Privacy Policy

Remora (“we,” “us,” or “our”) operates the customer service platform available at app.remora.cx (the “Service”). This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our Service, whether you are a Shopify merchant (“Merchant”), a member of a Merchant’s support team (“Agent”), or a customer of a Merchant (“End Customer”).

We provide the same privacy rights to all individuals, regardless of geographic location. If you are located in the European Economic Area (EEA), United Kingdom, or California, additional details relevant to your rights are noted throughout.

1.1 Data collected via the Shopify API

When a Merchant installs the Remora Shopify app and authorizes access, we retrieve the following from the Shopify Admin API:

• Customer records — name, email address, phone number, and shipping/billing addresses
• Order data — order history, line items, fulfillment status, tracking numbers, and transaction summaries
• Product data — product titles, descriptions, variants, and images (used for AI context when resolving support tickets)
• Shop information — store name, domain, currency, timezone, and plan

We request read_customers, read_orders, read_all_orders, read_products, and related scopes. We only access data necessary for customer service operations.

1.2 Data collected directly from Merchants and Agents

• Account information — name, email address, and password (hashed; we never store plaintext passwords).
• Support content — tickets, messages, internal notes, macros, routing rules, and knowledge base articles created within the Service
• Configuration — AI settings, notification preferences, team roles, and onboarding choices
• Usage data — feature usage counts, AI token consumption, and aggregate analytics

1.3 Data collected from End Customers

• Support emails — inbound email content, headers, and attachments forwarded through our email integration (Postmark)
• CSAT survey responses — satisfaction ratings and optional free-text feedback

1.4 Data we do NOT collect

• Payment card numbers or full financial account details (we never request payment scopes from Shopify)
• Social Security numbers or government-issued IDs
• Biometric data
• Data from third-party advertising or tracking networks

We do not sell personal data. We do not use personal data for advertising, profiling, or automated decision-making that produces legal effects.

Remora uses artificial intelligence (powered by Anthropic’s Claude models) to:

• Classify incoming support tickets by category and intent
• Generate draft replies for Agent review before sending
• Summarize conversation threads

Human oversight: By default, AI operates in “sandbox” mode — all AI-generated responses are drafted for human review. An Agent must explicitly approve and send every reply. Merchants may optionally enable graduated autonomy for low-risk ticket categories, with configurable confidence thresholds and automatic rollback.

AI audit logging: Every AI action (classification, draft generation, auto-resolution) is recorded in an append-only audit log with the model used, input/output tokens, confidence score, and whether the output was sent, edited, or discarded.

Opt-out: Merchants can disable AI processing entirely in Settings. End Customers whose records are marked with a processing restriction are automatically excluded from AI processing.

Anthropic’s Claude API does not use customer data for model training. See Anthropic’s Privacy Policy for details.

We share personal data only with the service providers (“sub-processors”) necessary to operate the Service:

We do not share personal data with any other third parties, data brokers, or advertising networks. We may disclose data if required by law, regulation, or valid legal process.

When a Merchant uninstalls the Shopify app, we receive a shop/redact webhook from Shopify and delete all associated shop data within 30 days.

• Encryption at rest: All database data is encrypted using AES-256. Shopify access tokens are additionally encrypted with AES-256-GCM using per-tenant key derivation (HKDF).
• Encryption in transit: All connections use TLS 1.2 or higher. Database connections require verified TLS.
• Backup encryption: Automated database backups are encrypted at rest.
• Access control: Role-based access control (RBAC) with five roles (owner, admin, agent, viewer, billing). Row-level security (RLS) enforced at the database level ensures strict tenant data isolation.
• Authentication: Password hashing with scrypt. Session-based authentication with 24-hour expiry and 1-hour refresh. Rate limiting on login (5 attempts per 15 minutes per IP).
• Staff access: Access to production infrastructure and personal data is limited to essential personnel. Administrative actions are recorded in an audit log.
• Environment separation: Test and production environments use separate databases and credentials.
• Incident response: We maintain a security incident response process. In the event of a data breach affecting personal data, we will notify affected Merchants within 72 hours and affected supervisory authorities as required by applicable law.

Our Service and all sub-processors are located in the United States. If you are located outside the United States (including in the EEA or UK), your personal data will be transferred to and processed in the United States.

For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor, and Module 3: Processor to Sub-Processor where applicable). Our sub-processors maintain their own data transfer mechanisms:

• Anthropic, Vercel, and Cloudflare participate in the EU-U.S. Data Privacy Framework
• Neon and Postmark operate under Standard Contractual Clauses

Merchants located in the EEA may request a copy of our Data Processing Agreement (DPA) including SCCs by contacting us at the address below.

Regardless of where you are located, you have the following rights with respect to your personal data:

• Access — Request a copy of the personal data we hold about you
• Correction — Request correction of inaccurate or incomplete data
• Deletion — Request deletion of your personal data, subject to legal retention requirements
• Restriction — Request that we restrict processing of your data (e.g., while we verify its accuracy)
• Portability — Receive your data in a structured, commonly used, machine-readable format
• Objection — Object to processing based on legitimate interest
• Withdraw consent — Where processing is based on consent, withdraw it at any time

For Merchants and Agents

Contact us at the address below. We will respond within 30 days.

For End Customers

Your personal data is processed by Remora on behalf of the Merchant. To exercise your rights, contact the Merchant directly. If the Merchant is unable to assist, or if you wish to contact us directly, email us at the address below.

Shopify may also forward data subject requests to us via mandatory compliance webhooks (customers/data_request, customers/redact). We process these within 30 days.

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.

We use only essential cookies necessary for the Service to function:

We do not use analytics cookies, advertising cookies, tracking pixels, or any third-party tracking technologies. We do not participate in cross-site tracking or retargeting.

When a Merchant uninstalls the Remora Shopify app:

1. Shopify sends us a shop/redact webhook (delivered 48 hours after uninstall)
2. We revoke the stored Shopify access token immediately upon webhook receipt
3. All Shopify-sourced data (customers, orders, products) is deleted within 30 days
4. Merchant-created content (tickets, knowledge base articles, macros) is retained for 30 days in case of reinstallation, then permanently deleted

Merchants may request immediate deletion at any time by contacting us.

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will delete it promptly.

We may update this Privacy Policy from time to time. If we make material changes, we will notify Merchants via email or an in-app notice at least 30 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.

For privacy-related questions, data subject requests, or to request a copy of our Data Processing Agreement:

We aim to respond to all requests within 30 days.