AI Compliance Policy – ShopiBot

How ShopiBot ensures compliance with GDPR, UAE PDPL & EU AI Act

Last updated: October 2025

1. Understanding compliance requirements

GDPR (General Data Protection Regulation)

  • Only minimal and necessary data is processed.
  • Full transparency on how AI and data are used.
  • Users can request access, correction, or erasure via the merchant.
  • All processing is temporary, encrypted, and purpose-limited.

UAE PDPL (Federal Decree-Law No. 45 of 2021)

  • Data is processed solely for legitimate business purposes (chat support, analysis, and personalization).
  • No retention beyond what's required for customer service or until the merchant deletes it.
  • Merchants are the primary contact for access or deletion requests.

EU AI Act

  • Clear disclosure that users are interacting with AI.
  • Systems designed to avoid biased or discriminatory outputs.
  • Transparent logic and explainable responses.
  • Continuous monitoring and safeguards for risk management.

2. Roles in data processing

Shopify Merchants = Data Controllers

  • Determine the purposes and means of processing.
  • Must update their store privacy policy to reflect chatbot use.
  • Are responsible for managing customer data access and deletion requests.

ShopiBot = Data Processor

  • Processes chat-related data only to deliver automated responses and analyses.
  • Implements technical and organizational safeguards to ensure compliance.
  • Does not retain or reuse customer information once the session or business purpose ends.

3. How ShopiBot ensures compliance

Data collection & processing

  • Minimal data — only conversations, messages, emails (if provided), and uploaded photos/images used for AI-based analysis.
  • Purpose-limited — processed strictly for support, analysis, or personalized recommendations.
  • Transparency — users are clearly informed they are interacting with AI.
  • Deletion policy — all data resides in the merchant's Shopify database or Prisma instance until the merchant deletes it.
  • No profiling or advertising use.

Security measures

  • All data transmissions use end-to-end HTTPS encryption.
  • Hosting and processing are performed on Fly.io using industry-grade protections.
  • Payments, if any, are managed via Stripe (PCI-DSS compliant).
  • Restricted access — no human review of individual chats or photos.

4. What data is processed & why

For Merchants (Shopify store owners)

  • Shopify account & billing info: for app installation and subscription.
  • Chatbot configuration data: for personalization and analytics.

For End Users (store customers)

  • Chat messages: analyzed to respond intelligently and contextually.
  • Email (optional): used only for sending personalized guides or follow-ups.
  • Uploaded photos/images: temporarily processed to produce photo or image analysis results (e.g., AI-based suggestions).
  • Conversation history: stored securely in the merchant's Shopify database or Prisma system, until the merchant chooses to delete it.

5. What ShopiBot does not do

  • No storage of chat history on ShopiBot servers beyond processing.
  • No resale, advertising, or third-party sharing of data.
  • No behavioral or cross-site tracking.
  • No analytics derived from customer behavior outside the chatbot context.

6. Deletion & User Rights

  • End Users: may request access, correction, or deletion directly from the merchant.
  • Merchants: can delete conversations, messages, and associated data at any time via their Shopify or Prisma dashboard.
  • ShopiBot automatically deletes all temporary processing data once the interaction is completed or transferred to the merchant's database.

7. Merchant reminder (for your privacy policy)

Disclosure template for your store:

Our store uses ShopiBot AI to provide smart customer support and photo-based recommendations.

  • Conversations, messages, and images are processed only to assist you.
  • No personal data is stored outside our Shopify account.
  • Your information is encrypted and securely managed.
  • We do not use your data for tracking or advertising.

8. Contact

For questions about AI compliance or data handling, contact:

Welcome Middle East FZ-LLC

📧 Email: support@welcomeme.ae

🏢 Dubai, United Arab Emirates