Privacy Policy

Last updated: April 14, 2026

1. Introduction

Emporiqa, operated by Rosel Group LTD., a limited liability company registered in Sofia, Bulgaria (UIC/EIK 206801487) ("we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use our e-commerce online-salesperson platform (also described in marketing materials as a chat assistant for e-commerce) and related services (the "Service"). Our full registered address and contact details are in Section 15.

Controller vs. processor roles. For personal data relating to merchant accounts and dashboard users (for example your account email, team member details, billing data), we act as the controller. For personal data processed through the chat widget on behalf of a merchant (for example customer chat messages sent to a merchant's store), we act as a processor and the merchant is the controller; the merchant is responsible for providing an appropriate privacy notice to their end customers.

Data protection contact. We have not appointed a formal Data Protection Officer (we are not required to under GDPR Art. 37). Because we are established inside the European Union, we are not required to designate an EU representative under Art. 27. For any data-protection matter, including rights requests, you may contact us at [email protected].

Please read this Privacy Policy carefully. If you do not agree with it, please do not access the Service.

2. Information We Collect

2.1 Information You Provide or Your Store Transmits

We receive information in two ways: information you enter directly into our platform, and information your store sends to our webhook endpoints on your instruction. Specifically:

  • Account registration information (name, email address, business details)
  • Payment information (processed securely by our payment processor, Stripe — we do not store full card numbers)
  • Profile information and preferences
  • Support communications and correspondence
  • Store content transmitted via webhooks: product data, page/policy content, and inventory metadata that your store actively pushes to our webhook endpoints. We do not pull or scrape data from your store.
  • Webhook signing secrets: a secret used to verify HMAC-SHA256 signatures on webhook requests from your store. Stored encrypted at rest using symmetric (Fernet) encryption.
  • Team member information: Names, email addresses, and access levels (Owner or Team Member)
  • Order tracking configuration (optional): if you enable order tracking, you provide an HTTPS endpoint URL on your store that we call (with an HMAC-signed request) when a customer asks about an order. We do not store order data; we relay the response back through the chat.

2.2 Information Collected Automatically

When the chat widget is loaded on your store, or when you use our dashboard, we automatically collect:

  • Customer chat data: All customer conversations (kept for 90 days, then automatically deleted)
  • Customer satisfaction ratings: Thumbs up/down feedback submitted by customers after chat sessions
  • Cart interaction data: Products added, removed, or updated via in-chat cart operations
  • Conversion tracking data: Cart events and purchase attribution linking chat sessions to completed orders. If you enable conversion tracking, your store sends us an order.completed webhook containing the order identifier, order total, and an identifier linking the order to a chat session. We do not receive or store the customer's name, address, or payment details through this webhook.
  • Widget engagement data: Chat widget loads, opens, unique visitors, and engagement rates
  • Visitor identifier in browser storage: the widget stores a random visitor_id in the end-customer's browser localStorage for unique-visitor counting via HyperLogLog. Individual visitors are not personally identified by this value.
  • Signed customer identifier (optional): if you pass a user_id parameter when embedding the widget, we verify its HMAC signature and associate chat sessions with that identifier. We do not use this identifier for any purpose other than linking a chat to your customer record.
  • Proactive trigger data: Which chat triggers fired based on visitor behavior (time on page, pages viewed, checkout page visits) and customer responses
  • Platform usage: How you use the dashboard, manage products, and access features
  • Team activity: What Owner and Team Member users do in the system
  • Store connection data: How well your store stays connected and synced with our platform
  • Billing and usage data: Invoice creation, subscription management, and usage tracking
  • Device information and browser details
  • IP addresses (used for rate limiting and abuse prevention; not used for geolocation)
  • Session information (authentication cookies, CSRF tokens)
  • Usage data for billing (conversation counts, webhook event counts)
  • Store management activities: When stores are paused/activated, settings changes, and operational activities

2.3 Customer Data

When a customer uses the chat widget on your store, we process customer data on your behalf, including customer questions, product searches, order tracking inquiries, cart operations (products added or removed via chat), satisfaction ratings, and chat history. All customer conversations are kept for exactly 90 days from the conversation date and then automatically deleted. We process this information to generate assistant responses via our LLM subprocessors (see Section 5). When order tracking is enabled, we forward customer order identifiers to your store's order tracking API endpoint and relay the response back through the chat. We do not store order data separately from the chat conversation.

