Privacy Policy

App: DeepThink Chatbot
Company: 2SumTech LLC
Effective date: Jan. 28, 2026

Contact: 2sumtechllc@gmail.com

1. Overview

This Privacy Policy explains how 2SumTech LLC (“we”, “us”, “our”) collects, uses, discloses, and safeguards information when you install or use DeepThink Chatbot (the “App”) in connection with your Shopify store, and when customers or visitors interact with experiences powered by the App.

The App is intended for Shopify merchants (“Merchants”). Merchants control how the App is configured and what data is processed for each store. Merchants are responsible for providing appropriate notices to customers and ensuring they have the right to process customer data through the App.

Data minimization: We process the minimum personal data required to provide the App’s features, and we encourage Merchants to enable only the features they need.

2. Information We Process

2.1 Merchant and Store Information

  • Store identifiers (e.g., shop domain, store ID), installation details, and tokens necessary to connect to Shopify APIs.
  • Merchant contact details (e.g., name, email) if available through Shopify or provided by you for support.
  • App configuration data (e.g., chatbot settings, enabled features, content sources, prompt/settings).

2.2 Customer / End-User Information (Only If Enabled and Needed)

Depending on Merchant configuration, the App may process certain customer or end-user information to provide features such as order status answers, policy FAQs, and support workflows.

  • Chat content (messages submitted by customers or staff through the App UI).
  • Order and fulfillment data (e.g., order number, order status, fulfillment tracking) when a feature requires it and the Merchant has granted the necessary Shopify permissions/scopes.
  • Customer identifiers (e.g., email) only if the Merchant enables features that require it (such as capturing a customer email, tying a conversation to an order, or follow-up support).

2.3 Merchant Content Used for Answers

  • FAQ / policy content provided or selected by the Merchant (e.g., refund/shipping policies, store pages, help articles).
  • Knowledge base content uploaded or connected by the Merchant, if the App supports it.

2.4 Technical, Security, and Usage Data

  • Operational logs (e.g., timestamps, request IDs, high-level request/response metadata, error logs) to operate and secure the App.
  • Device and browser data (e.g., IP address, user agent) as part of standard web requests.
  • Analytics events (if enabled) to understand feature usage and improve the App. We avoid collecting sensitive content in analytics where feasible.

3. Purposes for Processing

We process the information described above to:

  • Provide, operate, and maintain App features (e.g., answer policy questions, assist with order status inquiries).
  • Authenticate with Shopify and perform actions requested by the Merchant within the scopes granted during installation.
  • Provide support to Merchants, communicate service messages, and respond to inquiries.
  • Improve reliability and safety (e.g., monitoring, debugging, preventing abuse, investigating issues).
  • Detect, prevent, and address fraud, misuse, and security incidents.

Purpose limitation: We only process personal data for the purposes described in this Privacy Policy (or as otherwise instructed by the Merchant through App settings and Shopify scopes).

4. Sharing and Disclosure

We do not sell personal information and do not share personal information for cross-context behavioral advertising. We share information only as needed to run the App and provide its features.

4.1 Service Providers

We may share information with trusted service providers that help us host, operate, secure, and improve the App. Examples include:

  • Shopify: Core platform APIs, authentication (OAuth), app installation, and (if applicable) billing and webhooks.
  • Railway: Hosting and running the app services.
  • PostgreSQL: Storing app configuration, merchant content, and conversation records/metadata.
  • OpenAI: Generating chatbot responses based on merchant-approved content and/or user messages (as configured by the merchant).

4.2 Legal and Safety

We may disclose information if required by law or legal process, or if we believe disclosure is necessary to protect our rights, protect users, investigate fraud, or respond to a lawful request.

4.3 Business Transfers

If we are involved in a merger, acquisition, financing, or sale of all or a portion of our business, information may be transferred as part of that transaction subject to appropriate confidentiality safeguards.

5. Consent and Merchant/Customer Choices

5.1 Merchant Agreements

Merchants control whether customer data is processed through the App by enabling/disabling features and granting Shopify API scopes. By installing and using the App, Merchants agree to this Privacy Policy and are responsible for obtaining any required consents from customers (for example, where local law requires consent for certain data uses).

