Zoomifi - Bought Together AI Privacy Policy
Zoomifi - Bought Together AI (“the App”) is provided by Zoomifi to merchants who use Shopify to power their stores. The App generates "frequently bought together" product recommendations on storefront product pages by analyzing the co-occurrence of products in past orders. This Privacy Policy explains exactly what data we access, how long we keep it, how we protect it, and what happens when a merchant uninstalls.
1. Information we access
From the merchant's Shopify store
Once a merchant installs the App, we access the following data via Shopify's Admin API and via webhook subscriptions:
| Field | Source | Used for |
|---|---|---|
| Order ID | orders/create webhook + bulk-operations backfill | Idempotency key only — preventing duplicate ingestion of the same order if Shopify redelivers a webhook |
| Order line item product IDs | Same as above | The only recommendation signal — incremented into a per-shop co-occurrence aggregate (e.g. "product A and product B were in the same order N times") |
| Product handles, titles, and image URLs | Admin API | Rendering the recommendation cards on the storefront (link target, label, thumbnail) |
We do not access or store: customer ID, customer name, customer email, customer phone, customer address, billing address, shipping address, line item quantities, line item prices, order monetary fields (subtotal, total, tax, shipping, currency), discount codes, gift cards, payment method, fulfillment status, tracking, cart abandonment data, browsing history, or session data.
The recommendation engine is intentionally customer-anonymous: every shopper visiting a given product page sees the same recommendations. There is no per-customer personalization, and there is no path in our database from any record back to a specific customer.
From the merchant directly
When a merchant signs up, we receive their store name, email address, and any configuration values they enter in the App's admin (recommendation rules, card style). This is standard merchant-account information.
2. Data retention
Order-level data is retained transiently — only long enough to update the co-occurrence aggregate, then deleted. The Order ID is kept for up to 30 days in an idempotency log to prevent duplicate ingestion if Shopify redelivers a webhook (Shopify's redelivery window is 48 hours; the 30-day cap is a wide safety margin), then purged by a daily scheduled command.
The aggregate co-occurrence index — the actual data structure that drives recommendations — contains no personally identifiable information of any kind. It stores only counts: (shop, product A, product B, count). There is no path from a count back to a specific customer or order.
3. How we protect data
- In transit: All Shopify API traffic uses TLS 1.3. Inbound webhooks are HMAC-verified against the Partner App secret before any payload is parsed; invalid signatures return 401. Storefront recommendation requests are signed via Shopify App Proxy HMAC and rejected if the signature is missing or invalid.
- At rest: Database storage is on AWS EBS volumes encrypted with AES-256 using AWS KMS-managed keys. App access tokens are double-encrypted via Laravel's Crypt::encryptString wrapper before being written to MySQL.
- Access control: The application database is on a private subnet with no public IP and no public database port. SSH access is restricted to a single IAM-bounded operator account. All merchant-facing admin actions are gated by Shopify session-token verification — only an authenticated merchant admin session can invoke them.
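The ingestion path described in sections 1 to 3 (HMAC-verify the raw webhook body before parsing, dedupe on Order ID, then touch only line item product IDs) as an added illustration that is not the App's own code. The secret, the sample order and the in-memory store are constructed for the example; Shopify's header format (base64 of HMAC-SHA256 over the raw body in X-Shopify-Hmac-Sha256) is the platform's documented one.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict
from itertools import combinations

# Constructed secret for the example; a deployment reads it from its config store.
APP_SECRET = b"example-partner-app-secret"

def verify_webhook(raw_body: bytes, hmac_header: str, secret: bytes = APP_SECRET) -> bool:
    """Shopify puts base64(HMAC-SHA256(secret, raw body)) in X-Shopify-Hmac-Sha256.
    Verified over the raw bytes, in constant time, before any JSON parsing."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    expected = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(expected, hmac_header)

def sign_webhook(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    # Test-side helper: produce the header value Shopify would send for this body.
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode("ascii")

class CoOccurrenceStore:
    """In-memory stand-in for the idempotency log and the per-shop aggregate.
    A real deployment expires seen order IDs after 30 days; this toy does not."""
    def __init__(self):
        self.seen_orders = set()           # idempotency log: order IDs only
        self.counts = defaultdict(int)     # (shop, product_a, product_b) -> count

    def ingest(self, shop: str, raw_body: bytes, hmac_header: str) -> str:
        if not verify_webhook(raw_body, hmac_header):
            return "401"                   # bad signature: payload never parsed
        order = json.loads(raw_body)
        if order["id"] in self.seen_orders:
            return "duplicate"             # redelivered webhook, not double-counted
        self.seen_orders.add(order["id"])
        # Only product IDs are read; customer, price and quantity fields are ignored.
        product_ids = sorted({item["product_id"] for item in order["line_items"]})
        for a, b in combinations(product_ids, 2):
            self.counts[(shop, a, b)] += 1
        return "ingested"

# Constructed sample payload that carries fields the App deliberately ignores.
SAMPLE_ORDER = json.dumps({
    "id": 1001,
    "email": "shopper@example.com",
    "line_items": [
        {"product_id": 7, "quantity": 2, "price": "10.00"},
        {"product_id": 3, "quantity": 1, "price": "22.00"},
    ],
}).encode()
```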
4. What happens when a merchant uninstalls
When a merchant uninstalls the App, all data associated with their store is deleted within seconds:
- The app/uninstalled webhook fires immediately. Our handler deletes the store row, all co-occurrence rows, all idempotency-log entries, and the cached access token in a single database transaction.
- Shopify's shop/redact webhook fires 48 hours later as a safety net. Our handler performs an idempotent re-purge — a no-op if step 1 succeeded, a backstop if it didn't.
- The customers/redact webhook (fired 10 days after a merchant deletes a specific customer) returns 200 immediately because we don't store any customer-keyed data.
- The customers/data_request webhook returns an empty manifest for the same reason.
5. Sharing of data
We do not sell, rent, or share merchant or customer data with third parties for advertising or marketing purposes. The only third parties that touch the data are infrastructure providers necessary to operate the service:
- Amazon Web Services (compute, database) — covered by AWS's data-processing addendum.
- Shopify (the platform the App is built on) — covered by Shopify's Partner Program data-handling terms.
We may also disclose information when required to do so by law, subpoena, court order, or other legal process, or to protect our legal rights.
6. Your rights
If you are a resident of the European Economic Area, the United Kingdom, California, or another jurisdiction with data-protection rights, you have the right to request access to, correction of, or deletion of personal data we hold about you. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
Data may be stored or processed outside your country of residence, including in the United States and Canada.
7. Changes to this policy
We may update this policy from time to time to reflect changes to our practices or to legal or regulatory requirements. The "Last updated" date at the top of the page reflects the most recent revision.
8. Contact
For any privacy-related question or request, contact us at [email protected].