This Privacy Policy explains how Alcemi ("Alcemi", "we", "us", or "our") collects, uses, shares, and protects personal data when you visit alcemi.ai, install or use our AI shopping agent for Shopify, or otherwise interact with our services (together, the "Services").
By using the Services you agree to the practices described here. If you do not agree, please do not use the Services.
1. Who we are
Alcemi provides an AI-powered shopping agent that merchants install on their Shopify stores to power product discovery, personalized consultations, and automated customer support. Alcemi is established in the European Union, and we store and process personal data primarily within the European Economic Area (EEA).
For the purposes of data protection law, Alcemi acts as a data controller for personal data collected through our marketing website and our direct relationships with merchants, and as a data processor for the merchant and shopper personal data we process on behalf of merchants who use our app, under their instructions and our data processing agreement with them.
2. Information we collect
2.1 Information we collect through Shopify's APIs
When a merchant installs the Alcemi app, we access store and customer data through Shopify's APIs, only with the merchant's authorization and only to the extent needed to provide the app. This includes:
- Store and catalog data — products, collections, inventory, pricing, and store configuration.
- Customer profiles — customer name, email address, postal address, and phone number.
- Order and purchase history — orders, line items, fulfillment status, and related transaction details (excluding full payment card data, which we do not access).
This data is treated as Shopify protected customer data. We apply data minimization, request only the data fields required for the app's functionality, and handle it in line with Shopify's protected customer data requirements.
2.2 Information we collect directly from merchants
- Account and contact data — name, email address, company, and details shared when you install the app, book a demo, or request support.
- Communications and support data — messages you send us, and the content of support requests.
- Usage logs — automated logs about how the merchant configures and uses the app.
2.3 Information we collect from shoppers
- Conversation data — messages, questions, and context shoppers provide to the agent, and the responses generated.
- Interaction data — products viewed or discussed and related session context used to provide and improve the consultation.
We process shopper data on behalf of, and under the instructions of, the merchant operating the store. Shoppers should also review the merchant's own privacy policy.
2.4 Information we collect on our marketing website
- Usage and device data — IP address, browser type, device, pages viewed, referring URLs, and interaction events.
- Cookies and similar technologies — see Cookies and analytics below.
3. How we use information
- To provide, operate, and improve the app and our website.
- To generate product recommendations, consultations, and support responses.
- To respond to enquiries, schedule demos, and provide merchant support.
- To measure performance, analyze usage, maintain security, and prevent fraud or abuse.
- To send service and, where permitted, marketing communications. You can opt out at any time.
- To comply with legal obligations and enforce our terms.
We do not sell personal data, and we do not use protected customer data for purposes beyond providing and improving the app's functionality to the merchant.
4. How AI is used
The agent generates responses using third-party large language models provided by Google (Gemini), acting as our sub-processor. Conversation content and the context needed to generate a response are sent to this provider solely to produce the agent's output. We do not permit our AI sub-processor to use this data to train its general-purpose models.
5. Legal bases for processing
Under the GDPR we rely on: performance of a contract (to deliver the Services to merchants), legitimate interests (to operate, secure, and improve the Services), consent (for certain cookies and marketing), and legal obligation (to meet regulatory requirements). Where we act as a processor for a merchant, the merchant is responsible for the legal basis for the underlying processing.
6. Cookies and analytics
On our marketing website we use cookies and similar technologies to run the site, remember preferences, and understand usage. We use Google Analytics to measure website traffic and engagement, which involves collection of usage and device data by Google. You can control cookies through your browser settings and, where shown, our consent controls. Disabling some cookies may affect functionality.
7. How we share information & sub-processors
We do not sell personal data. We share it only as follows:
- Google — as AI sub-processor (Gemini models, to generate agent responses) and as our website analytics provider (Google Analytics).
- Shopify — the platform through which the app operates and through which merchant and customer data is exchanged.
- Hosting and infrastructure — cloud hosting and content-delivery providers (including Cloudflare) used to operate the Services.
- Merchants — where a shopper interacts with the agent on a merchant's store, relevant data is made available to that merchant.
- Legal and safety — when required by law or to protect rights, safety, and security.
- Business transfers — in connection with a merger, acquisition, or sale of assets.
All sub-processors are bound by confidentiality and data-processing terms.
8. Data subject requests and Shopify compliance webhooks
We honour data subject requests (such as access, correction, and deletion) for all individuals, regardless of location. As an app distributed through the Shopify App Store, we implement Shopify's mandatory compliance webhooks:
- customers/data_request — when a shopper requests their data from a merchant, we provide the relevant data we hold.
- customers/redact — we delete the personal data of the specified customer for that store.
- shop/redact — 48 hours after a merchant uninstalls the app, we delete the store's personal data.
9. International data transfers
We store and process personal data primarily within the EEA. Where a sub-processor processes data outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision.
10. Data retention
We retain merchant and shopper personal data for as long as the merchant uses the app. Following uninstall, store personal data is deleted in response to Shopify's shop/redact webhook (received 48 hours after uninstall), and individual customer data is deleted on receipt of a customers/redact request. We retain account, billing, and website data only as long as needed for the purposes described here or to meet legal obligations, after which we delete or anonymize it.
11. Data security
We use technical and organizational measures designed to protect personal data against unauthorized access, loss, or misuse, including encryption in transit and access controls. No method of transmission or storage is fully secure, so we cannot guarantee absolute security.
12. Your rights
Depending on where you live, you may have the right to access, correct, delete, or port your personal data; to object to or restrict certain processing; and to withdraw consent. Residents of the EEA/UK (GDPR) and California (CCPA/CPRA), among others, have specific rights, including the right to lodge a complaint with a supervisory authority. To exercise any right, contact us using the details below; where we process data on a merchant's behalf, we will direct your request to that merchant. We respond as required by applicable law.
13. Children's privacy
The Services are not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
14. Third-party links
Our Services may link to third-party websites and tools that we do not control. Their privacy practices are governed by their own policies.
15. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version here and update the "Last updated" date. Material changes may be communicated through the Services.
16. Contact us
For questions about this policy or your personal data, or to exercise your rights, contact us:
| Controller | Džiugas Balčiūnas, conducting individual activity (individuali veikla) No. 1091771, Lithuania, trading as “Alcemi” |
| hello@alcemi.ai | |
| Website | alcemi.ai |