Help Pilot — Privacy Policy
Last updated: 2026-05-28
This policy explains what data Help Pilot ("we", "us") collects when a Shopify merchant installs our app and when a shopper interacts with the chat widget on the merchant's storefront.
1. Data we collect
From the merchant store (with the merchant's permission, via Shopify OAuth):
- Shop domain, contact email, and currency.
- Product catalog data (titles, descriptions, prices, inventory, variants) — read on-demand when a shopper asks a relevant question.
- Order data (order name, email, financial/fulfillment status, line items, tracking) — read only after a shopper completes an email + order-number verification challenge.
- Store policies (refund, shipping, privacy, terms) — read on demand.
From storefront shoppers using the widget:
- Conversation transcripts (the shopper's messages and our assistant's replies).
- An opaque session identifier we set in the shopper's browser sessionStorage so we can group their messages into a single conversation.
- Source IP address (used only for rate limiting and abuse mitigation; not exposed to merchants).
- Locale and language settings (sent by the shopper's browser).
- For order verifications: the email and order number entered during the verification challenge. These are validated against the merchant's Shopify orders and then we retain only the verification status + the matched order's Shopify ID for 30 minutes. The verified email is also stored on the conversation so the merchant can follow up with the shopper if needed.
- For human-handoff requests: if the shopper asks for a human follow-up, the assistant may ask for their email and store it on the conversation alongside a short reason (e.g. "refund dispute"). This is shown only to the merchant in their admin.
2. Data we automatically redact
Before any chat message is written to our database, we run an automatic redaction step that masks sensitive data the shopper may have pasted into the conversation. Specifically:
- Payment card numbers — any 13–19 digit run that passes the Luhn checksum is replaced with [card redacted ****1234] (only the last four digits are kept).
- Card security codes (CVV/CVC/CV2) — masked entirely.
- U.S. Social Security Numbers — masked entirely.
We do not knowingly accept payment card data through the chat widget and the assistant is instructed to refuse to handle it; the redaction layer is defense-in-depth so that pasted data is never persisted in plaintext. Email addresses and order numbers are intentionally preserved because they are required by the order-verification flow.
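The redaction step described above, as an added illustration (this is not Help Pilot's own code): a 13–19 digit run is replaced only when it passes the Luhn checksum, so order numbers and tracking ids of similar length are left intact. The separator handling (spaces or hyphens inside a card number) and the labelled CVV/SSN patterns are assumptions, since the policy does not say how those are detected.

```javascript
// Added example, not the app's own implementation. Masks pasted card data
// before a message is persisted; email and order numbers are untouched.

// Standard Luhn (mod 10) checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13-19 digits, optionally separated by single spaces or hyphens (assumption).
const CARD_CANDIDATE_RE = /\b(?:\d[ -]?){12,18}\d\b/g;
// Labelled security code, e.g. "cvv 123" or "CVC: 1234" (assumption).
const CVV_RE = /\b(cvv|cvc|cv2)\s*[:#]?\s*\d{3,4}\b/gi;
// U.S. SSN in the common dashed form (assumption).
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;

function redactCardNumbers(text) {
  return text.replace(CARD_CANDIDATE_RE, (match) => {
    const digits = match.replace(/[ -]/g, "");
    // Length gate plus Luhn: a 13-digit order number that fails Luhn stays.
    if (digits.length < 13 || digits.length > 19 || !luhnValid(digits)) {
      return match;
    }
    return `[card redacted ****${digits.slice(-4)}]`;
  });
}

// Full pipeline applied to one shopper message before it is stored.
function redactMessage(text) {
  let out = redactCardNumbers(text);
  out = out.replace(CVV_RE, (_m, label) => `${label} [cvv redacted]`);
  out = out.replace(SSN_RE, "[ssn redacted]");
  return out;
}
```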
3. How we use the data
- To answer the shopper's question via OpenAI.
- To show merchants their conversation history in the embedded admin UI.
- To enforce rate limits and per-shop monthly message quotas.
- To bill merchants according to their chosen plan via Shopify-managed pricing.
We do not sell shopper or merchant data to any third party.
4. Third parties we share data with
- OpenAI — we send each shopper's message, conversation context and tool-call results to OpenAI to generate the assistant's response. Merchants can opt into "Bring Your Own Key" mode to send these requests through their own OpenAI account instead. See OpenAI's privacy policy and enterprise data policy for details on their handling.
- Shopify — product, order, policy and shop-info queries flow through the Shopify Admin API on behalf of the merchant.
- Our hosting providers — Fly.io (compute) and Fly Postgres (database).
We never share shopper personal data with the merchant beyond what is necessary to display conversation transcripts in the merchant admin.
5. Retention
- Conversation transcripts: 90 days on Free and Starter plans; 365 days on Pro.
- Verified-order tokens: 30 minutes.
- Verification audit log: 90 days.
- Aggregate per-shop monthly usage counters: 24 months.
Conversations older than the per-plan window are deleted by an automatic sweep that runs at least once per release. Merchants can shorten retention further by uninstalling the app, at which point the Shopify shop/redact webhook triggers full deletion 48 hours later.
6. Mandatory Shopify compliance webhooks
We respond to the three GDPR webhooks Shopify requires of every public app:
- customers/data_request — we acknowledge and provide a summary of any conversations linked to the customer's email.
- customers/redact — we delete any conversation rows that reference the customer's email.
- shop/redact — we delete all merchant and shopper data for the uninstalled shop.
7. Contact
Email privacy@help-pilot.app to request a data export or deletion.