Privacy Policy

Kepler AI Chat ("Kepler," "we," "our," or "us") provides an AI-powered customer service and sales automation platform for Shopify merchants. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our service.

By using Kepler, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

Key Definitions:

• "Merchant" refers to the Shopify store owner who installs and uses Kepler
• "End User" or "Visitor" refers to customers who interact with the chatbot widget on a Merchant's store
• "Service" refers to Kepler AI Chat application and all related features
• "Personal Data" means any information relating to an identified or identifiable person

Our Service automatically collects certain information when you use it:

• Cookies and Similar Technologies: Session cookies for authentication, preference cookies for settings
• Analytics Data: Performance metrics, error logs, AI model usage statistics
• API Usage: Requests made to our API, response times, error rates
• Integration Data: Data synced from third-party services (Shopify)

We use the collected information for the following purposes:

• Provide the Service: Operate the chatbot, process conversations, generate AI responses, manage human handoffs
• Personalization: Tailor chatbot responses based on visitor behavior, preferences, and history
• Product Recommendations: Suggest relevant products using AI analysis of browsing patterns and cart contents
• Smart Discounts: Offer personalized discounts based on customer segmentation and behavior
• Cart Recovery: Detect abandoned carts and trigger proactive engagement
• Analytics & Insights: Provide merchants with dashboards, reports, and performance metrics
• AI Training: To train AI models to offer customer service and sales support on Merchants' stores, and to improve the chatbot's performance and accuracy
• Customer Support: Respond to inquiries, troubleshoot issues, provide technical assistance
• Security & Fraud Prevention: Detect and prevent unauthorized access, abuse, and fraudulent activity
• Legal Compliance: Comply with applicable laws, regulations, and legal processes
• Service Improvements: Develop new features, optimize performance, fix bugs

We use conversation data to improve our AI models. However:

• Personal identifiable information (names, emails, addresses) is anonymized or removed before training
• Data is aggregated across multiple stores to identify patterns, not individual behaviors
• Sensitive information (payment details, passwords) is never used for training
• Merchants can opt out of contributing their data for AI training in settings

We do not sell your personal data. We may share information in the following limited circumstances:

4.1 Service Providers

We work with third-party service providers who perform services on our behalf:

• AI Providers: OpenAI (GPT-4), Anthropic (Claude), Google (Gemini) for AI processing
• Hosting & Infrastructure: Cloud hosting providers for data storage and processing
• Real-Time Communication: For WebSocket connections and live updates
• Payment Processing: Shopify Billing for subscription management
• Email Services: Email delivery services for notifications and support

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.2 Shopify Platform

As a Shopify app, we integrate with Shopify's platform to access your store data. Data sharing with Shopify is governed by:

• Shopify's API Terms of Service
• Your Shopify store's privacy settings
• Explicit permissions you grant during app installation

4.3 Legal Requirements

We may disclose your information if required by law, such as:

• Responding to subpoenas, court orders, or legal processes
• Protecting our rights, property, or safety, or that of our users
• Investigating fraud, security incidents, or violations of our Terms
• Complying with GDPR, CCPA, or other privacy regulations

4.4 Business Transfers

If Kepler is acquired, merged, or undergoes a business reorganization, your information may be transferred to the successor entity. You will be notified via email of any such change.

We implement industry-standard security measures to protect your data:

• Encryption: All data transmitted between your browser and our servers uses TLS encryption
• Database Security: Data at rest is encrypted using AES-256 encryption
• Access Controls: Role-based access control (RBAC) limits who can access data
• Authentication: Multi-factor authentication (MFA) for admin accounts
• Monitoring: 24/7 security monitoring, intrusion detection, and logging
• Backups: Regular automated backups with geographic redundancy
• Penetration Testing: Regular security audits and vulnerability assessments
• Data Isolation: Multi-tenant architecture with strict data isolation between merchants

However, no system is 100% secure. If we become aware of a data breach, we will notify affected users within 72 hours as required by GDPR.

We retain your information for as long as necessary to provide the Service and comply with legal obligations:

• Active Accounts: Data is retained while your account is active
• Chat History: Deleted immediately after you uninstall the app.
• Analytics Data: Deleted immediately after you uninstall the app.
• Billing Records: Financial records are retained for 7 years as required by tax laws
• Account Deletion: If you request to delete your you delete your account, most data is deleted within 30 days
• Legal Hold: Data may be retained longer if required for legal disputes or compliance

If you are located in the European Economic Area (EEA), you have additional rights under GDPR:

• Right to be informed about data collection
• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making and profiling

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal data is collected
• Right to delete personal data
• Right to opt out of the sale of personal data (we do not sell data)
• Right to non-discrimination for exercising your rights

We use cookies and similar technologies to provide and improve our Service:

8.1 Types of Cookies We Use

• Essential Cookies: Required for authentication and basic functionality (cannot be disabled)
• Session Cookies: Maintain your session ID and conversation continuity
• Preference Cookies: Remember your settings (language, theme, widget position)

8.2 Managing Cookies

You can control cookies through your browser settings. However, disabling essential cookies may prevent the Service from functioning properly.

Most browsers allow you to:

• View and delete existing cookies
• Block third-party cookies
• Block all cookies (not recommended)
• Delete cookies when you close your browser

Our Service integrates with third-party AI providers to power the chatbot:

• OpenAI: See OpenAI Privacy Policy
• Anthropic (Claude): Alternative AI model for certain responses. See Anthropic Privacy Policy
• Google (Gemini): Additional AI capabilities. See Google Privacy Policy

Important: When conversation data is sent to these AI providers for processing, it is subject to their respective privacy policies. However:

• We have agreements with these providers to not use our data for training their models
• Conversations are processed in real-time and not stored by the AI providers
• Sensitive data (passwords) is filtered before sending to AI providers

Kepler operates globally. Your data may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws than your country.

When we transfer data internationally, we ensure appropriate safeguards are in place:

• EU-US Data Privacy Framework: For transfers to the United States
• Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
• Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
• Data Processing Agreements: Contracts with service providers ensuring GDPR compliance

Kepler is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us via the contact form on the website. We will delete such information from our systems.

Merchants are responsible for ensuring their store complies with applicable children's privacy laws (such as COPPA in the United States).

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.

When we make material changes:

• We will notify you via email (if you have an account)
• We will display a prominent notice in the dashboard
• We will update the "Effective Date" at the top of this page
• We may require you to accept the new policy to continue using the Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us via in-app ticketing system or if you are a non-user, please contact us via the contact form on the website.:

Response Time: We aim to respond to all privacy requests within 3 days. For complex requests, we may extend this period by an additional 30 days and will notify you.

Canadian users have rights under PIPEDA to access, correct, and challenge data accuracy. Contact the Office of the Privacy Commissioner of Canada for assistance.