Privacy Policy
What we collect, why, where it goes, and how to delete it.
Effective Date: May 21, 2026
1. Who we are
CrawlWithAI is a Shopify app and accompanying website operated by Shubh Pranamya, a business registered in Mumbai, India. In this policy "we", "us", "our", and "CrawlWithAI" refer to Shubh Pranamya.
Registered office: Shop No. 33, Ashoka Palace, Makrani Pada Road, Malad East, Mumbai 400097, India.
GSTIN: 27AFIFS3251E1Z1.
Contact for privacy, data requests, and complaints: support@crawlwithai.com.
This policy covers what we collect, why, where it goes, and how to delete it. It is written to comply with EU GDPR, UK GDPR, the California CCPA / CPRA, the Indian Digital Personal Data Protection Act 2023, and Shopify's App Store data-protection requirements. Shopify merchants installing the app should also read the Terms of Use and the Data Processing Agreement.
2. What CrawlWithAI does
To make the data flows below readable, here are the six product surfaces:
- AI Mapping. The merchant writes AI-friendly product descriptions and a store identity inside the Shopify admin. Merchant-authored text. No shopper data.
- AI Network. The merchant's catalog is made discoverable to AI shopping agents (ChatGPT, Claude, Cursor, Perplexity, and similar) via public endpoints we host. Public product data only.
- Sales AI widget. Optional storefront chat bubble. Shoppers ask questions; messages flow to Anthropic's Claude API for replies. Available on Pro, Growth, and Network.
- AI Optimizer. Scores product pages on AI-readiness inside the admin. No shopper data.
- AI Orders + Attribution. When a Shopify order is placed, we record which AI source (if any) drove the visit. Used for revenue reporting and commission billing. We never store the customer's name, email, address, or payment details.
- Multi-Protocol Reach. The merchant's catalog is exposed via MCP, A2A, OpenAPI, and UCP (Google's Universal Commerce Protocol) so AI agents can read it in their native protocols. Public product data only.
The marketing website at crawlwithai.com is informational only. No merchant or shopper account data is processed there.
3. What data we collect
3.1 From merchants (when you install the app). Shopify gives us:
- Your shop domain (e.g. example.myshopify.com), shop name, timezone, primary currency, and locale.
- Your product catalog (titles, descriptions, prices, images, tags, variants).
- Your collections, blog posts (if any), shipping and return policies, and discount codes.
- Order events when a sale happens (see 3.4 below for what we keep).
- An OAuth access token used to call Shopify APIs on your behalf.
3.2 Merchant-authored content. Anything you type into the AI Mapping, AI Optimizer, or Sales AI configuration screens is stored against your shop. You can edit or delete it from the admin at any time.
3.3 Shopper data via the AI Network. When an AI shopping agent (ChatGPT, Claude, Cursor, etc.) requests your catalog through one of our public endpoints, we log the request URL, timestamp, and the source platform (when identifiable). We do not see the shopper themselves, only the AI agent acting on their behalf.
3.4 Shopper data via attribution. When a shopper clicks an AI-generated link into the Merchant's store, we set short-lived cookies and store, against the click:
- The AI source platform (Google, OpenAI, Anthropic, Perplexity, etc.), derived from referer + user-agent.
- A truncated SHA-256 hash of the visitor's IP address. The raw IP is never written to disk; only the hash is stored, and only the first 16 hex characters of that hash.
- The session ID and visitor ID cookies (see the Cookie Policy).
- If the shopper checks out, the Shopify-issued numeric customer ID (e.g. gid://shopify/Customer/12345). Not the customer's name, email, address, or payment method.
This attribution data is collected indirectly via the merchant's storefront and the AI agent's request headers, not directly from the shopper. The shopper has not given us a contact address; we have no way to notify them individually. The lawful basis is the merchant's legitimate interest in measuring AI-driven revenue (see section 4). We provide opt-out mechanisms through cookie blocking, "Do Not Track", and Global Privacy Control (see section 13).
3.5 Shopper data via the Sales AI widget. When a shopper sends a message in the chat widget, we store the conversation transcript (their messages plus the AI's replies) for up to 90 days. Conversations are tied to a session, not to a named individual. Shoppers are not asked to log in or provide contact details. Emails and phone numbers in shopper messages are stripped at the server before they reach Anthropic or our database.
3.6 From you when you contact us. If you email support@crawlwithai.com, we keep the email content, your address, and our reply so we can follow up.
3.7 What we never collect. We do not collect or store shopper names, email addresses, postal addresses, phone numbers, payment card details, government IDs, or any "sensitive personal data" as defined under GDPR Art. 9 or India's DPDP Act 2023.
