Privacy Policy

Effective date: April 12, 2026

Last updated: April 12, 2026

Corvify ("we", "us", "our") is a Shopify application operated by Orbilyte. This Privacy Policy explains how we collect, use, store, and protect information when you install and use the Corvify app ("the App") on your Shopify store.

1. Information We Collect

1.1 Store Information

When you install the App, we access and store the following data through the Shopify API:

• Shop domain (e.g., your-store.myshopify.com)
• Shop profile data (store name, currency, locale, plan)
• Session tokens for authenticated API access

1.2 Data Accessed at Request Time (Not Stored)

When you interact with the AI agent, it may read the following data from your Shopify store in real time. This data is not persisted in our databases — it is used only to generate a response within your chat session:

• Theme files (Liquid templates, CSS, JavaScript)
• Product information (titles, descriptions, prices, variants, images)
• Metaobjects and metaobject definitions
• Online store pages, blog posts, and articles
• Order data (order number, status, line items, totals)
• Legal policies (Privacy Policy, Terms of Service, etc.)
• Customer information associated with orders (name, email, address) — displayed in chat responses only, never written to disk

1.3 Chat Conversations

Messages you send to the AI agent and the agent's responses are stored in our database to maintain conversation context and provide an audit trail of actions taken on your store.

1.4 Token Usage Data

We record aggregated token usage (input/output token counts per request) for billing and rate-limiting purposes. This data does not contain conversation content.

1.5 Custom Database Tables

If you use Corvify's custom data table feature, the data you create is stored in a dedicated PostgreSQL database. Each merchant's data is isolated via row-level security policies.

1.6 Bring Your Own Key (BYOK)

Growth and Scale plan users may optionally provide their own Anthropic API key. If provided, this key is encrypted using AES-256-GCM before storage and is only decrypted at request time to make API calls on your behalf.

2. How We Use Your Information

• AI-Powered Store Management: Your store data is sent to the Anthropic Claude API to generate intelligent responses, code modifications, and store management actions.
• Conversation History: Chat messages are stored to maintain context across sessions and provide an audit trail.
• Billing: Token usage is tracked to enforce plan limits and calculate usage.
• Service Improvement: Aggregated, anonymized usage patterns may be used to improve the App.

3. Third-Party Services

We share data with the following third-party services as necessary to operate the App:

We do not sell, rent, or trade your personal information to any third parties for marketing purposes.

4. Data Security

We implement the following security measures to protect your data:

• Encryption in Transit: All data transmitted between your browser, our servers, and third-party APIs uses TLS encryption.
• Encryption at Rest: BYOK API keys are encrypted using AES-256-GCM.
• Row-Level Security: Custom JSONB database tables are isolated per merchant using PostgreSQL row-level security policies.
• Parameterized Queries: All database queries use parameterized statements to prevent SQL injection.
• Session Authentication: All API requests are authenticated via Shopify session tokens.

5. Data Retention and Deletion

5.1 During Active Use

Your data is retained for as long as the App is installed on your Shopify store.

5.2 Upon Uninstallation

When you uninstall the App, all of your data is immediately and permanently deleted, including:

• Chat conversations and messages
• Token usage records
• Agent action logs
• Custom database tables (dropped entirely)
• Shop profile and session data
• Encrypted BYOK keys

As an additional safety measure, Shopify sends a shop/redact webhook 48 hours after uninstallation, which triggers a second cleanup pass to ensure no data remains.

5.3 Customer Data Requests

Corvify does not persistently store identifiable customer data. Order details (including customer names and emails) are read from the Shopify API at request time and displayed only within the chat interface. If a customer data request or redaction request is received via Shopify's GDPR webhooks, we acknowledge it and confirm that no customer data is stored in our systems.

6. Your Rights

You have the right to:

• Access: Request a copy of all data we hold about your store.
• Deletion: Request deletion of all your data at any time by uninstalling the App or contacting us.
• Portability: Request your data in a machine-readable format.
• Rectification: Request correction of inaccurate data.

7. GDPR Compliance

For merchants and customers in the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR). Our lawful basis for processing data is:

• Contract Performance: Processing necessary to provide the App's services (Article 6(1)(b)).
• Legitimate Interest: Aggregated usage analytics to improve the App (Article 6(1)(f)).

8. CCPA Compliance

For merchants in California, we comply with the California Consumer Privacy Act (CCPA). We do not sell personal information. You may exercise your rights under the CCPA by contacting us at the address below.

9. Children's Privacy

The App is designed for use by Shopify merchants (business users) and is not directed at children under 16. We do not knowingly collect data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the App or by email. The "Last updated" date at the top of this policy indicates when the most recent changes were made.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

• Company: Orbilyte
• Email: support@corvify.com
• Website: https://corvify.com