Privacy Policy

Last updated: 06th January 2026

This Privacy Policy explains how Kuide ("Kuide", "we", "us") processes personal data when:
1. Merchants install and use the Kuide Shopify app (the "App"), and
2. Shoppers interact with the Kuide chat widget on a Merchant's Shopify storefront (the "Widget").

This Privacy Policy explains how Kuide ("Kuide", "we", "us") processes personal data when:
1. Merchants install and use the Kuide Shopify app (the "App"), and
2. Shoppers interact with the Kuide chat widget on a Merchant's Shopify storefront (the "Widget").

Kuide is an embedded AI shopping assistant that helps shoppers discover products through natural conversation and provides merchants with attribution and analytics (e.g., "Assisted GMV").

Important: Shoppers use the Widget on a Merchant's website. In most cases, the Merchant is the data controller for Shopper data, and Kuide acts as a data processor on the Merchant's behalf.

1. Who we are

Service name: Kuide (AI Shopping Assistant for Shopify)

Operator / Legal entity: Buffi Oy

Finnish Business ID: 3179864-1

Business address: Hinkantie 2, 37800 Akaa, Finland

Contact email (privacy): privacy@kuide.fi

Support email: support@kuide.ai

2. Scope

This Privacy Policy covers personal data processed by Kuide in connection with:
• the Kuide Shopify App used by Merchants in Shopify Admin, and
• the Kuide Widget embedded in a Merchant's storefront.

This policy does not cover:
• the Merchant's own website practices outside of the Widget, or
• Shopify's processing of personal data as an e-commerce platform.

Please also review the Merchant's privacy policy and Shopify's privacy documentation.

3. Roles: controller vs processor

3.1 Shopper data (Widget conversations)

For Shopper data processed through the Widget (e.g., chat messages, session identifiers, and attribution events), Kuide typically acts as a data processor and the Merchant is the data controller.

That means:
• The Merchant decides why and how Shopper data is processed on their storefront.
• Kuide processes Shopper data to provide the service to the Merchant (recommendations, attribution, and merchant analytics).

3.2 Merchant data (App / admin)

For Merchant account and configuration data (e.g., shop domain, settings, and billing-related identifiers), Kuide acts as a data controller.

4. Information we collect

We design Kuide to operate without requesting direct identifiers from Shoppers (like names or emails). However, some technical and transactional data is necessary to operate the Widget and measure performance.

4.1 Data from Shoppers (via the Widget)

Depending on how the Merchant configures Kuide and how a Shopper uses the Widget, we may process:

A) Conversation data
• Chat messages a Shopper submits to the Widget
• Kuide's responses
• Optional feedback submitted in the Widget (if enabled)

B) Session & device data
• Anonymous session identifier stored locally in the browser (via localStorage)
• Device type (e.g., mobile/desktop)
• Browser and user agent information
• Basic diagnostic or event data necessary to operate the Widget and measure performance

C) Security & abuse-prevention data
• IP address may be processed (e.g., in server logs) for rate limiting, abuse prevention, and troubleshooting.
• Retention: IP/security logs are retained for up to 90 days, unless we need to keep them longer to investigate abuse, security incidents, or comply with legal obligations.

D) Commerce attribution data
• Cart/session linkage identifiers used to connect a Widget session to downstream events
• Recommendation logs (which products were shown/recommended in a session)
• Order attribution signals received via Shopify

Order data minimization: Kuide stores only the information needed for attribution and analytics (e.g., order IDs, line-item/product IDs, and totals). We do not store customer names, emails, phone numbers, or shipping addresses from Shopify order events.

Note: Shoppers may voluntarily include personal information in free-text chat messages. Please avoid sharing sensitive information in chat.

4.2 Data from Merchants (via the App / Shopify)

We may process:
• Shop domain and store identifiers
• App configuration and assistant settings
• Product catalog data needed to provide recommendations (e.g., product titles, descriptions, images, prices, variants, and merchant-provided metadata)
• Generated product metadata (structured attributes for DIY/hardware stores, or text-based metadata fields for general stores)
• Support communications (messages you send us)

4.3 Data we do not intentionally collect

Kuide does not design the Widget to request or require:
• Shopper account passwords
• Payment card information
• Government identification documents

5. How we use information

We process personal data to:

1. Provide the Kuide service
• Understand Shopper intent and context
• Search and reason over the Merchant's catalog
• Provide product recommendations and explanations

2. Operate analytics and attribution
• Track what products were recommended in a session
• Match purchases against prior recommendations to calculate "Assisted GMV"
• Produce analytics for Merchants (e.g., assisted orders, conversion metrics)

3. Maintain and improve Kuide
• Debug issues, monitor reliability, and prevent abuse
• Evaluate recommendation quality and improve prompts, retrieval logic, and metadata

4. Security and legal compliance
• Detect fraud, misuse, or security incidents
• Comply with legal obligations and enforce our terms.

