Privacy Policy

Last updated: February 28, 2026

1. Who We Are

aserva AI ("aserva", "we", "us", or "our") operates the aserva AI customer service platform, available at https://aserva.io and as a Shopify application. This policy explains how we collect, use, share, and protect information in connection with our services.

2. Information We Collect

2.1 Information You Provide

  • Account registration data: name, email address, company name.
  • Billing information (processed by Stripe or Shopify Billing — we never store raw card numbers).
  • Knowledge base content you upload or create.
  • Support conversation content entered by you or your customers.

2.2 Information from Shopify

When you connect your Shopify store, we access the data permitted by your OAuth scopes: orders, customers, products, returns, and theme assets. We use this data solely to power the customer service features you have enabled.

2.3 Information from Your Customers

When your customers use the aserva chat widget, we collect: messages sent, any images uploaded, session identifiers, and basic browser/device metadata. We act as a data processor on behalf of your organization (the data controller) for this data.

2.4 Automatically Collected Data

  • Usage analytics: pages visited, features used, API call patterns.
  • Log data: IP addresses, request timestamps, error reports.
  • Cookies and session tokens for authentication.

3. How We Use Your Information

  • To provide, operate, and improve the aserva platform.
  • To generate AI-powered responses and suggestions using the conversation content you process through our service.
  • To send transactional emails (e.g., account verification, billing receipts, GDPR notifications).
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations.
  • To analyze aggregate, anonymized usage trends to improve our product.

We do not sell your data or your customers' data to third parties. We do not use your customers' support conversation data to train general-purpose AI models without explicit consent.

4. AI Processing

aserva uses large language models (including OpenAI GPT-4o and Kimi) to process messages and generate responses. Messages sent through the platform may be transmitted to these third-party AI providers for inference. We use API-access agreements with these providers that prohibit them from using your data to train their models.

Uploaded images are analyzed by OpenAI's Vision API. Images are not stored permanently by our AI providers.

5. Data Sharing

We share data only in the following circumstances:

  • Service providers: Supabase (database), Vercel (hosting), Upstash (caching), Pinecone (vector search), OpenAI and Kimi (AI inference), Stripe (payments), Shopify (commerce platform). Each operates under a data processing agreement.
  • Legal requirements: When required by law, court order, or to protect rights and safety.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with appropriate notice.

6. Data Retention

  • Active account data is retained for the duration of your subscription.
  • Conversation data is retained for 12 months by default. You may configure shorter retention in your settings.
  • Conversations resolved more than 90 days ago are archived (soft-closed) automatically.
  • After account deletion, personal data is purged within 30 days, except where retention is required by law.

7. GDPR — Rights of EU/EEA Data Subjects

If you are located in the European Economic Area, you have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you.
  • Rectification: Correct inaccurate data.
  • Erasure: Request deletion of your data ("right to be forgotten").
  • Portability: Receive your data in a machine-readable format.
  • Objection: Object to certain types of processing.
  • Restriction: Request that we limit processing in certain circumstances.

To exercise any of these rights, contact us at privacy@aserva.ai. We will respond within 30 days.

For Shopify merchants: GDPR data deletion and portability requests from your customers are handled automatically via Shopify's mandatory GDPR webhooks (customers/redact, shop/redact, customers/data_request).

8. CCPA — California Residents

California residents have the right to know what personal information we collect, request deletion, and opt out of the "sale" of personal information. We do not sell personal information. To submit a request, contact privacy@aserva.ai.

9. Data Security

We protect your data using industry-standard measures including:

  • AES-256 encryption for integration credentials at rest.
  • TLS 1.2+ for all data in transit.
  • Row-level security enforced at the database layer (multi-tenant isolation).
  • HMAC signature verification on all incoming webhooks.
  • Rate limiting and input sanitization on all API endpoints.

No system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to security@aserva.ai.

10. Cookies

We use strictly necessary cookies for authentication sessions. We do not use advertising or tracking cookies. You may disable cookies in your browser, but this will prevent you from logging in to the dashboard.

11. Children's Privacy

aserva is not directed to children under 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will delete it promptly.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or by posting a notice in the dashboard at least 14 days before the change takes effect. Continued use of the service after that date constitutes acceptance.

13. Contact

For privacy-related questions or to exercise your rights:

aserva AI
Email: privacy@aserva.ai