Privacy Policy

AskZoye is an AI-powered customer service platform for e-commerce stores running on Shopify and WooCommerce. We provide a chat widget that merchants embed on their storefronts so end customers can ask questions about products, orders, shipping, and returns — answered automatically by an AI agent trained on the merchant's catalog and policies.

We act in two distinct roles depending on whose data we're handling:

• Data controller — for merchant account data (the people who sign up for AskZoye, manage their dashboards, and pay us).
• Data processor — for end-customer chat data and store data we process on a merchant's behalf. The merchant decides what is collected, how long it's kept, and what happens to it.

Merchant account data (we are the controller)

• Name, email, password hash, business name, country
• OAuth profile from Google or GitHub if you sign in with one of those providers
• Billing information (handled by Paddle or Safepay — we never store your card details)
• Support tickets, feedback, and email correspondence with our team
• Workspace settings, API keys, integration tokens for Shopify or WooCommerce

End-customer chat data (we process on the merchant's behalf)

• Chat transcripts between the end customer and the AI
• Any details the end customer provides (name, email, order number, etc.)
• Page URL where the chat occurred and a session identifier
• Product, order, and shipping data fetched from the merchant's store APIs

Automatically collected data

• IP address, device type, browser, operating system, referrer
• Cookies and session storage used for authentication and preferences
• Aggregate analytics (page views, feature usage) via Vercel Analytics
• Server and error logs needed to diagnose issues and prevent abuse

We use the data we collect to:

• Provide, maintain, and improve the AskZoye service
• Generate AI responses for end customers using our LLM providers
• Process payments and prevent fraud
• Send service updates, security notices, and (with your consent) product news
• Respond to support requests and bug reports
• Detect, investigate, and prevent abuse, spam, and security incidents
• Comply with legal obligations

Under GDPR, our legal bases for processing are: performance of a contract, our legitimate interests in operating and securing the service, your consent (for marketing emails and non-essential cookies), and compliance with legal obligations.

AskZoye uses large language models (LLMs) from OpenAI and Anthropic to generate answers. When an end customer sends a message, the relevant text — together with retrieved product or order data from the merchant's store — is sent to one of these providers over a zero-retention API endpoint to produce a reply.

We do not allow our LLM providers to train any model on Customer Data. OpenAI and Anthropic contractually commit not to use API inputs or outputs to train their models, and we use endpoints that do not retain content beyond the time needed to return a response.

AI outputs are probabilistic. They may occasionally be inaccurate, incomplete, or out of date. AskZoye is designed to support — not replace — human judgment, and the merchant remains responsible for the information their store presents to customers. We do not use AskZoye to make legal or similarly significant automated decisions about individuals.

We rely on a small set of vetted vendors to run AskZoye. Each one has a Data Processing Agreement in place with us and is bound to confidentiality and security obligations.

We will give merchants at least 30 days' notice before adding or replacing a subprocessor that handles personal data, so you have time to object.

AskZoye is operated from Pakistan, and several of our subprocessors are based in the United States, the European Union, and the United Kingdom. When we transfer personal data across borders, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum where applicable, and a Transfer Impact Assessment to ensure your data receives an equivalent level of protection.

If you are in the EU or UK and would like a copy of the SCCs we have in place with a specific subprocessor, email privacy@askzoye.com.

• Account data: for the lifetime of your account, plus 90 days after cancellation to handle billing reconciliation and reactivation.
• Chat transcripts: retention is configurable by the merchant. By default we keep transcripts for 12 months and then delete them. Merchants can request deletion at any time and we will action it within 30 days.
• Backups: rolling 30-day window, then permanently deleted.
• Billing and tax records: retained for 7 years, or longer where required by tax law.
• Security and audit logs: up to 12 months for incident response.

We protect your data with industry-standard safeguards including TLS 1.3 encryption in transit, AES-256 encryption at rest, scoped API tokens, role-based access control on our internal systems, and least-privilege access for our team. We log administrative actions and review them regularly.

No system is perfectly secure. If we learn of a security incident affecting your personal data, we will notify affected merchants without undue delay and, where required, within 72 hours of discovery.

Depending on where you live, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your data (the “right to be forgotten”)
• Receive a portable copy of your data
• Object to or restrict certain processing
• Withdraw consent for marketing or non-essential cookies at any time
• Lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@askzoye.com and we will respond within 30 days. If you are an end customer chatting on a merchant's storefront, please contact that merchant first — they are the controller of your data.

California residents have additional rights under the CCPA/CPRA, including the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of any “sale” or “sharing” of personal information. AskZoye does not sell personal information.

We use a small number of cookies and similar technologies:

• Strictly necessary: authentication, CSRF protection, load balancing. These cannot be disabled without breaking the service.
• Functional: remember your preferences, such as theme or language.
• Analytics: Vercel Analytics gives us aggregate, privacy-friendly usage stats. We do not use cross-site advertising trackers.

Visitors from the EU and UK will see a cookie banner on their first visit and can adjust their preferences at any time.

AskZoye is built for businesses and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data through AskZoye, contact us and we will delete it.

We may update this Privacy Policy from time to time. When we make material changes, we will notify merchants by email and update the “Last updated” date at the top of this page at least 30 days before the changes take effect. Continued use of AskZoye after that date means you accept the updated policy.