1. Introduction
Cybergine ("we," "our," or "us") operates an AI-powered customer service
platform that enables businesses to create intelligent WhatsApp chatbot
assistants. This Privacy Policy explains how we collect, use, store, share,
and protect your personal data when you use our website, platform, APIs,
and related services (collectively, the "Service").
This policy applies to all users of the Service, including Organisation
administrators, team members, and Customer End Users who interact with
AI Assistants via WhatsApp or other messaging channels.
2. Definitions
- "Personal Data" means any information relating to an
identified or identifiable natural person.
- "Processing" means any operation performed on Personal
Data, including collection, storage, use, and deletion.
- "Data Controller" means the entity that determines the
purposes and means of processing Personal Data.
- "Data Processor" means the entity that processes Personal
Data on behalf of the Data Controller.
- "Organisation" means a business entity that uses our
Service to create and manage AI Assistants.
- "Customer End User" means any person who communicates
with an AI Assistant via WhatsApp or other channels.
3. Data We Collect
We collect different categories of data depending on how you interact with
our Service:
a) Account Data: Name, email address, password (hashed),
organisation name, role, and billing information.
b) Communication Data: Messages sent and received through
WhatsApp and other channels, including message content, phone
numbers, timestamps, and conversation metadata.
c) Knowledge Base Data: Documents, Q&A pairs, and other
content uploaded by Organisations to train their AI Assistants.
d) Product Catalogue Data: Product listings, descriptions, images,
pricing, and inventory information uploaded by Organisations.
e) Usage & Analytics Data: Page views, feature usage, API call
logs, conversation metrics, and performance data.
f) Technical Data: IP addresses, browser type, device
information, operating system, and referral URLs collected
automatically when you access the Service.
4. How We Collect Data
- Directly from you: When you register, configure Assistants,
upload content, or contact support.
- Automatically: Through cookies, server logs, and analytics
when you use the Platform.
- From third parties: Via the WhatsApp Business API (message
delivery data from Meta), Firebase (authentication tokens), and
payment processors.
- From Customer End Users: When they send messages to your
AI Assistants through WhatsApp.
5. Legal Basis for Processing
Under the UK GDPR and EU GDPR, we process your Personal Data based on the
following legal bases:
- Contractual necessity: Processing required to deliver the
Service you have subscribed to (account management, AI response
generation, message delivery).
- Legitimate interest: Service improvement, security
monitoring, fraud prevention, and analytics - where our interests do
not override your rights.
- Consent: Marketing communications, optional cookies, and
any processing for which we specifically request your consent.
- Legal obligation: Compliance with applicable laws,
regulations, court orders, or government requests.
6. How We Use Your Data
- To provide and operate the Service, including AI response generation
- To process and deliver WhatsApp messages between Organisations and
Customer End Users
- To authenticate users and manage account security
- To improve, personalise, and develop new features
- To generate anonymised analytics and business insights
- To detect, prevent, and address fraud, abuse, and security incidents
- To provide customer support and respond to enquiries
- To comply with legal obligations and enforce our Terms of Service
- To send service-related communications (updates, security alerts,
account notifications)
7. AI Processing & Automated Decision-Making
Our Service uses artificial intelligence to process messages and generate
responses. Key information about our AI processing:
- Messages are processed by third-party Large Language Models (LLMs),
including OpenAI's models, to generate responses.
- We use Retrieval-Augmented Generation (RAG) to search your
Knowledge Base and provide contextually relevant answers.
- AI Assistants operate under configured personas but are clearly
automated systems, not human agents.
- We do not use your data to train foundation AI
models. Data sent to LLM providers is for generation
purposes only.
- No fully automated decisions with legal or similarly significant
effects are made without human oversight.
- You have the right to request human review of any AI-generated
decision that affects you.
8. Third-Party Service Providers
We share data with the following categories of service providers who process
data on our behalf:
| Provider | Purpose | Data Processed |
| --- | --- | --- |
| OpenAI | AI response generation | Message content, Knowledge Base excerpts |
| Google Cloud Platform | Hosting, infrastructure, secret management | All service data |
| MongoDB Atlas | Database storage | Account, conversation, and configuration data |
| Elasticsearch | Knowledge base search and RAG | Knowledge Base content, product data |
| Firebase (Google) | Authentication, real-time messaging sync | Authentication tokens, message sync data |
| Shopify | E-commerce platform integration, billing | Product catalogue, store policies, page content, billing subscription state |
| Meta (WhatsApp) | Message delivery via WhatsApp Business API | Phone numbers, message content, delivery status |
All sub-processors are bound by data processing agreements that require
them to protect your data in accordance with applicable data protection laws.
