
GDPR Compliance for UpsellAgents AI
Last Updated: April 9, 2026
UpsellAgents AI is committed to compliance with the General Data Protection Regulation (GDPR) and respecting the privacy rights of all users, including merchants and their customers in the European Economic Area (EEA), United Kingdom, and Switzerland.
Our Role Under GDPR
Under GDPR, UpsellAgents AI acts as a Data Processor on behalf of the Shopify merchant, who is the Data Controller. We process data only as instructed by the merchant through their use of the App, and only to the extent necessary to provide our services.
Data We Process
UpsellAgents AI processes the following data categories:
- Product catalog data: Product titles, descriptions, prices, images, and inventory status — used to power AI recommendations.
- Order data: Order ID, order number, items purchased, and order total — used for analytics and sales attribution.
- Visitor session data: Anonymized browsing behavior including pages viewed, products browsed, and chat interactions — used for behavioral analytics and AI personalization.
We do not process personally identifiable information (PII) such as customer names, email addresses, physical addresses, phone numbers, or payment information.
Lawful Basis for Processing
Our processing of data is based on:
- Contractual necessity: Processing is required to provide the services the merchant has requested by installing the App.
- Legitimate interest: Anonymous session analytics help merchants understand and improve their customer experience.
Data Subject Rights
Under GDPR, individuals have the following rights regarding their personal data. Since UpsellAgents AI does not collect PII, most of these rights are addressed by design. However, we fully support merchants in fulfilling data subject requests:
- Right of Access: Merchants can request information about the data we hold related to their store at any time.
- Right to Rectification: If any data we hold is inaccurate, merchants can request correction.
- Right to Erasure: All data is automatically deleted when the App is uninstalled. Merchants may also request deletion at any time by contacting us.
- Right to Restriction of Processing: Merchants may request that we limit how we process their data.
- Right to Data Portability: Merchants may request an export of their data in a machine-readable format.
- Right to Object: Merchants may object to specific processing activities.
To exercise any of these rights, contact us at support@upsellagents.ai. We will respond within 30 days.
Data Storage and Security
All data is stored securely using industry-standard infrastructure:
- MongoDB Atlas: SOC 2 Type II certified, encrypted at rest and in transit.
- Pinecone: SOC 2 Type II certified, used for vector embeddings only (no PII).
- AWS (Amazon Web Services): Application hosting with encryption in transit via TLS.
Data Retention
- Data is retained only for as long as the App is installed on the merchant's store.
- Upon uninstallation, all associated data is permanently deleted — including chat history, session data, analytics, and product data.
- We do not retain backup copies of merchant data after deletion.
International Data Transfers
Data may be processed and stored in the United States. We ensure appropriate safeguards are in place for any cross-border data transfers, including reliance on our data processors' compliance certifications (SOC 2 Type II) and contractual protections.
Sub-Processors
We use the following sub-processors to deliver our services:
- MongoDB Atlas — Database storage (USA)
- Pinecone — Vector embedding storage and search (USA)
- Amazon Web Services (AWS) — Application hosting and CDN (USA)
- Anthropic — AI language model provider (USA)
Shopify GDPR Webhooks
UpsellAgents AI implements all required Shopify GDPR webhooks:
- Customer Data Request: Returns any data we hold related to a specific customer (typically none, as we do not store PII).
- Customer Data Erasure: Deletes any data associated with a specific customer upon request.
- Shop Data Erasure: Deletes all data associated with a store when the App is uninstalled or the store is closed.
Data Breach Notification
In the unlikely event of a data breach that affects merchant data, we will:
- Notify affected merchants within 72 hours of becoming aware of the breach.
- Provide details of the breach, including the nature of the data affected and remediation steps taken.
- Cooperate with merchants in fulfilling their own notification obligations to supervisory authorities and data subjects.
Changes to This Policy
We may update this GDPR Compliance page from time to time. Material changes will be communicated through the App or via email. The "Last Updated" date at the top of this page reflects the most recent revision.
Contact Us
For any GDPR-related questions or data subject requests, contact us at support@upsellagents.ai.