Privacy Policy
Effective July 2, 2026
1. Who we are
Cobay is operated by Cobay Technology Private Limited(“Cobay”, “we”, “us”). Cobay is an AI assistant that merchants embed on their Shopify store to help shoppers discover products (sales) and answer questions about orders, shipping, and returns (support). Contact: privacy@cobay.com.
2. Scope & our role
This policy covers two groups: (a) merchants who sign up for Cobay, and (b) shopperswho interact with the Cobay assistant on a merchant’s store. For shopper personal data, the merchant is the data controller and Cobay acts as a data processor on the merchant’s behalf (see our Data Processing Agreement).
3. Personal data we process
From shoppers:
- The messages a shopper sends to the assistant.
- A persistent, randomly-generated web session identifier stored in the shopper’s browser, used to remember the conversation.
- Only when a shopper looks up an order: the email or phone number used to find the order, and that order’s status and tracking information.
- A short, AI-generated summary of the shopper’s stated preferences and goals (“memory”), so the assistant can be helpful across visits.
From merchants:
- Account details (name, email) and store domain.
- Shopify access credentials (stored encrypted) used to read products and look up orders.
- Product catalog and knowledge-base content the merchant connects.
4. How we use it
We use this data solely to provide the assistant: answering questions, recommending products, looking up order status, and maintaining per-shopper memory so the experience is coherent. We do not sell personal data, and we do not use shopper personal data to train AI models.
5. Service providers (sub-processors)
We share data only with the providers needed to run the service, each bound by data-protection terms:
- Anthropic — powers the assistant’s responses.
- OpenAI — generates search embeddings for products and knowledge.
- Supabase — database, authentication, and storage.
- Vercel — application hosting.
- Upstash — short-lived caching and rate limiting.
- Shopify — the source of product and order data.
- Sentry — error monitoring. PostHog — product analytics.
A current list is available on request at privacy@cobay.com.
6. Retention
- Order data is fetched live from Shopify and cached only briefly (about 60 seconds); it is not stored long-term.
- Conversations and shopper memory are retained while the merchant’s account is active, and deleted on request or when the account is closed.
- Merchant account data is retained for the life of the account.
7. Security
We encrypt data in transit (TLS) and at rest, store third-party credentials encrypted, isolate each merchant’s data with database row-level security, restrict staff access, and rate-limit our APIs. We maintain a security incident-response process and will notify affected merchants of a personal-data breach without undue delay.
8. International processing
Cobay’s primary database is hosted in India; our AI and infrastructure providers may process data in the United States and the European Union. Where required, transfers rely on appropriate safeguards such as Standard Contractual Clauses.
9. Your rights
Depending on your location (e.g. GDPR, CCPA), you may have rights to access, correct, delete, port, or object to the processing of your personal data. Shoppers should contact the store (the controller); the store can action requests through Cobay. Merchants or anyone else can reach us at privacy@cobay.com.
10. Children
Cobay is not directed to children under 16 and we do not knowingly collect their personal data.
11. Changes
We will post updates to this policy here and revise the effective date above.