Chat messages are not used to train AI models. Our large language model subprocessor's published API data usage policy states that data submitted via the API is not used to train or improve its models by default. We do not opt in to any model-improvement programs that would change this, and we do not feed chat content into our own training pipelines. Where the subprocessor offers a zero-retention (ZDR) endpoint, we use it. The current named subprocessor is listed on our Subprocessors page.

Human handoff: if a customer's question is escalated to a human (via our handoff feature), the customer's chat messages become visible to your authorized team members in your platform dashboard so they can respond. Handoff availability and behavior are controlled by you.

2.4 Chat Assistant Data

Our systems process and store:

  • Product and page information for search and recommendations
  • Conversation history and context for customer service (90-day retention period)
  • Language detection and processing data (supporting 65+ languages)
  • Aggregate conversation volumes and token counts (used for billing, capacity planning, and abuse detection — we do not use the content of customer chats to improve responses or train AI models)

2.5 Platform Management Data

Our business management features collect and store:

  • Store dashboard data: Product and page status, connection monitoring
  • Conversion tracking dashboard: Revenue attribution, conversion funnel metrics (sessions, cart adds, checkouts, purchases), chat-attributed revenue
  • CSAT dashboard data: Aggregate satisfaction scores and individual low-rated conversation review
  • Proactive trigger configuration: Trigger rules, templates, and performance data per store
  • Team management data: User access levels (Owner/Team Member), permissions, activity tracking
  • Store connection data: Setup configurations, connection status tracking, security logs
  • Billing management data: Invoice history, usage tracking, subscription management
  • Activity records: Complete records of all platform activities organized by user access level
  • Business analytics data: Detailed statistics on usage, performance, and customer interactions
  • Chat widget data: Customization settings, positioning, brand colors, and website security rules

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our e-commerce chat assistant services
  • Process transactions and manage your account and subscription plans
  • Improve platform reliability and performance (operational metrics only — we do not use customer chat content to improve the Service)
  • Provide customer support and respond to inquiries
  • Send service notifications and important updates
  • Conduct aggregate analytics to understand platform-wide usage patterns
  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations and enforce our terms
  • Generate vector embeddings of your product and page content for semantic search
  • Track conversion attribution from chat sessions to purchases
  • Process and aggregate customer satisfaction (CSAT) ratings
  • Deliver proactive chat triggers based on visitor behavior
  • Process in-chat cart operations (add, remove, update, checkout)
  • Manage team members and role-based access controls
  • Process billing information and generate invoices
  • Maintain chat history and conversation records (90-day retention)
  • Track platform usage and generate analytics reports
  • Monitor store status and manage suspension/activation
  • Create activity logs and audit trails
  • Enable profile management and user updates

4. Legal Basis for Processing (GDPR)

Where GDPR applies, the legal basis under Art. 6(1) for each category of processing we carry out as a controller is:

  • Contract performance (Art. 6(1)(b)): account registration and authentication, provisioning the Service, team-member management, subscription management, billing, sending service-related notifications, and responding to support requests.
  • Legitimate interests (Art. 6(1)(f)): platform security and abuse prevention (including rate limiting, signature verification, and audit logs), aggregate usage analytics for capacity planning, and product improvement from operational metrics. We have balanced these interests against your rights and concluded they do not override them. You may object under Section 9.
  • Consent (Art. 6(1)(a)): optional marketing communications and any non-essential cookies or analytics that require consent under ePrivacy rules. You may withdraw consent at any time without affecting processing carried out beforehand.
  • Legal obligation (Art. 6(1)(c)): retention of invoices and tax records, responses to lawful requests from competent authorities, and compliance with GDPR itself (breach notification, subject-rights responses, record-keeping).

For personal data processed on behalf of a merchant via the chat widget (for example, customer chat messages), we act as a processor under Art. 28 and process only on the merchant's documented instructions. The merchant is responsible for establishing the legal basis for that processing under their own privacy notice.

Automated decision-making (Art. 22). The Service generates AI-assisted responses to customer chat messages, but it does not make decisions producing legal effects concerning a data subject or similarly significantly affecting them. In particular, we do not use automated processing to deny service, set pricing per individual, or make employment, credit, or similar decisions about any person.

5. Subprocessors and Information Sharing

5.1 Subprocessors

We engage the following categories of third-party subprocessors to deliver the Service. Each is contractually bound to process data only on our documented instructions, to maintain appropriate security, and not to use customer data for training AI models.

