Deeplumen: AI Chatbot & Live Chat Privacy Policy
Effective date: July 1, 2026
This Privacy Policy explains how DEEPLUMEN PTE. LTD. ("DeepLumen", "we", "us") collects, uses, shares, and protects information in connection with our Shopify application listed as "Deeplumen: AI Chatbot & Live Chat" and also referred to as "Deeplumen: AI Sales Agent" (the "App").
The App is an AI sales assistant for Shopify merchants. It embeds a chat assistant on a merchant's storefront, answers shopper questions using the merchant's catalog and FAQs, recommends products, and can proactively engage shoppers at key moments, such as product-page hesitation or removal of an item from the cart.
This policy applies to the App, the embedded merchant admin experience, the storefront chat widget and behavioral pixel, and our related backend services and websites.
1. Our Role
Our role under data protection laws depends on the type of data:
- Merchant account data: For information about store owners and staff who install, configure, or use the App, DeepLumen acts as a data controller.
- Shopper and end-customer data: For information about visitors and customers on a merchant's storefront who interact with the App or are included in behavioral signals, the merchant is the data controller and DeepLumen acts as a data processor or service provider. We process this data on the merchant's behalf and under the merchant's instructions to provide the App.
Each merchant is responsible for maintaining a compliant privacy notice, establishing a lawful basis for processing, and obtaining any consent required for tracking, pixels, proactive messages, and marketing.
2. Information We Collect
Merchant and Store Data
When a merchant installs and uses the App, we may collect:
- Store identity and settings, such as store domain, store name, timezone, currency, and installation status.
- Authorization data, such as Shopify OAuth access scopes and admin session tokens. Credentials and tokens are not exposed to the browser.
- App configuration, such as assistant persona, widget appearance, theme color, greetings, suggested questions, launcher position, language settings, working hours, proactive-sales strategy settings, and FAQ or knowledge-base content.
- Merchant contact and support data, such as store owner or staff name, email address, role, support messages, attachments, and other information provided when a merchant contacts us at [email protected] or through our support channels.
- Billing information. The App is currently offered free of charge and we do not collect or store merchant card or payment details. If paid plans are introduced, charges will be processed through Shopify's billing system.
Store Catalog and Commerce Data
To provide accurate answers and sales attribution, we may access and index data made available through Shopify scopes granted by the merchant, including:
- Products and collections, such as titles, descriptions, variants, prices, images, tags, status, and related metafields.
- Discounts and price rules, such as codes, amounts, conditions, validity, and usage limits.
- Theme data, read-only, to install and render the storefront widget through a Shopify theme app extension.
- Orders and refunds, including order identifiers, totals, subtotals, currency, refunded amounts, paid timestamps, and order note attributes that link an order to a shopper session or visitor. We use this information to measure AI-assisted sales, conversion, and net revenue.
Access to orders, customer events, and email-derived identifiers depends on Shopify-approved Protected Customer Data permissions.
Shopper and End-Customer Data
When a shopper visits a storefront where the App is active, we may collect:
- Conversation content: messages sent to and from the assistant, including information a shopper voluntarily types, such as a name, email address, or order number.
- Behavioral and session signals: pages and products viewed, searches, add-to-cart events, cart-removal events, checkout events, browsing history within the session, current page or cart context, and dwell or hesitation signals used to trigger proactive onsite messages.
- Identifiers: an anonymous visitor identifier and session identifier stored in the shopper's browser to maintain conversation continuity and attribution. Where a shopper is a logged-in customer or provides an email address, we may link activity using a normalized identity key.
- Email-derived identifier: email addresses are stored only as a per-store, one-way SHA-256 hash in the identity layer and are not stored in plaintext for this purpose. The hashed email identifier may be used for sales attribution, shopper deduplication, personalization continuity across sessions, and frequency capping for proactive onsite messages. We do not use email to send marketing emails.
- Technical and approximate-location data: device type, browser language, and approximate country or region derived from IP address. We use IP-derived information for geolocation and security; we do not store full chat IP logs as a marketing profile.