4. Why we collect each piece of data (legal bases)
For merchant data, our basis is the contract you accepted when you installed the app. For shopper attribution data, our basis is the legitimate interest of the merchant in understanding which AI sources drive their revenue, balanced against the very limited identifiability of the data we keep. For email communications, our basis is your consent (you started the conversation) plus our legitimate interest in providing support.
EEA or UK shoppers who object to attribution tracking can opt out by blocking cookies on the merchant's store, by enabling "Do Not Track" or Global Privacy Control in the browser (both honoured), or by emailing support@crawlwithai.com.
5. Who we share data with (named sub-processors)
CrawlWithAI uses the following sub-processors. This is the complete set of third parties that receive any data we process. If we add or remove one, we update this section.
| Sub-processor | What it does for us | What data it receives | Location |
|---|---|---|---|
| Shopify Inc. | App platform, OAuth, webhook delivery, billing (Shopify App Billing). | All merchant identifiers, OAuth tokens, app subscription + commission usage records (USD). | Canada / global. |
| Anthropic, PBC (Claude API) | Generates AI replies in the Sales AI widget. Generates AI Mapping suggestions in the admin. | Shopper messages from the widget (with emails and phone numbers stripped server-side). Product titles, descriptions, prices, and tags. Merchant-authored AI Mapping text. | United States. |
| Voyage AI Innovations Inc. | Generates semantic embeddings of product text so the Sales AI widget can find relevant products. | Product titles, descriptions, and tags. No shopper data, no PII. | United States. |
| Microsoft (IndexNow) | Notifies Bing / Copilot when a merchant's catalog changes so AI search updates faster. | Public URLs of the merchant's products and AI catalog files. No shopper data. | United States. |
| Railway Corporation | Hosts the application servers, background jobs, and PostgreSQL database. | All data we hold (encrypted at rest, TLS in transit). | EU West region. |
| Open Exchange Rates (open.er-api.com) | Daily currency conversion rates so non-USD commissions can be billed in USD by Shopify. | No outbound data. Read-only API. | Global CDN. |
We do not sell personal information. We do not share data with advertising networks. We do not use shopper data to train third-party AI models. Anthropic and Voyage AI both contract not to train on customer-API inputs.
6. How long we keep your data (retention)
We keep data only as long as we need it for the service or to meet a legal obligation.
- Merchant account + Shopify product catalog. Kept while your app is installed. Within 48 hours of uninstall (or your deletion request), Shopify sends us a shop/redact webhook and we delete all rows tied to your shop.
- Attribution events (clicks, sessions, hashed IPs): 24 months from the event.
- Sales AI widget conversations. 90 days from the last message, then deleted by a daily automated job. Pseudonymous (session-scoped, no named individual).
- Order attribution rows. Kept while the app is installed; deleted on uninstall.
- PPT cart correlation data (short-lived tracking artefact linking a click to a checkout): 30 days.
- API key hashes. Kept until you revoke the key. We never store the plaintext, only an scrypt hash.
- Support emails. 24 months.
- Backups. Encrypted, 14 days, then overwritten.
If a longer retention is required by law (e.g. tax records) we retain only the minimum necessary fields, locked from further processing.
7. How we keep your data secure
- Encryption. All traffic uses TLS 1.2 or higher. The database is encrypted at rest using AES-256.
- IP addresses are hashed. We never write a raw IP to disk. The IP is SHA-256 hashed with a non-public salt and truncated to 16 hex characters.
- API keys are hashed. We store an scrypt hash of every key. The plaintext is shown once at creation and discarded.
- OAuth tokens. Stored encrypted; never logged.
- Access control. Production database access is restricted to the operator (Shubh Pranamya). No third party has direct database access.
- Mandatory Shopify webhooks. We implement customers/data_request, customers/redact, and shop/redact as required by Shopify's app-developer contract.
No service can guarantee absolute security. If a breach affects your data, we will notify you and the relevant regulators within 72 hours of detection, as required by GDPR Art. 33 and India's DPDP Act.
8. International data transfers
The CrawlWithAI servers and database are in the European Union (Railway, EU region). Some sub-processors are in the United States (Anthropic, Voyage AI, Microsoft) or operate globally (Shopify, Open Exchange Rates). Where personal data leaves the EEA or UK, we rely on:
- Anthropic (Claude API): Standard Contractual Clauses, signed as part of Anthropic's commercial terms.
- Voyage AI: Standard Contractual Clauses, signed as part of Voyage AI's commercial terms.
- Microsoft (IndexNow): EU-U.S. Data Privacy Framework where Microsoft has self-certified, otherwise Standard Contractual Clauses. Note: IndexNow only receives public product URLs - no personal data flows here.
- Shopify: Standard Contractual Clauses and the European Commission's adequacy decision for Canada, where Shopify Inc. is headquartered.
- UK data: the UK International Data Transfer Addendum to the SCCs applies in addition to the above.
