Privacy Policy – Pinpointed AI Sommelier (Shopify App)

Last updated: 24 November 2025

Important: This document is provided for general information only and does not constitute legal advice. Laws vary by jurisdiction and may change over time. You should have this policy reviewed by a qualified lawyer to ensure it meets your legal obligations (including GDPR, UK GDPR, CCPA/CPRA or other applicable laws).

This Privacy Policy describes how Pinpointed (“we”, “us”, “our”) collects, uses, and shares information when you install or use the Pinpointed AI Sommelier application (“the App”) in connection with your Shopify-powered store.

Your use of Shopify itself is governed by Shopify’s own terms and privacy policy. This Privacy Policy applies only to the data processed by our App.

By installing or using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Policy, please do not install or use the App.

1. Who We Are & How to Contact Us

Controller / Service Provider:

Pinpointed
29 RUE TRONCHET
75008 PARIS
France

Website: https://pinpointed.dev
Email: [email protected]

If you have any questions about this Privacy Policy or our data practices, you can contact us at [email protected].

If you are located in the EU/EEA or UK, you may also have the right to lodge a complaint with your local data protection authority.

2. Scope – Who This Policy Applies To

This Policy applies to:

  • Merchants who install and use the App on their Shopify store; and
  • End customers / visitors who interact with the AI Sommelier widget or chat experience on a merchant’s store.

We act as:

  • A data controller of merchant data (for example, your account, billing, and configuration data).
  • A data processor of customer data on behalf of the merchant, to provide AI recommendations and related services. In GDPR terms, the merchant is generally the controller of its customers’ data.

3. Information We Collect

3.1 Information We Collect from Merchants

When you install and use the App, we may collect the following information from your Shopify account via the Shopify API:

  • Store information such as store name, URL, Shopify store ID, time zone, currency, and locale.
  • Merchant contact details such as the name of the store owner or main contact and email address.
  • Billing and subscription information related to your use of the App (plan type, subscription status), but not full payment card numbers (payment processing is handled by Shopify or your payment provider).
  • App configuration & usage data, including license key, enabled features (e.g., voice AI, languages, budget ranges), technical logs, and request metadata needed to operate and secure the App.

3.2 Store & Product Data

To provide the AI Sommelier recommendations, the App may access and process:

  • Product catalog data (titles, descriptions, tags, variants, prices, images, stock status, collections).
  • Optional basic order data (e.g., order ID, line items, totals, currency) if needed to provide analytics or conversion measurement. We do not process full payment card details.

We request only the Shopify scopes necessary to provide the App’s functionality and follow a principle of data minimization.

3.3 Information from Store Customers / Visitors

When a customer interacts with the AI Sommelier on your store, we may process:

  • Chat / conversation data, such as:
    • Questions asked (e.g., “I’m eating steak, what wine do you recommend?”)
    • Stated preferences (grape, style, region, sweetness, flavour notes)
    • Budget information (per-bottle or per-order budget, currency)
    • Follow-up messages and responses within the conversation
  • Context from the store:
    • Products viewed or suggested
    • Whether a customer clicked on an AI recommendation
    • Whether a recommended product was added to the cart
  • Technical data:
    • Browser type and version, device type
    • IP address (which may be used to derive approximate location such as country)
    • Timestamps and unique session IDs
    • Cookies or local storage identifiers to maintain session continuity
  • Optional customer identifiers (if configured by the merchant):
    • Shopify customer ID
    • Name or email address, but only if the merchant chooses to send this information to the App.

We encourage merchants to avoid sending unnecessary personal identifiers unless required for the intended functionality.

4. How We Use Information

We use the information described above for the following purposes:

  1. To operate and provide the App
    To deliver AI-generated product recommendations and food/wine pairing suggestions, match customer preferences and budget with products in the store’s catalog, and display or update the AI widget on the merchant’s site.
  2. To provide analytics to merchants
    To measure usage of the AI widget (for example, number of chats, click-through rates, average upsell, popular questions, missing items) and provide aggregated insights that help merchants optimise their product selection and marketing.
  3. To maintain, secure, and improve the App
    To monitor performance, debug issues, detect misuse, improve recommendation quality, and develop new features.
  4. To provide support and manage our relationship with merchants
    To respond to support requests, manage billing and subscription status, and send service-related communications (for example, important changes to features or terms).
  5. To comply with legal obligations
    To respond to lawful requests from public authorities and to comply with tax, accounting, and other regulatory requirements.

5. Legal Bases for Processing (EEA / UK)

If you are located in the EEA or UK, our legal bases for processing your personal data under the GDPR/UK GDPR typically include:

  • Performance of a contract (Art. 6(1)(b)) – where processing is necessary to provide the App to you as a merchant.
  • Legitimate interests (Art. 6(1)(f)) – for security, analytics, product improvement, and fraud prevention, where these interests are not overridden by your rights and freedoms.
  • Consent (Art. 6(1)(a)) – where you or your customers provide consent for specific uses (for example, certain marketing activities or cookies). You can withdraw consent at any time.