- Traffic source data: UTM parameters, referrer domain, and landing page, used for source attribution.
- Server, diagnostic, and security logs: IP address, user agent, timestamps, request metadata, error logs, and similar technical records used for security, debugging, abuse prevention, and service reliability.
We do not knowingly build cross-merchant consumer profiles or shared identity graphs across different merchants' stores.
3. Information We Do Not Collect
We do not intentionally request or knowingly collect special-category or sensitive personal data. Shoppers should not provide sensitive information in chat messages. If we identify such data, we may delete or anonymize it. We do not collect or store shopper payment card details. Shopper payments are handled by Shopify.
4. How We Use Information
We use the information described above to:
- Provide the App's core service, including answering shopper questions, recommending products, and surfacing relevant discounts and FAQs.
- Power proactive onsite engagement, such as product-page hesitation prompts and cart-removal recovery messages, subject to frequency caps.
- Index merchant catalog, discount, and FAQ content so assistant responses remain accurate.
- Measure performance, including AI-assisted sales, conversion, order and revenue attribution, and merchant analytics dashboards.
- Maintain personalization continuity across sessions where permitted.
- Operate, secure, debug, and improve the App.
- Prevent fraud, abuse, and security incidents.
- Manage billing and provide merchant support.
- Comply with legal obligations.
Where GDPR or similar laws apply, our legal bases may include performance of a contract, legitimate interests of DeepLumen and the merchant, consent where required, and compliance with legal obligations.
5. AI and Automated Processing
The App is powered by artificial intelligence. To generate replies and recommendations, relevant data such as shopper chat messages, page or cart context, merchant catalog, discounts, and FAQ content may be processed through DeepLumen's AI gateway and sent to third-party AI model providers that supply large-language-model or text-embedding capabilities.
We share data with AI sub-processors only to the extent needed to generate responses and recommendations for the merchant's store, and we require them to process data in accordance with their terms and applicable data-protection obligations. AI model providers may include DeepSeek, Qwen, or other providers selected by DeepLumen to support language-model and text-embedding features.
The assistant automatically generates conversational replies, product suggestions, and onsite prompts. These outputs do not produce legal or similarly significant effects on shoppers. A shopper can ignore the assistant's suggestions and complete their purchase normally. We do not make automated decisions that have legal or similarly significant effects.
A current list of material sub-processors, including cloud infrastructure and AI model providers, is available upon request by contacting [email protected].
6. How We Share Information
We do not sell personal data. We share information only with:
- Shopify: the platform on which the App runs and the source of store, commerce, customer event, and webhook data.
- Cloud infrastructure providers: we host databases and services on Amazon Web Services (AWS), including database, cache, message streaming, and search-index infrastructure.
- Third-party AI model providers: accessed through DeepLumen's AI gateway to provide language and recommendation capabilities.
- Service providers: vendors that help us operate, monitor, secure, and support the App, subject to confidentiality and data-processing obligations.
- Legal and safety recipients: where required by law, to enforce our terms, to protect rights, safety, and security, or in connection with a corporate transaction with appropriate safeguards.
7. Protected Customer Data
The App may access Shopify Protected Customer Data, including customer events, orders, and a customer's email address. We request only the protected customer fields needed to provide value to merchants. For email, we use the address only to create a one-way, per-store hashed identifier; plaintext email is not persisted in the identity layer for this purpose.
Our safeguards include technical and organizational controls appropriate to the nature of the App and the data involved, such as:
- Data minimization.
- Encryption in transit and at rest.
- Infrastructure controls intended to protect backups and separate production data from development and testing workflows.
- Multi-tenant isolation by store.
- Least-privilege staff access controls.
- Strong authentication for staff systems.
- Access logging for systems that may contain personal data.
- Data-loss-prevention practices, including sensitive-field redaction from application logs.
- HMAC verification of incoming Shopify webhooks.
- Defined retention periods.
- Deletion or irreversible anonymization upon valid deletion requests.
- A security incident response process.