  • Large language model provider: generates chat responses from customer messages and processes product/page content during catalog sync (summaries and embeddings). We use zero-retention endpoints where available.
  • Payment processor: handles subscription billing and stores payment-method data. We do not store full card numbers.
  • Cloud hosting and infrastructure provider: runs our application servers, PostgreSQL databases, Redis cache, vector database, and object storage, located in the European Union.
  • CDN and edge network provider: fronts our HTTP traffic and the chat widget embed script. Processes IP addresses, request/response metadata, and proxied traffic for caching, DDoS protection, and abuse prevention.
  • Error-tracking and observability provider: receives application error reports and performance traces so we can diagnose issues. Payloads may include request metadata, user identifiers for the logged-in platform user, and stack traces. Customer chat message bodies are scrubbed before submission.

The current authoritative list of named subprocessors (including jurisdictions and purposes) is published on our Subprocessors page. We will notify registered account holders at least 30 days before engaging a new subprocessor that processes customer personal data.

5.2 Other Disclosures

  • Store order tracking API (optional): when you enable order tracking, customer order identifiers are sent to the endpoint you configure on your own store, using HMAC-signed requests. The response is relayed back to the chat.
  • Official platform extensions: if you install one of our extensions (Drupal Commerce, WooCommerce, Sylius, PrestaShop, Shopware, Magento 2 / Adobe Commerce), it runs inside your own store and transmits data to our webhook endpoints. The extension is first-party code we publish, not a third-party recipient.
  • Legal Requirements: When required by law or to protect rights and safety
  • Business Transfers: In connection with mergers, acquisitions, or asset sales

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Cookies and Tracking Technologies

6.1 Dashboard Cookies (for platform users)

When you access our platform dashboard, we use essential cookies necessary for the operation of the dashboard:

  • Session cookies for authentication and security
  • CSRF protection tokens
  • User preference storage (language, theme, selected store)

6.2 Chat Widget Storage (on end-customer browsers)

When a customer loads the chat widget on your store, the widget uses browser localStorage to maintain conversation state and to count unique visitors:

  • Conversation thread identifier: so a customer's chat continues across page navigation within your store.
  • Random visitor_id: used only to derive approximate unique-visitor counts via HyperLogLog. Not linked to personally identifying information.

The chat widget does not set third-party advertising or cross-site tracking cookies.

6.3 Managing Cookies and Storage

You can manage your cookie and localStorage preferences through your browser settings. Disabling dashboard cookies will prevent you from logging into the platform. Clearing widget localStorage on an end-customer's browser will end their current chat session but does not otherwise affect their experience of your store.

7. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

  • TLS 1.2+ encryption for all data in transit
  • Symmetric (Fernet) encryption at rest for webhook signing secrets
  • HMAC-SHA256 signature verification on all webhook traffic from your store
  • Encrypted database backups
  • Access controls and least-privilege permissions for our operations team
  • Periodic security reviews and dependency vulnerability scans
  • Incident response procedures and breach notification in line with GDPR Art. 33
  • Multi-tenant data isolation between stores at the application and database layer
  • Data residency: primary application infrastructure and data stores are hosted in the European Union. Customer chat messages are transmitted to our LLM subprocessor (see Section 5), which may process them outside the EU under GDPR transfer safeguards (Section 10).

8. Data Retention

We retain your personal information for as long as necessary to provide our services and fulfill the purposes outlined in this Privacy Policy. Specific retention periods include:

  • Account data: Retained while your account is active and for 3 years after closure
  • Transaction records: Retained for 7 years for legal and tax purposes
  • Chat logs and customer conversations: Retained for 90 days from conversation date, then automatically deleted
  • Platform analytics and usage data: Retained for 2 years unless longer retention is required
  • Vector embeddings: retained for the lifetime of the underlying product or page. Deleted when you issue a product.deleted or page.deleted webhook, when a reconciling sync.complete marks the item as no longer present, or when your store is terminated.
  • Marketing data: Retained until you withdraw consent
  • Team member data: Retained while account is active and for 1 year after member removal
  • Activity logs: Retained for 2 years for audit and security purposes
  • Billing dashboard data: Invoice history retained for 7 years, usage statistics for 2 years
  • Store management data: Product/page data retained while store is active, deleted upon store termination

Important: Chat conversations are automatically deleted after 90 days to protect customer privacy. If you need longer retention for business purposes, you should export important conversations before the 90-day limit.