- Indian data: transfers comply with the Indian DPDP Act 2023 framework as it is operationalised.
If a sub-processor's transfer mechanism changes (for example, if a new EU adequacy decision lands), we update this section.
9. EU representative (Art. 27 GDPR)
Shubh Pranamya is established in India and does not maintain an establishment in the European Union or United Kingdom. Under Article 27 of the EU GDPR, a non-EU controller is generally required to appoint a written-authorised representative in the EU. The exemption in Article 27(2)(a) applies to processing that is:
- Occasional, and
- Does not include, on a large scale, processing of special categories of data or data relating to criminal convictions, and
- Is unlikely to result in a risk to the rights and freedoms of natural persons.
We rely on this exemption today because:
- We process no special-category data (no health, biometric, racial, religious, political, sexual-orientation, or trade-union data).
- We process no criminal-conviction data.
- Shopper attribution data is pseudonymous: IP addresses are SHA-256 hashed and truncated before storage, no shopper names / emails / addresses / phone numbers are collected, and the only identifier that could link an attribution row to a person is the Shopify customer ID, which we receive only when a sale completes (not on browsing).
- Sales AI widget messages have emails and phone numbers stripped server-side before storage and before they reach Anthropic.
- Pre-launch: the app has zero installed merchants and zero EU shoppers at the date of this policy. We expect EU exposure to remain limited in the early stages.
If the scale of our EU processing materially increases (for example, the first 100 EU merchants installing the app, or a complaint from an EU data subject that we cannot resolve directly), we will appoint a formal Article 27 representative and update this section with their name and address.
For any GDPR-related question or complaint in the meantime, EU and UK data subjects can contact us directly at support@crawlwithai.com. We respond within 30 days.
10. Your rights
Depending on where you are, you have the following rights over your personal data:
- Access. Ask for a copy of the data we hold about you.
- Correction. Ask us to fix incorrect data.
- Deletion. Ask us to delete your data. Merchants can trigger this by uninstalling the app. Shoppers can ask the merchant to invoke Shopify's customers/data_request / customers/redact flow, or contact us directly.
- Portability. Receive your data in a structured, machine-readable format.
- Restriction. Pause certain processing while a dispute is resolved.
- Objection. Object to processing based on legitimate interests.
- Withdraw consent. Withdraw any consent you previously gave (without affecting prior processing).
- Complain to a regulator. EEA: your local Data Protection Authority. UK: the ICO. India: the Data Protection Board once constituted. California: the California Privacy Protection Agency.
To exercise any of these rights, email support@crawlwithai.com. We respond within 30 days (often sooner). We may need to verify your identity to prevent fraudulent requests.
Automated decision-making. We do not make decisions about you based solely on automated processing that produce legal effects or similarly significant effects (Art. 22 GDPR). The Sales AI widget generates product recommendations, but a recommendation is not a decision with legal effect, and a human shopper remains in the loop for any purchase.
11. Cookies and similar technologies
CrawlWithAI sets a small number of cookies on Merchant storefronts for attribution. The full list, durations, and how to opt out are in our Cookie Policy.
The Sales AI widget uses browser sessionStorage to keep a conversation alive across page loads on the same store. That data is local to the shopper's browser and not shared with us beyond the messages they send.
12. Children
CrawlWithAI is a business-to-business product. We do not knowingly collect data from anyone under 16. If you believe we have, email support@crawlwithai.com and we will delete it.
13. California-specific disclosures (CCPA / CPRA)
If you are a California resident:
- The categories of personal information we collect are described in section 3 above.
- We do not sell personal information and we do not share it for cross-context behavioural advertising. Our Shopify Web Pixel is configured with sale_of_data="disabled".
- You have the right to know, delete, correct, and opt out. To exercise any right, email support@crawlwithai.com.
- We honour the Global Privacy Control (GPC) browser signal.
14. India-specific disclosures (DPDP Act 2023)
Shubh Pranamya is registered in Mumbai, India and acts as the Data Fiduciary for personal data where we determine the purposes of processing. For shopper data processed on behalf of a Merchant, we act as a Data Processor. Data Principals in India may exercise their rights of access, correction, erasure, and grievance redressal by emailing support@crawlwithai.com. If we have not resolved your complaint within 30 days, you may approach the Data Protection Board of India once it becomes operational.
15. Changes to this policy
For material changes (a new sub-processor, a longer retention window, a new data category), we update this page, change the effective date at the top, and email active merchants on file at least 14 days before the change takes effect.
16. Contact
Privacy questions, data-subject requests, or complaints: support@crawlwithai.com.
Postal address for legal notices: Shubh Pranamya, Shop No. 33, Ashoka Palace, Makrani Pada Road, Malad East, Mumbai 400097, India.