Last updated: April 9, 2026
LUMI ("we", "us", or "our") is committed to protecting the privacy of Shopify merchants and their customers. This policy explains what data we collect, why we collect it, and how we handle it.
1. Who We Are
LUMI is a Shopify app that provides an AI-powered chat widget for e-commerce stores. Our application is available through the Shopify App Store and is operated by LUMI (use-lumi.com). For privacy-related questions, contact us at: privacy@use-lumi.com
2. Data We Collect
We collect two categories of data:
Merchant Data (Shopify store owners who install LUMI):
- Shopify shop domain and store name
- Merchant email address (for reports and notifications)
- App configuration settings (widget colors, bot name, welcome messages)
- Store policies text (if provided voluntarily)
- Storefront API access token (to enable product search)
- Subscription plan and billing information (processed by Shopify)
Shopper Data (visitors to stores using LUMI):
- Chat messages and conversation history
- Anonymous session identifiers
- Email addresses (only if voluntarily provided during a chat conversation)
- Product interaction data (clicks, viewed products)
- Purchase attribution data (whether a purchase originated from a chat session)
3. How We Use Your Data
For merchants, we use your data to:
- Provide and operate the LUMI chat widget on your store
- Display usage statistics and analytics on your dashboard
- Send monthly performance report emails
- Send usage warning emails when approaching plan limits
- Process billing and subscription management through Shopify
- Respond to support requests
For shoppers, we use your data to:
- Provide AI-powered product recommendations and answers
- Maintain conversation context within a session
- Generate anonymous usage analytics for merchants
- Track conversions to help merchants understand ROI
4. Data Storage and Security
All data is stored securely in our database hosted on Supabase (PostgreSQL). We implement the following security measures:
- All data is encrypted in transit using TLS/HTTPS
- Database access is restricted and authenticated
- API keys and credentials are stored as environment variables, never in code
- We do not store full payment card details — all billing is handled by Shopify
5. Data Sharing
We do not sell your personal data. We share data only with the following third-party services that are necessary to operate LUMI:
- Anthropic — AI chat responses are processed via the Claude API. Chat messages are sent to Anthropic for processing. Anthropic's privacy policy applies.
- Shopify — We use the Shopify API to authenticate merchants and process billing. Shopify's privacy policy applies.
- Resend — We use Resend to deliver transactional emails to merchants. Email content and recipient addresses are shared with Resend.
- Supabase — Our database infrastructure provider. Data is stored on Supabase servers in the US.
- Railway — Our application hosting provider. Application logs may be stored by Railway.
6. Shopper Data and GDPR / CCPA Compliance
LUMI is fully compliant with Shopify's GDPR requirements and supports the following data subject rights for shoppers of stores using our app:
- Right to Access — Upon request, we will provide a copy of personal data we hold about a shopper.
- Right to Erasure — Upon receiving a customer data erasure request from a Shopify store, we will delete the associated conversation data within 30 days.
- Right to Portability — We can provide shopper data in a machine-readable format upon request.
Shoppers who wish to exercise these rights should contact the Shopify merchant whose store they interacted with, or contact us directly at privacy@use-lumi.com.
7. Cookies and Tracking
The LUMI chat widget uses a session identifier stored in the browser's sessionStorage (not persistent cookies) to maintain conversation context. This identifier is anonymous and does not identify individual users across sessions or sites.
No third-party advertising cookies or tracking pixels are placed by LUMI.
8. Data Retention
- Conversation data is retained for 12 months from the date of the conversation, after which it is automatically deleted.
- Merchant account data is retained for the duration of the merchant's subscription plus 90 days after cancellation.
- Usage statistics (aggregated, non-personal) may be retained indefinitely for product improvement.
9. Children's Privacy
LUMI is not directed at children under 13 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@use-lumi.com and we will delete it promptly.
10. International Data Transfers
LUMI is operated from Israel. By using our service, you understand that your data may be processed in the United States (where our infrastructure providers are located). We ensure appropriate safeguards are in place for such transfers in accordance with applicable privacy laws.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Significant changes will be communicated to merchants via email. Your continued use of LUMI after any changes constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
- Email: privacy@use-lumi.com
- Website: use-lumi.com