Privacy Policy

Effective Date: 2025-09-23 | Last Updated: 2025-09-23

1. Introduction

Figu Chat ("we," "us," "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopify application and related services (collectively, the "Service").

By installing our app or using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information from Shopify

When you install our app, we collect the following information through Shopify's APIs:

  • Store information (name, domain, email, timezone, currency)
  • Product data (titles, descriptions, prices, inventory, variants, images)
  • Customer information (when shared through chat interactions)
  • Order information (for customer support purposes)
  • Shop owner and staff account information
  • Webhook events (product updates, order creation, customer updates)
  • Theme and storefront data for widget installation
  • Collections, pages, and blog content

2.2 Information from Email Integration

If you connect your Gmail account, we collect:

  • Email messages in specified labels/folders
  • Email metadata (sender, recipient, subject, timestamps)
  • Email attachments (stored temporarily for processing)
  • Gmail labels and folder structure
  • OAuth tokens for Gmail access (encrypted)

2.3 Information from Web Crawling

When you enable web crawling for your website, we collect:

  • Website content (text, FAQ items, product descriptions)
  • Page structure and navigation elements
  • Metadata and schema markup
  • Public information displayed on crawled pages

2.4 Information Collected Directly

We directly collect:

  • Chat messages and conversation data
  • User preferences and settings
  • Contact information provided through forms
  • Industry classification for AI agent customization
  • Custom agent configurations and tool settings
  • Support tickets and feedback
  • Blog post content (if you use our blog feature)

2.5 Automatically Collected Information

We automatically collect:

  • Visitor IDs (stored in browser localStorage/sessionStorage)
  • Session data and interaction patterns
  • Log data (IP addresses, browser type, access times)
  • Device information (type, operating system)
  • Performance metrics and error reports
  • Widget load times and interaction events

2.6 AI and Analytics Data

Our system tracks:

  • AI model usage (tokens, costs, response times)
  • Tool execution patterns and success rates
  • Product search queries and recommendations
  • Conversation sentiment and satisfaction scores
  • Agent performance metrics
  • A/B testing data (internal testing only, not with customer data)

3. How We Use Your Information

We use collected information to:

  • Provide and maintain our AI-powered chat service
  • Process and respond to customer inquiries through multiple channels (widget, email)
  • Generate intelligent responses using AI models
  • Create email drafts and automated responses
  • Provide product recommendations and search results
  • Generate dynamic questions to better understand customer needs
  • Analyze conversation patterns to improve AI responses
  • Create embeddings for semantic search capabilities
  • Monitor agent performance and optimize response quality
  • Generate analytics dashboards and reports
  • Send email notifications for important events
  • Detect, prevent, and address technical issues
  • Comply with legal obligations
  • Calculate and track AI model usage costs
  • Improve our service based on usage patterns (we do not train AI models with your data)

4. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal bases:

4.1 Legitimate Interest (GDPR Article 6(1)(f))

We use browser storage (localStorage/sessionStorage) for strictly necessary functional purposes to provide our chat support service:

  • Chat session identification: Storing visitor IDs to maintain conversation continuity across page navigations
  • Conversation state management: Preserving chat history and user preferences within active sessions
  • Widget functionality: Technical storage required for the chat widget to operate properly

No consent required: This processing is based on our legitimate interest in providing a functional chat service. These storage mechanisms are strictly necessary for the service to work and do not involve tracking, marketing, or analytics.

Important: We do not use cookies, marketing pixels, or analytics tracking that would require consent. All browser storage is limited to functional purposes only.

4.2 Contract Performance (GDPR Article 6(1)(b))

  • Processing necessary to provide our chat support service as agreed upon installation
  • Managing merchant accounts and billing
  • Responding to customer inquiries and support requests

4.3 Consent (GDPR Article 6(1)(a)) - When Applicable

We will request your explicit consent if we introduce features that require it, such as:

  • Marketing communications (newsletters, promotional emails)
  • Optional analytics or tracking features
  • Non-essential third-party integrations

Currently not applicable: Our current service does not use marketing tracking, analytics cookies, or any features requiring consent. If this changes in the future, we will implement appropriate consent mechanisms.

4.4 Legal Obligations (GDPR Article 6(1)(c))

  • Complying with applicable laws and regulations
  • Responding to valid legal requests from authorities
  • Maintaining records required by law

5. Data Sharing and Disclosure

We may share your information with:

  • OpenAI: For generating AI responses and embeddings (conversations and context are shared)
  • Google (Gmail API): For email integration and management (OAuth tokens stored encrypted)
  • Shopify: For e-commerce integration and order management
  • PostgreSQL with pgvector: For data storage and vector embeddings
  • Redis: For session management and caching
  • Metabase: For analytics and reporting dashboards (data is filtered by account)
  • Web Crawling Services: Playwright/Crawlee for website content extraction
  • Legal Requirements: When required by law or to protect rights
  • Business Transfers: In connection with mergers or acquisitions

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

Note: When using AI services, your conversation data is sent to OpenAI for processing. While we implement security measures, please be aware that AI-generated responses are based on the data provided.