5.2 Respecting Customer Consent Decisions

We respect and apply customer choices to the extent they are supported by the Merchant’s configuration and Shopify’s platform capabilities. Where a customer’s request is verified and provided to us by the Merchant, we will assist the Merchant in fulfilling it.

  • Access, correction, deletion: Customers should contact the Merchant (the store owner). We support Merchants in fulfilling verified requests.
  • Optional features: Customer email capture and similar features are disabled unless the Merchant enables them.
  • Non-essential analytics: If used, we provide opt-out or disable options where feasible and avoid using chat content in analytics events where possible.
  • No sale of data: We do not sell personal information and do not share personal information for cross-context behavioral advertising.

5.3 Automated Decision-Making

The App provides informational responses (for example, answering order status or policy questions) and is not intended to make automated decisions that produce legal or similarly significant effects on individuals. If we introduce such functionality in the future, we will provide appropriate notice and, where required, offer opt-out mechanisms.

6. Data Retention

We keep personal data only as long as necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law (for example, for security investigations or compliance).

Default retention schedule

  • Merchant/store configuration data: Kept while the app is installed; deleted within 30 days after uninstall, unless legally required to retain longer.
  • Conversation content (chat messages): Default 30 days, then deleted or anonymized; merchants may request earlier deletion.
  • Order lookup data: Not stored by default; accessed on-demand from Shopify APIs. If stored for troubleshooting, retained up to 7 days.
  • Operational/security logs: Up to 90 days, then deleted or aggregated, unless longer retention is required for security investigations.
  • Backups: Encrypted backups retained up to 35 days on a rolling basis for disaster recovery.

Merchants can request deletion as described in Section 9. If the App is uninstalled, we delete or anonymize store-related data according to the retention schedule above, except where retention is required for legal, security, or operational reasons.

7. Security

We take steps to maintain administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, alteration, or disclosure. No method of transmission or storage is 100% secure, but we take security seriously and maintain a defense-in-depth program appropriate for the App.

7.1 Security Measures

  • We take steps to encrypt data in transit using TLS (HTTPS) for app traffic and API calls.
  • We take steps to encrypt stored data at rest (database and storage) and to keep backups encrypted.
  • We take steps to implement role-based access control (least privilege) for staff access to production systems.
  • We take steps to implement strong authentication for staff (unique accounts, strong passwords, and multi-factor authentication where available).
  • We take steps to implement access logging and audit trails for administrative access to systems containing personal data.
  • We take steps to separate production and non-production environments; test data is not copied from production unless anonymized and approved.
  • We take steps to implement secure development and operational practices, including vulnerability patching and dependency updates.
  • We take steps to implement an incident response process with internal escalation, containment, remediation, and post-incident review.
  • We take steps to implement data loss prevention practices including backup/restore testing and safeguards against accidental deletion.

7.2 Security Incident Response

We maintain an incident response process to triage, contain, investigate, remediate, and document security incidents. Where required by law or contract, we will notify affected Merchants of a confirmed incident involving their store data within a reasonable timeframe, including information about the incident and mitigation steps.

8. International Data Transfers

We may process and store information in countries other than your own, including where our service providers operate. Where required, we rely on appropriate safeguards for cross-border transfers.

9. Requests and Data Deletion

Merchants: You can request deletion of store-related information by contacting us at 2sumtechllc@gmail.com with your Shopify store domain and request details. We may need to verify your identity and store ownership before processing requests.

Customers: If you are a customer interacting with a Merchant’s store, please contact the Merchant directly. The Merchant controls the store and how the App is configured for that store. We support Merchants in fulfilling verified requests.

10. Children’s Privacy

The App is not directed to children, and we do not knowingly collect personal information from children. If you believe a child has provided personal information, please contact us and we will take appropriate steps to delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the “Effective date” above and may provide additional notice as appropriate. Continued use of the App after changes become effective means you accept the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at 2sumtechllc@gmail.com.