6. Legal bases for processing (EEA/UK)

Where GDPR / UK GDPR applies, legal bases may include:
• Performance of a contract (Merchant data): to provide the App and related services to Merchants.
• Legitimate interests (Shopper data, on behalf of Merchant): enabling the Merchant to provide shopping assistance through the Widget and measure performance (attribution/analytics).
• Consent (where required): for certain tracking technologies or optional features, depending on local law and Merchant configuration.
Merchants are responsible for providing appropriate notices to Shoppers on their storefronts and, where required, collecting consent for local storage / tracking technologies.

7. AI processing and automated recommendations

Kuide uses AI models to generate responses and product recommendations. This may involve sending relevant inputs (e.g., chat messages and product data) to AI service providers.
• Kuide's recommendations are intended to help with product discovery and shopping assistance.
• Kuide does not make decisions that produce legal or similarly significant effects (e.g., credit decisions) about Shoppers.

8. Sharing and disclosure

8.1 Sharing with Merchants

Merchants may access Widget conversations, recommendations, and analytics for their own store as part of providing customer support, reviewing quality, and measuring performance.

8.2 Service providers (subprocessors)

We use third parties to host infrastructure and provide AI processing. Depending on configuration, this may include:
• Google (Gemini API) – AI responses & embeddings
• Anthropic (Claude API) – AI responses
• Neon – database hosting (PostgreSQL)
• Railway – application hosting
• Shopify – app platform, product data access, and order events (webhooks)
We require service providers to protect personal data and process it only for the purposes of providing services to us.

8.3 Legal disclosure

We may disclose information if required by law, regulation, legal process, or enforceable governmental request, or to protect rights, safety, and security of Kuide, Merchants, Shoppers, or the public.

8.4 No sale/sharing for cross-context behavioral advertising

Kuide does not sell personal information and does not share personal information for cross-context behavioral advertising.

9. International data transfers

Kuide may process and store personal data in countries outside the EEA/UK (including the United States), depending on our and our vendors' hosting locations.
Where required, we rely on appropriate safeguards such as:
• Standard Contractual Clauses (SCCs), and/or
• Adequacy decisions and other recognized transfer mechanisms (where applicable).

10. Data retention

We retain personal data only as long as necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law.

• In the Shopper's browser (localStorage): the Widget stores an anonymous session ID for up to 7 days (or until cleared by the user/browser settings).

• Chat transcripts (server/database): we retain Widget chat transcripts for up to 12 months from the end of the conversation (or the last interaction in that conversation), after which we delete them from our primary systems (subject to backups and legal obligations).

• Recommendation and attribution data: we may retain recommendation logs and attribution records (e.g., product IDs recommended, order IDs, line-item/product IDs, totals) while the Merchant uses Kuide and for a reasonable period thereafter for analytics, accounting, security, and dispute resolution, unless the Merchant requests deletion or uninstalls the App.

• IP/security logs: retained for up to 90 days, unless we need to keep them longer to investigate abuse, security incidents, or comply with legal obligations.

11. Security

We implement appropriate technical and organizational measures designed to protect personal data, including:
• Encryption in transit (TLS/HTTPS)
• Access controls and least-privilege permissions
• Secure handling of API keys and secrets
• Logging and monitoring for reliability and incident response
No system is 100% secure. If you believe your data has been compromised, please contact us.

12. Your choices and rights

12.1 Shoppers (Widget users)

Because the Merchant is typically the controller for Shopper data, Shoppers should first contact the Merchant to exercise privacy rights (access, deletion, objection, etc.) related to Widget conversations on that store.

If the Merchant cannot fulfill your request or instructs you to contact us, you may contact Kuide at: privacy@kuide.fi

To help locate your data, include:
• the Merchant's shop domain, and
• approximate date/time of the conversation, and
• any relevant context (e.g., what you asked).

12.2 EEA/UK rights (GDPR / UK GDPR)

Where applicable, individuals may have rights to access, correct, delete, restrict or object to processing, and data portability, and to lodge a complaint with a supervisory authority.

12.3 California and other US state privacy rights

Where applicable, individuals may have rights to know/access, delete, correct, opt out of "sale" or "sharing", and not be discriminated against for exercising privacy rights. Kuide does not sell personal information and does not share it for cross-context behavioral advertising.

13. Cookies, localStorage, and similar technologies

Kuide's Widget uses localStorage to store an anonymous session identifier and support conversation continuity and attribution. We do not intentionally set advertising cookies through the Widget.
However, the Merchant's storefront and Shopify may use cookies and other technologies. Please refer to the Merchant's cookie notice and Shopify documentation.

14. Children's privacy

Kuide is not directed to children and is not intended for use by children. We do not knowingly collect personal data from children.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will revise the "Last updated" date above. Material changes may be communicated through the App, our website, or other appropriate channels.

16. Contact us

For privacy-related questions or requests:
Email: privacy@kuide.fi
Support: support@kuide.ai
Address: Buffi Oy, Hinkantie 2, 37800 Akaa, Finland