Passer au contenu principal

Privacy Policy

Last updated: May 9, 2026

1. Introduction

RecoverlyAI ("we", "our", "us") is committed to protecting the privacy of users of our platform. This privacy policy explains how we collect, use, share, and protect your personal information.

By using RecoverlyAI, you agree to the practices described in this privacy policy. If you do not agree with these practices, please do not use our service.

2. Data We Collect

2.1 Data You Provide to Us

  • Account information: name, email address, password
  • Billing information: payment data (processed by Shopify Billing API)
  • Your Shopify store data: products, orders, abandoned carts
  • Brand preferences and AI settings

2.2 Data Collected Automatically

  • Usage data: pages visited, features used
  • Technical data: IP address, browser type, operating system
  • Cookies and similar technologies (see section 5)

2.3 Data from Shopify (Sensitive Customer Data)

When you install RecoverlyAI on your Shopify store, we access the following data via authorized Shopify APIs (OAuth). We explicitly list the collected fields and their purpose:

  • Customer Data (Level 1) :
    • customer.emailto send the abandoned cart recovery email (primary delivery channel)
    • customer.nameto personalize the email (e.g., "Hi Sarah")
    • customer.phonecollected when present, reserved for the upcoming SMS recovery channel (not active today)
  • Order Data (Level 2) :
    • order.line_itemsto reference the products left in the cart (name + image) in the recovery email
    • order.customer_detailsto adapt the email tone (loyal customer vs. first-time buyer)
  • Store data : Store data: products, abandoned carts, promotions, locales/languages, markets.

All sensitive customer data is encrypted at rest (AES-256-GCM) and is never shared with third parties outside the sub-processors listed in section 4.

3. Use of Data

We use your personal data to:

  • Provide and improve our abandoned cart recovery services
  • Generate personalized emails via our AI
  • Analyze the performance of your campaigns
  • Manage your account and subscriptions
  • Communicate with you regarding the service
  • Comply with our legal obligations
  • Detect and prevent fraud

4. Data Sharing

We never sell your personal data. We share your data only with:

  • Sub-processors :
    • SupabaseSupabase (database hosting, EU eu-west-1 region)
    • AnthropicAnthropic (AI email generation — Claude)
    • OpenAIOpenAI (AI email generation — fallback)
    • ResendResend (recovery email delivery)
    • RailwayRailway (backend API hosting)
    All our sub-processors are GDPR-compliant and bound by data processing agreements.
  • Authorized integrations : Shopify (based on your OAuth connections)
  • Legal obligations : if required by law or to protect our rights

5. Cookies and Similar Technologies

We use cookies to improve your experience. You can manage your preferences via our consent banner.

5.1 Types of Cookies

  • Essential cookies : necessary for the site to function (authentication, security)
  • Analytics cookies : Google Analytics, PostHog (audience measurement with your consent)
  • Marketing cookies : personalization of communications (with your consent)

6. Your Rights (GDPR)

In accordance with the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access : obtain a copy of your data
  • Right to rectification : correct inaccurate data
  • Right to erasure : request deletion of your data
  • Right to data portability : receive your data in a structured format
  • Right to object : object to the processing of your data
  • Right to restriction : restrict the processing of your data
  • Right to withdraw consent : withdraw your consent at any time

To exercise these rights, contact us at contact@recoverlyai.fr. We are committed to responding to any request within a maximum of 30 days in accordance with the GDPR.

6.1 Shopify Merchants: Automated Procedure

Merchants using RecoverlyAI on Shopify may also exercise their rights via Shopify compliance webhooks, which we process automatically:

  • customers/data_requestexport of a customer's data
  • customers/redactdeletion of a customer's data (GDPR erasure)
  • shop/redactdeletion of store data 48 hours after the app is uninstalled

7. Data Retention

We apply strict retention periods based on the nature of the data:

  • User data (merchant account) : retained for the lifetime of the account, then deleted 24 months after the last account activity.
  • Abandoned cart data : retained for up to 90 days after the recovery flow is completed or expires, then automatically purged.
  • Sensitive Shopify customer data (customer.email, name, phone, order.line_items) : deleted immediately upon receipt of a customers/redact webhook from Shopify, and purged 48h after app uninstallation (shop/redact).
  • Billing data : retained for 10 years to meet our legal and tax obligations.
  • Technical logs : retained for a maximum of 90 days.

After account deletion, your personal data is anonymized or deleted within 30 days, unless otherwise required by law.

8. Data Security

We implement appropriate security measures:

  • Encryption of data in transit (TLS/SSL 1.2+) and at rest (AES-256-GCM)
  • Shopify access tokens encrypted at rest with a dedicated master key
  • Secure authentication with password hashing (bcrypt/argon2 via Supabase Auth)
  • Restricted data access following the principle of least privilege
  • HMAC validation of all Shopify webhooks (constant-time comparison)
  • Regular monitoring and auditing of our systems
  • Hosted on secure infrastructure: Supabase (EU region, eu-west-1) and Railway

9. Data Location and International Transfers

Your data is stored in the European Union (Supabase, eu-west-1 region). Our backend API is hosted by Railway (EU region).

Some of our sub-processors may process data outside the EU/EEA (in particular Anthropic and OpenAI for AI generation). These transfers are governed by appropriate safeguards: Standard Contractual Clauses (SCCs) of the European Commission and, where applicable, certification under the Data Privacy Framework (DPF).

10. Changes to This Policy

We may update this privacy policy. In the event of significant changes, we will notify you by email or via a notification on our platform. The date of the last update is shown at the top of this page.

11. Contact

For any questions regarding this privacy policy or the processing of your personal data:

RecoverlyAI
Email : contact@recoverlyai.fr
Data Protection Officer: contact@recoverlyai.fr

You also have the right to lodge a complaint with the relevant supervisory authority in your country (in France: the CNIL — Commission Nationale de l'Informatique et des Libertés) if you believe that the processing of your data does not comply with applicable regulations.

Terms of ServiceBack to home