Vendora
Legal

Privacy Policy

What we collect, why, and how we protect it.

Last updated: June 12, 2026

Vendora is an AI sales-assistant app for Shopify stores. This policy explains what information we process when a merchant installs Vendora and when a shopper interacts with the storefront widget. We act as a data processor on behalf of the merchant, who remains the controller of their shoppers’ data.

Information we process

  • Store data. When a merchant installs Vendora, we read catalog data (products, variants, collections, pages, blog articles, and store policies) through the Shopify API to power product recommendations.
  • Account data. The store domain, access token, plan, and the merchant’s app configuration (agent name, tone, colors, and similar settings).
  • Conversation data. Messages a shopper sends to the widget and the agent’s replies, so the assistant can hold a coherent conversation and add items to the cart.
  • Order and customer lookup data. When enabled for a store, Vendora may read limited order and customer information to support order-status questions after shopper verification and to link chat-captured leads to existing Shopify customers in the merchant admin. Vendora does not write customer or order data.
  • Usage events. Anonymous interaction events (for example: widget opened, message sent, product viewed, item added to cart) used for merchant-facing analytics. These events never contain message text or personal identifiers.

How we use it

  • To answer shopper questions using only the store’s real catalog.
  • To recommend products and add them to the Shopify cart.
  • To support order-status questions and assisted-order attribution when the merchant has granted the required read-only Shopify permissions.
  • To show merchants aggregate analytics about widget usage.
  • To operate, secure, and improve the service.

We do not sell personal data and we do not use it for advertising.

Subprocessors

We rely on a small number of infrastructure providers to deliver the service:

  • OpenAI — generates embeddings and written chat responses for the storefront assistant.
  • Supabase — hosts our database (catalog, settings, conversations, and analytics events).
  • Railway — hosts the application runtime.
  • Shopify — the platform our app runs on and the source of catalog and cart data.

Data retention

Catalog and configuration data is kept while the app is installed. Conversations and analytics events are retained to provide history and analytics, and are removed on request or when the app is uninstalled and the store record is redacted under Shopify’s GDPR webhooks.

Your choices

  • Merchants can uninstall the app at any time, which stops all processing.
  • Data deletion requests are honored through Shopify’s mandatory privacy webhooks (customer redact, shop redact).

Contact

Questions about this policy? Email info@workrol.com.