6. Data Retention

We retain your information for as long as necessary to:

  • Provide our Service to you
  • Comply with legal obligations
  • Resolve disputes and enforce agreements
  • Maintain backup and disaster recovery capabilities

Our retention periods:

  • Chat conversations: Retained while your account is active
  • Analytics data: Auto-expires after 90 days
  • Email attachments: Temporarily stored during processing, then deleted
  • Visitor IDs: Stored in browser storage (cleared when browser data is cleared)
  • Product data: Updated in real-time via Shopify webhooks
  • Web crawl data: Refreshed based on your configured schedule
  • OAuth tokens: Stored encrypted until revoked
  • Deleted conversations: Soft-deleted and retained for 30 days before permanent deletion

You can request deletion or export of your data at any time via our API. Aggregated analytics data may be retained in anonymized form for service improvement.

7. Your Rights and Choices

7.1 GDPR Rights (European Users)

If you are in the European Economic Area, you have the right to:

  • Access: Request copies of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request limited processing of your data
  • Portability: Receive your data in a structured format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Where processing is based on consent

7.2 CCPA Rights (California Users)

California residents have the right to:

  • Know what personal information is collected
  • Know whether personal information is sold or disclosed
  • Say no to the sale of personal information
  • Access your personal information
  • Request deletion of personal information
  • Equal service and price, even if you exercise privacy rights

7.3 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@figuchat.com. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • AES-256-GCM encryption for sensitive data (OAuth tokens, webhook secrets)
  • HTTPS/TLS encryption for all data in transit
  • JWT-based authentication with refresh tokens
  • Role-based access control (Master Admin, Admin, Agent roles)
  • bcrypt password hashing with salt rounds
  • Rate limiting to prevent abuse
  • Input validation and SQL injection protection via Prisma ORM
  • XSS protection with DOMPurify in the widget
  • CORS configuration for secure widget embedding
  • Encrypted storage of Gmail OAuth tokens
  • Session management with Redis
  • Environment-based encryption keys
  • Security audits conducted every 6 months
  • Incident response procedures

However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security. We recommend using strong passwords and enabling two-factor authentication where available.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers, including:

  • Standard Contractual Clauses approved by the European Commission
  • Ensuring recipients are in countries with adequate data protection laws
  • Implementing additional security measures where necessary

10. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information.

11. Browser Storage and Tracking Technologies

We use browser storage technologies including:

  • localStorage: To store visitor IDs for cross-tab session persistence
  • sessionStorage: To maintain session data within a single tab
  • Visitor IDs: Domain-specific unique identifiers for chat sessions
  • JWT tokens: Stored securely for authentication

Our widget specifically uses:

  • Domain-isolated visitor IDs to prevent cross-site tracking
  • Fallback mechanisms for incognito/private browsing modes
  • Session persistence across page navigations
  • No cookies used - only browser storage (localStorage/sessionStorage)

You can clear this data through your browser settings. Note that clearing browser data will reset your chat session and you may lose conversation history if not logged in.

12. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

13. AI and Machine Learning

Our use of AI technology involves:

  • OpenAI Integration: We use OpenAI's GPT models for generating responses
  • Data Processing: Conversations are sent to OpenAI for processing
  • Embeddings: We create vector embeddings for semantic search
  • No Training on Your Data: We do not train any AI models with your data
  • Context Limitations: AI responses are limited to the context provided
  • Human Oversight: AI responses can be reviewed and overridden by human agents

Important: AI-generated responses may occasionally be inaccurate. Critical information should be verified by human agents. We track all AI interactions for quality monitoring and cost management.

The AI model selection is managed on our backend to ensure optimal performance and cost efficiency. OpenAI's data processing is subject to their privacy policy and terms of service. We recommend reviewing OpenAI's policies at openai.com/privacy.

14. Shopify App-Specific Information

For Shopify merchants using our app:

  • App Permissions: We request only necessary Shopify API scopes for functionality
  • Webhook Processing: We receive real-time updates about your store events
  • Theme Integration: Widget code is embedded in your storefront
  • Customer Data: We process customer data only as needed for chat support
  • Uninstallation: Data deletion can be requested upon app uninstallation
  • Compliance: We comply with Shopify's Partner Program Agreement

Shopify merchants remain the data controller for their customer data. We act as a data processor and handle data according to your instructions and this privacy policy.

15. Updates to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending email notification for material changes

Your continued use of our Service after changes constitutes acceptance of the updated policy.

16. Contact Information

For questions about this Privacy Policy or our data practices, please contact us:

Figu Chat

Email: viktor@figu.com

Data Protection Officer:
Viktor Khon, CTO
Email: viktor@figu.com

17. Service Availability

- Our Service is currently unavailable to users outside the European Economic Area. Our Service is not available to users in the European Economic Area. We do not actively market to or serve customers in the EU/EEA at this time.