8. Cookies, Pixels, and Similar Technologies
On the storefront, the App stores a small set of identifiers and state in the shopper's browser, such as an anonymous visitor ID, a session ID, and chat or cart state in session storage, to maintain conversation continuity and attribution.
Behavioral events are collected through Shopify Web Pixels and the storefront widget. Obtaining any consent required for non-essential cookies, tracking, pixels, proactive marketing messages, or related processing is the merchant's responsibility as the controller of the storefront.
The App is designed to support consent-aware operation where Shopify or merchant consent signals are made available and integrated. Until such controls are enabled for a store, merchants should not enable non-essential tracking or proactive marketing features unless they have an appropriate lawful basis and consent mechanism. The chat assistant may still process messages that a shopper voluntarily sends.
Where used, browser storage may include an anonymous visitor ID, a session ID, and chat or cart state. Session storage generally lasts until the browsing session or browser tab ends. Persistent browser storage may remain until it is deleted by the shopper, cleared by the browser, reset by the App, or removed when the merchant disables or uninstalls the App. Server-side records linked to these identifiers are subject to the retention practices described below.
9. International Data Transfers
DeepLumen is established in Singapore and hosts data on AWS. Our service providers, including AI model providers, may process data in other countries. Where personal data is transferred across borders, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms where required.
10. Data Retention
We retain personal data only for as long as needed to provide the App, comply with legal obligations, resolve disputes, and enforce agreements.
- Merchant configuration and store data are retained while the App is installed.
- Conversation, event, attribution, and analytics records are intended to be retained for no longer than 12 months, unless a longer period is needed for security, legal compliance, dispute resolution, or service continuity.
- Server, diagnostic, and security logs are generally retained for up to 90 days, unless a longer period is needed for security, fraud prevention, debugging, legal compliance, or dispute resolution.
- When the App is uninstalled and Shopify sends a
shop/redactrequest, we erase the store's data within 30 days of receiving a valid request, unless we are legally required to retain it. - When Shopify sends a valid
customers/redactrequest, we delete or irreversibly anonymize the relevant customer's data within 30 days, unless we are legally required to retain it. - We may retain aggregated or de-identified data that can no longer identify an individual.
11. Security
We use technical and organizational measures appropriate to the risk, including encryption in transit, encryption at rest, infrastructure backup controls, multi-tenant isolation, least-privilege access controls, strong staff authentication, access logging, webhook HMAC verification, and sensitive-field redaction from application logs, including fields such as email, phone numbers, cookies, authorization headers, and session tokens where supported by our logging systems.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
12. Your Rights
Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent.
Under CCPA/CPRA, California residents may request to know, access, correct, and delete personal information and opt out of "sale" or "sharing." We do not sell personal information or share personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA.
- Shoppers: because the merchant is the controller of storefront data, please direct requests to the store you interacted with. Shopify may also send us standardized
customers/data_requestorcustomers/redactwebhooks, and we respond by providing, deleting, or anonymizing the relevant data as required. - Merchants: contact us at [email protected].
We will not discriminate against individuals for exercising privacy rights.
13. Merchant Responsibilities
Merchants who install the App act as data controllers for their shoppers' personal data. Merchants are responsible for maintaining a compliant privacy policy that discloses use of an AI assistant, behavioral tracking, proactive onsite messages, and any marketing-related processing; establishing a lawful basis; obtaining any required consent; and responding to shopper data-subject requests with our support.
14. Children's Privacy
The App is not directed to children, and we do not knowingly collect personal data from individuals under the age of 16 or the age defined by applicable local law. If you believe a child has provided personal data through the App, contact us so we can delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version with a new effective date and provide additional notice where required. Continued use of the App after changes take effect constitutes acceptance of the updated policy.
16. Contact Us
DEEPLUMEN PTE. LTD.
Singapore company registration no. 202542142Z
91 Bencoolen Street, #12-03 Sunshine Plaza, Singapore 189652
Privacy and support: [email protected]
Website: https://www.deeplumen.com/
This policy is governed by the laws of Singapore.