9. Your Rights

If GDPR applies to the processing of your personal data, you have the following rights in respect of the personal data we hold about you as a controller:

  • Access (Art. 15): obtain confirmation of whether we process your personal data and receive a copy.
  • Rectification (Art. 16): have inaccurate or incomplete data corrected.
  • Erasure (Art. 17): have your personal data deleted where the grounds in Art. 17(1) apply.
  • Restriction (Art. 18): request limitation of processing in the circumstances set out in Art. 18(1).
  • Portability (Art. 20): receive the personal data you provided to us in a structured, commonly used and machine-readable format, and have it transmitted to another controller where technically feasible.
  • Objection (Art. 21): object to processing based on our legitimate interests, including to profiling. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Withdraw consent (Art. 7(3)): withdraw any consent you have given, at any time, without affecting the lawfulness of processing carried out beforehand.
  • Right not to be subject to solely automated decision-making (Art. 22): see Section 4 for our position on automated decision-making.
  • Lodge a complaint with a supervisory authority (Art. 77): in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. Our lead supervisory authority is the Commission for Personal Data Protection of the Republic of Bulgaria (cpdp.bg).

To exercise these rights, contact us at [email protected]. We will respond without undue delay and at the latest within one month of receiving your request, extendable by a further two months where necessary under Art. 12(3). We may need to verify your identity before acting on a request.

If your request concerns chat messages or customer data processed on behalf of a merchant, the merchant is the controller of that data. We will forward such requests to the merchant and assist them in responding, in line with our processor obligations under Art. 28.

10. International Data Transfers

Our primary application infrastructure and data stores (PostgreSQL, Redis, vector database, and object storage) are hosted in the European Union. Some personal data is transferred outside the European Economic Area (EEA) in the course of delivering the Service, specifically:

  • United States: our large language model subprocessor, our payment processor, our error-tracking subprocessor, and our CDN / edge-network subprocessor are based in the United States. Chat message content, technical error context, and HTTP request metadata may be transmitted to their US systems for processing. Each transfer is governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914, supplemented by the additional safeguards each provider makes available (including Data Privacy Framework certification, where applicable).

Before relying on any new transfer mechanism, we assess whether the destination country's law ensures an essentially equivalent level of protection, following the approach set out by the European Court of Justice in Schrems II. Where necessary we apply additional technical measures (for example, using zero-retention endpoints and TLS 1.2+ in transit) to protect transferred data. You may request a copy of the relevant SCCs by contacting us at [email protected].

11. Compliance and Breach Notification

We comply with applicable data protection laws, including the General Data Protection Regulation (Regulation (EU) 2016/679), the Bulgarian Personal Data Protection Act, and the California Consumer Privacy Act (CCPA) where applicable.

Breach notification. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Art. 33). Where the breach is likely to result in a high risk, we will also notify affected data subjects or, for data processed on behalf of a merchant, the merchant-controller without undue delay (Arts. 33(2) and 34).

Data Processing Addendum. If you are a merchant processing personal data of EU residents through the Service, you are the controller and we are the processor. A Data Processing Addendum (DPA) incorporating the Standard Contractual Clauses is available on request by contacting us at [email protected].

12. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights regarding your personal information:

  • Right to Know: You can request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You can request deletion of your personal information, subject to certain exceptions
  • Right to Opt-Out of Sale: We do not sell your personal information to third parties. If this changes, we will provide a "Do Not Sell My Personal Information" option
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Categories of personal information collected: Identifiers (name, email), commercial information (subscription and billing data), internet activity (usage logs, chat data), and professional information (business details). See Section 2 for complete details.

To exercise your California privacy rights, contact us at [email protected]. We will respond to verifiable requests within 45 days.

13. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

15. Contact Information

If you have any questions about this Privacy Policy or you wish to exercise your data-protection rights, please contact us:

Controller: Rosel Group LTD.

UIC/EIK: 206801487

Registered address: 10 Kishinev Street, floor 4, apt. 28, Lozenets district, 1407 Sofia, Bulgaria

Email: [email protected]

16. Governing Language

This Privacy Policy is published in English. Translations into other languages are provided for convenience only. In case of any discrepancy or inconsistency between the English version and any translation, the English version shall prevail.