Privacy Policy

SaleSense ("we", "us", "our") operates the website at salesense.co and provides an AI-powered sales assistant platform for e-commerce merchants (the "Service"). For the purposes of the EU General Data Protection Regulation (GDPR) and applicable privacy law, SaleSense is the Data Controller of the personal data of merchants and their account holders who use our platform directly.

With respect to personal data of end consumers who interact with a SaleSense chat widget embedded on a merchant's website, SaleSense acts as a Data Processor on behalf of the merchant (who is the Data Controller for that data).

We collect different categories of data depending on how you interact with SaleSense:

2.1 Merchant Account Data

When you create a SaleSense account, we collect:

• Email address and name (for account identity and communications)
• Business/store name and website URL
• Google account information (sub, email, name) — if you sign in with Google
• Hashed password — if you register with email/password (we never store plaintext passwords)
• Billing information — processed by Paddle.com (our Merchant of Record); we do not store card numbers
• API keys and access tokens — encrypted at rest

Legal basis (GDPR): Contractual necessity (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).

2.2 Shopify Integration Data

For Shopify merchants, we receive and store:

• Shop domain and OAuth access token (scoped to: read_products, read_inventory, read_orders)
• Product catalog: titles, descriptions, prices, inventory levels, images, collections
• Order data (when Order Tracking is enabled): order IDs, product handles, and customer email (used only to answer customer queries — never retained separately)

Legal basis: Contractual necessity (Art. 6(1)(b)); Shopify Partner Agreement.

2.3 Chat Widget and Visitor Data

When a visitor interacts with a SaleSense-powered widget on a merchant's website:

• Chat messages (the conversation between the visitor and the AI)
• A randomly generated anonymous session ID stored in the browser's localStorage — not linked to any personal identity
• Email address — only if the visitor voluntarily provides it via an optional email capture form configured by the merchant
• Product interactions: which products were recommended or added to cart during the session

Legal basis: Legitimate interests of the merchant in providing customer service (Art. 6(1)(f)), or consent where required.

2.4 Technical and Usage Data

• IP addresses — used for rate limiting and DDoS protection; not used for tracking
• Server logs — request method, path, response status, timestamp; retained for 30 days
• Conversation analytics — aggregated counts (e.g., conversations per day, sentiment trends) for merchant dashboards

Legal basis: Legitimate interests in security and service improvement (Art. 6(1)(f)).

• To provide, operate, maintain, and improve the Service
• To authenticate your identity and keep your account secure
• To process payments and enforce plan limits
• To send transactional emails (account verification, password reset, billing receipts)
• To generate AI responses to chat messages by sending them to our AI provider (Google Gemini API)
• To provide merchant analytics dashboards (conversation history, sentiment, conversion data)
• To detect, prevent, and respond to abuse, fraud, and security incidents
• To comply with legal obligations

We do not: sell personal data to third parties; use data for behavioural advertising; profile individual end consumers; share data between unrelated merchants; use chat conversations to train AI models without explicit consent.

We share data with the following carefully selected processors:

SaleSense primarily stores and processes data within the EU (Frankfurt, Germany). Where data is transferred to third countries (e.g., the United States for Google APIs), we rely on appropriate safeguards including EU Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c). By using the Service, you acknowledge these transfers.

For UK users, equivalent safeguards apply under UK GDPR and the ICO's International Data Transfer Agreement (IDTA).

• Merchant account data: Retained while your account is active and for 90 days after account deletion to allow recovery and comply with legal obligations.
• Chat conversations: Retained for up to 90 days by default. Merchants may configure shorter retention in their settings.
• Prospect data: Retained for up to 180 days.
• Server logs: Retained for 30 days, then automatically deleted.
• Shopify uninstall: When a Shopify merchant uninstalls the app, all associated data (store credentials, product cache, conversations) is permanently deleted within 48 hours, in compliance with Shopify's mandatory data deletion requirements.
• Billing records: Retained for 7 years to comply with financial and tax regulations.

If you are located in the EU, EEA, or UK, you have the following rights under GDPR / UK GDPR:

• Right of access (Art. 15): You can request a copy of all personal data we hold about you.
• Right to rectification (Art. 16): You can request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): You can request deletion of your personal data, subject to legal retention obligations.
• Right to restriction (Art. 18): You can request that we restrict processing of your data in certain circumstances.
• Right to data portability (Art. 20): You can request your data in a structured, machine-readable format.
• Right to object (Art. 21): You can object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
• Right to lodge a complaint: You may file a complaint with your local Data Protection Authority (DPA). For a list of EU DPAs, visit edpb.europa.eu. For UK residents: ico.org.uk.

To exercise any of these rights, contact us at support@salesense.co. We will respond within 30 days. Identity verification may be required.

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we collect, use, disclose, or sell.
• Right to Delete: You may request deletion of your personal information, subject to exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioural advertising. No opt-out is required.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Service.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email support@salesense.co with the subject line "CCPA Request". We will respond within 45 days.

Categories of personal information collected in the past 12 months: identifiers (email, name); commercial information (subscription plan, billing history); internet activity (chat conversations, product interactions); inferences drawn from the above.

We implement industry-standard technical and organizational security measures to protect your data, including:

• TLS encryption for all data in transit
• Bcrypt hashing for passwords (cost factor 12)
• JWT tokens with short expiry for session management
• CSRF protection on all state-changing requests
• DDoS protection with automatic IP rate limiting and blacklisting
• HMAC signature verification for all Shopify webhooks
• Access controls limiting employee access to customer data

Despite these measures, no system is completely secure. In the event of a data breach affecting your rights and freedoms, we will notify affected users and, where required, the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33).

We use cookies and similar technologies on salesense.co. For full details of which cookies we use, why, and how to manage your preferences, please see our Cookie Policy.

The Service is intended for use by businesses and is not directed at children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at support@salesense.co and we will delete it.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (for account holders) or by displaying a prominent notice on our website at least 30 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

For EU/EEA merchants who require a formal Data Processing Agreement under GDPR Article 28, please contact support@salesense.co with the subject "DPA Request". We will provide a signed DPA incorporating the Standard Contractual Clauses (SCCs) for controller-to-processor transfers.

For any privacy-related questions, requests, or complaints, contact our privacy team:

If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. EU residents may use the EU Online Dispute Resolution platform.