custom Events

The Application may generate and process custom technical events, including swishy_agent_session_started, swishy_agent_interaction, and swishy_agent_product_recommended. These events are processed for analytics, product performance measurement, and service improvement.

2.3 Chat Interaction Data

The Application stores chat interaction history between end users and the AI agent within session scope. Chat history:

  • is stored without direct identifiers and is not linked to identifiable customer accounts;
  • is not linked to identifiable customer profiles;
  • is not used for independent profiling.

However, end users may voluntarily submit personal information within chat messages. In such cases, the data is processed solely for the purpose of generating a contextual response.

2.4 Merchant Data

The Application may process the following Merchant-related data: store name, product identifiers, product descriptions, and content imported from social media platforms upon Merchant authorisation.

3. Use of Artificial Intelligence

The Application may utilise third-party artificial intelligence and automated processing systems for the purpose of generating contextual, informational, and product-related responses within the Merchant’s store. In order to enable such functionality, certain inputs may be transmitted to authorised AI service providers. These inputs may include:

  • text messages voluntarily submitted by end users;
  • technical session identifiers;
  • non-identifiable contextual data related to the product page;
  • limited metadata necessary to generate a relevant response.

Such data is transmitted strictly for the purpose of processing and generating a response in real time and in accordance with the Merchant’s instructions. The Provider implements data minimisation measures designed to limit the scope of information transmitted to what is reasonably necessary for the functionality of the Application. The Provider does not sell personal data to third parties, use end user data for independent commercial exploitation, engage in autonomous behavioural profiling outside the Merchant’s store environment, or combine data across different Merchant accounts for cross-site profiling. The Application does not perform automated decision-making that produces legal or similarly significant effects on individuals within the meaning of Article 22 GDPR.

4. Legal Bases for Processing

UK and European Union

Where the GDPR or the UK GDPR applies, the legal bases include:

  • Performance of a contract: Processing is necessary for the performance of the agreement between the Provider and the Merchant.
  • Legitimate interests: Processing is necessary for improving functionality, ensuring security, and analysing service performance.
  • Consent: Where required, consent is obtained and managed by the Merchant as the data controller.

United States

For users located in the United States, personal data is processed as necessary to provide the Application, for legitimate business purposes, and in compliance with applicable state privacy laws (including CCPA). The Provider does not sell personal information.

5. International Data Transfers

Personal data may be transferred to, stored in, or accessed from jurisdictions outside the EU/UK, including the United States. The Provider implements appropriate safeguards, such as Standard Contractual Clauses (SCCs) or the UK IDTA, to ensure a level of protection equivalent to that guaranteed under applicable data protection laws.

6. Subprocessors

The Provider may engage third-party subprocessors for cloud infrastructure, AI services, monitoring, and support. The Provider selects subprocessors with due care and ensures that written agreements are in place with appropriate data protection obligations.

7. Data Retention

Chat interaction history and technical event data are retained only for as long as necessary, and in any event for no longer than twelve (12) months from the date of collection, unless a longer retention period is required or permitted under applicable law for legal compliance or security monitoring.