Data & privacy

cobay reads the minimum it needs to sell and support, answers only from that data, and logs every human touch of customer PII. Here's exactly how it works.

Grounded answers, by design

Every answer your agent gives is grounded in your real Shopify data and the knowledge you’ve added. It never invents orders, prices, stock levels, or policies. When a question falls outside what it knows, it says so and hands off to a human — that’s a feature, not a failure.

What cobay reads from Shopify

  • Catalog — products, prices, inventory, and store policies, kept in sync as your store changes.
  • Orders— looked up live so the agent can answer “where’s my order?”, returns, and shipping questions from real order status.

Shopify shows you the exact scope of access when you connect, and you can revoke it at any time from your Shopify admin.

Customer conversations and memory

Conversations are stored so the agent can remember customers — the “one brain” that connects a shopper’s past chats across sessions and devices. That memory exists to serve your customers, and it comes with controls:

  • Audit-logged PII access. When our staff access customer personal data (for example, to debug an issue you report), that access is logged — a Shopify Protected Customer Data requirement we build for, not around.
  • GDPR requests honored automatically. cobay implements Shopify’s mandatory compliance webhooks: customer data requests, customer data deletion, and full shop data deletion are handled without you lifting a finger.
  • Uninstall = deletion. Removing the app stops billing and your data is deleted per our privacy policy.

The paperwork, in plain sight

Everything above is written down where lawyers (and Shopify reviewers) can check it:

A question we haven't answered here?

Email support@cobay.com — privacy questions get a real answer from the team, not a template.