8b. Shopify Integration
When you install Cybergine from the Shopify App Store, we access certain data
from your Shopify store to power the AI assistant. We request only the minimum
permissions (scopes) needed. We do not bulk-sync customer
records or order history - the six scopes below cover store content,
order-status lookup, and anonymous widget conversation summaries.
| Permission | What We Access | Why |
| --- | --- | --- |
| read_products | Product titles, descriptions, prices, images, variants | So the AI assistant can answer product questions and make recommendations |
| read_content | Store pages, blog posts, and FAQ content | To build the knowledge base for answering customer questions about your store |
| read_legal_policies | Refund, shipping, and privacy policy text | So the assistant can accurately communicate your store policies to customers |
| read_orders | Order status and fulfillment details when a customer asks about an order | So the assistant can answer order-status support questions without modifying orders |
| read_metaobjects | Cybergine Chat Session metaobjects created by this app | So the app can confirm anonymous storefront chat summaries are available in Shopify Admin |
| write_metaobjects | Anonymous storefront widget conversation summaries | So merchants can review widget conversation summaries from Shopify Admin |
What we do not access: We do not bulk-sync customer
records, postal addresses, payment details, or full order history.
Order-status data is queried only when needed to answer a support
question and is not stored as a separate order database.
Legal Basis for Processing (GDPR)
We process Shopify store data under the following legal bases as defined by
the UK GDPR and EU GDPR:
- Contractual necessity (Article 6(1)(b)): Processing
product catalogue data, store content, legal policy text, store
identity, order-status data, and app-owned chat-summary
metaobjects is required to deliver the AI
assistant service you have subscribed to. Without this data the
assistant cannot function.
- Legitimate interest (Article 6(1)(f)): Enabling the
Cybergine theme app extension app embed serves your legitimate
interest in providing customers with assisted shopping support. We do
not use this capability for any other purpose.
How We Handle Shopify Data
- Storage: Product catalogues, store pages, and policy
text are synced into our database and search index to power
AI-assisted conversations. Anonymous storefront widget chat
summaries are returned to Shopify Admin as Cybergine Chat Session
metaobjects. Shopify access tokens are encrypted at
rest using Fernet symmetric encryption; the encryption key is
stored in Google Cloud Secret Manager.
- Retention: Shopify data is retained while your app
subscription is active. When you uninstall the app, we perform a
soft delete immediately. After 48 hours, Shopify sends a
shop/redact webhook and we permanently delete all shop data from
both our database and search indexes.
- Billing: Subscription billing is handled entirely
by Shopify. We do not store credit card numbers or payment details.
We only store your subscription status and plan name.
Your GDPR Rights for Shopify Data
As a Shopify merchant using Cybergine, you have the following rights under
GDPR with respect to your store data:
- Right of access: You can request a summary of all
data Cybergine holds about your Shopify store by emailing
privacy@cybergine.com. We will respond within one calendar month.
- Right to rectification: If synced data is inaccurate,
contact support to request a manual resync or correct specific records.
- Right to erasure: You can request deletion of all
your store data by uninstalling the app (which triggers automated
deletion within 48 hours) or by emailing privacy@cybergine.com.
Manual deletion requests are actioned within one calendar month.
- Right to data portability: You can export your
knowledge base and product catalogue from the Cybergine Command Center
at any time.
GDPR Compliance via Shopify Webhooks
We implement Shopify's three mandatory GDPR compliance webhooks:
- Customer Data Request: When a customer requests a
copy of their data, we search our records and send a summary report
to our compliance team within one calendar month.
- Customer Data Erasure: When a customer requests
deletion of their data, we anonymise conversation records and
permanently delete message content, analytics, and real-time chat
data associated with that customer.
- Shop Data Erasure: 48 hours after you uninstall
the app, we permanently delete all data associated with your shop -
including products, knowledge base, conversations, messages,
analytics, search indexes, and widget configurations. No trace of
your shop remains in our primary database.
All GDPR webhook requests are verified using HMAC-SHA256 signatures to
prevent unauthorised data access or deletion. Processing is logged to a
tamper-evident audit trail.
Data Controller for Shopify integration data:
Cybergine is the data controller for all Shopify store data processed
through this integration. For privacy questions, data access requests,
or deletion requests, contact us at privacy@cybergine.com.
We will respond within one calendar month of receipt.
9. WhatsApp Business API Compliance
When you use our WhatsApp integration:
- Message data is transmitted through Meta's WhatsApp Business API
infrastructure, subject to Meta's own privacy policies.
- Cybergine manages WhatsApp phone numbers on behalf of your Organisation.
Phone number custody and portability upon termination are subject to
Meta's policies.