As a merchant, you are responsible for ensuring that you have a lawful basis for sharing your customers’ personal data with us and for using the App in compliance with applicable privacy laws.

6. Sharing and Disclosure of Information

We do not sell personal information.

We may share information with the following categories of recipients:

6.1 Service Providers / Processors

We use trusted third-party service providers to help us operate and improve the App. These may include:

  • Cloud hosting and infrastructure providers
  • Security, logging, and monitoring providers
  • AI processing and model providers
  • Customer support and email tools

These providers are bound by contractual obligations to protect personal data and to use it only in accordance with our instructions.

6.2 Shopify

The App integrates with Shopify’s APIs and infrastructure. Data flows between your store and our App via Shopify’s systems and is also subject to Shopify’s own privacy and security practices.

6.3 Legal and Regulatory Authorities

We may disclose information where required by law, court order, or other legal process, or where we believe in good faith that disclosure is reasonably necessary to:

  • Comply with applicable law or legal obligations
  • Enforce our agreements and terms
  • Protect the rights, property, or safety of Pinpointed, our users, or the public

6.4 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of the transaction. We will continue to protect your information and will notify you of any material changes where required by law.

7. International Data Transfers

Our primary data centre is located in Germany. Data may also be processed in other countries where our service providers are located.

If your data is transferred from the EEA/UK to a country that does not provide an equivalent level of data protection, we will implement appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission; and/or
  • Other legal mechanisms permitted under applicable data protection laws.

8. Data Retention & Shopify Erasure Requests

We retain personal data only for as long as necessary for the purposes described in this Policy, including to:

  • Provide and maintain the App;
  • Comply with legal, tax, or accounting requirements;
  • Resolve disputes and enforce our agreements.

In general:

  • Merchant account & configuration data is retained while your store has the App installed and for a reasonable period (for example, up to 24 months) after uninstallation, unless a longer or shorter period is required by law.
  • Customer chat logs & session data may be retained for a limited period (for example, 12–24 months) to provide analytics and improve recommendations, after which it is deleted or anonymised.
  • Aggregated or anonymised data that no longer identifies individuals may be retained indefinitely for statistical and analytical purposes.

Our App is designed to respect Shopify’s mandatory privacy webhooks (such as customers/data_request, customers/redact and shop/redact) where implemented. When we receive a relevant privacy or erasure request via Shopify, we will delete or anonymise the associated personal data from our systems within the timeframes required by Shopify’s policies and applicable law.

Merchants can also contact us directly at [email protected] to request deletion of data related to their store or their customers, subject to any legal obligations requiring retention.

9. Security

We take appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (HTTPS) and, where appropriate, at rest;
  • Access controls and authentication for internal systems;
  • Logging and monitoring of key infrastructure;
  • Regular maintenance and updates of our systems and dependencies.

However, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security. You are responsible for maintaining the security of your Shopify account, access credentials, and devices.

10. Your Rights and Choices

Depending on your location and applicable law (for example, GDPR, UK GDPR, CCPA/CPRA), you may have certain rights in relation to your personal data, including the right to:

  • Request access to the personal data we hold about you;
  • Request correction of inaccurate or incomplete data;
  • Request deletion of your personal data in certain circumstances;
  • Request restriction of processing in certain circumstances;
  • Object to processing based on our legitimate interests;
  • Request data portability where technically feasible;
  • Withdraw consent where processing is based on consent.

If you are a customer of a Shopify store using our App, please direct your privacy requests (for example, access, deletion, or correction) to the relevant merchant. As a processor, we generally act on such requests only upon instruction from the merchant, except where we are legally required to respond directly.

If you are a merchant, you can exercise your rights by contacting us at [email protected]. We may need to verify your identity before responding to your request.

For California residents, we do not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA.

11. Cookies and Similar Technologies

The App may use cookies, local storage, or similar technologies to:

  • Maintain the state of the chat session;
  • Remember user preferences (for example, language);
  • Collect basic analytics about how the widget is used.

Merchants are responsible for providing appropriate cookie notices and obtaining any required consent on their storefronts. We can provide information about our cookies so that merchants can include them in their own cookie or privacy policies.

12. Children’s Privacy

The App is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe that we have collected personal data from a child, please contact us at [email protected] so that we can take appropriate steps to delete such data.

Merchants are responsible for ensuring that their stores, and their use of our App, are compliant with children’s privacy laws where applicable.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, provide additional notice (for example, via email to merchants or through the App interface).

Please review this Policy periodically. Your continued use of the App after any updates indicates that you accept the revised Policy.

14. Contact

If you have any questions, concerns, or requests relating to this Privacy Policy, you can contact us at:

Pinpointed
29 RUE TRONCHET
75008 PARIS
France
Email: [email protected]