- Customer End Users must opt in to receive messages in accordance with
WhatsApp's business messaging policies.
- Message content is processed to generate AI responses and is stored
in our systems for conversation history and analytics.
10. Multi-Tenant Data Isolation
Cybergine operates a multi-tenant architecture where multiple Organisations
share the same infrastructure. We implement logical data separation to ensure
that each Organisation's data - including conversations, Knowledge Base content,
product catalogues, and user information - is isolated and not accessible by
other tenants. Access controls are enforced at the application level to prevent
cross-tenant data exposure.
11. Data Retention
We retain your data for as long as necessary to fulfil the purposes described
in this policy:
- Account data: Retained for the duration of your account
plus 30 days after account deletion.
- Conversation history: Retained while your account is
active. Configurable retention periods may be available per
Organisation.
- Knowledge Base data: Retained until deleted by the
Organisation or upon account termination.
- Analytics data: Aggregated analytics retained for up to
2 years. Individual usage logs retained for up to 12 months.
- Audit logs: Retained for up to 7 years for security
and compliance purposes.
- Billing records: Retained for up to 7 years as required
by financial regulations.
Upon account termination, you have a 30-day grace period to export your
data before it is permanently deleted.
12. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data transmitted between
your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored in our databases is
encrypted at rest using industry-standard encryption.
- Secret management: Credentials and API keys are managed
through Google Cloud Secret Manager.
- Access controls: Role-based access control (RBAC)
limits access to data based on user roles and responsibilities.
- Audit logging: Security events are logged and monitored
for anomalous activity.
- Regular reviews: We conduct periodic security
assessments of our infrastructure and application.
While we take reasonable precautions to protect your data, no method of
electronic storage or transmission is 100% secure. We cannot guarantee
absolute security.
13. International Data Transfers
Our primary infrastructure is hosted in Europe (Google Cloud europe-west1).
However, some data processing may involve transfers to countries outside the
UK and European Economic Area (EEA), particularly:
- OpenAI API calls: Message content may be processed in
the United States for AI response generation.
- Meta/WhatsApp: Message delivery infrastructure operates
globally.
Where data is transferred outside the UK or EEA, we ensure appropriate
safeguards are in place, including Standard Contractual Clauses (SCCs),
adequacy decisions, or other legally recognised transfer mechanisms.
14. Your Rights (GDPR)
Under the UK GDPR and EU GDPR, you have the following rights regarding
your Personal Data:
- Right of access: Request a copy of the Personal Data we
hold about you.
- Right to rectification: Request correction of inaccurate
or incomplete data.
- Right to erasure: Request deletion of your Personal Data
(subject to legal retention requirements).
- Right to restriction: Request that we limit how we
process your data in certain circumstances.
- Right to data portability: Receive your Personal Data in
a structured, machine-readable format.
- Right to object: Object to processing based on legitimate
interest or for direct marketing purposes.
- Right regarding automated decisions: Not be subject to
decisions based solely on automated processing that produce legal
effects.
To exercise any of these rights, contact us at privacy@cybergine.com.
We will respond within one calendar month. You also have the right to
lodge a complaint with a supervisory authority, including the UK
Information Commissioner's Office (ICO).
15. Your Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the
California Consumer Privacy Act (CCPA) and California Privacy Rights Act
(CPRA):
- Right to know: Request disclosure of the categories and
specific pieces of Personal Data we have collected.
- Right to delete: Request deletion of your Personal Data.
- Right to opt out of sale: We do not sell your Personal
Data to third parties.
- Right to non-discrimination: We will not discriminate
against you for exercising your privacy rights.
16. Cookies & Tracking
We use cookies and similar technologies to operate and improve the Service:
- Essential cookies: Required for authentication, session
management, and security (e.g., Flask session cookies, CSRF tokens).
- Authentication tokens: Firebase authentication tokens
for user session management.
- Analytics cookies: Used to understand how you interact
with the Platform and to improve our Service.
We do not use third-party advertising or tracking cookies. You can manage
your cookie preferences through the cookie consent banner or your browser
settings. Disabling essential cookies may affect the functionality of the
Service.
17. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not
knowingly collect Personal Data from children. If you believe that a child
has provided us with Personal Data, please contact us at
privacy@cybergine.com and we will take steps to delete such
information promptly.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in
our practices, technology, legal requirements, or other factors. When we
make material changes:
- We will notify you via email or an in-app notification at least 30 days
before the changes take effect.
- The "Effective Date" at the top of this page will be updated.
- Continued use of the Service after the effective date constitutes
acceptance of the updated policy.
We encourage you to review this policy periodically.
Questions about your privacy? privacy@cybergine.com