Privacy Policy

Last Updated: January 2026

Version 2.0 | Effective Date: January 1, 2026

1. Introduction

This Privacy Policy explains how N8.Chat ("we", "us", or "our") collects, uses, discloses, and safeguards your information when you use our Shopify Theme App Extension and WordPress plugin (collectively, the "Service"). We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the UK General Data Protection Regulation (UK GDPR), the Lei Geral de Proteção de Dados (LGPD), and other applicable privacy laws.

Important: N8.Chat is a chat widget that connects your store to your own n8n workflow. We do NOT process or store chat message contents - messages are sent directly to the merchant's webhook endpoint.

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Data Controller & Data Protection Officer

The data controller responsible for your personal data is:

Stefan Mueller e.U.

Alberlochstraße 29

6911 Lochau

Austria

Data Protection Officer (DPO):

Stefan Mueller

Email: dpo@n8.chat

3. About N8.Chat (Shopify App)

N8.Chat is a Shopify Theme App Extension that embeds an AI-powered chat widget on Shopify storefronts. Understanding how our app works is essential to understanding our data practices:

How N8.Chat Works:

  1. Merchant installs the app from the Shopify App Store
  2. Merchant configures the widget in Shopify Theme Editor (webhook URL, colors, messages)
  3. Widget appears on the merchant's storefront
  4. End customers interact with the chat widget
  5. Messages are sent directly to merchant's n8n webhook (not our servers)
  6. Merchant's n8n workflow processes messages and returns responses

Key Architecture Points:

  • We do NOT process or store chat messages - they go directly to the merchant's webhook
  • We use Supabase for OAuth authentication flow and GDPR compliance logging only
  • The widget runs entirely in the browser (client-side React)
  • No additional API scopes are required from Shopify

4. Data We Collect (App Provider)

As the app provider, N8.Chat collects the following data for app functionality:

Data Type | Purpose | Storage | Retention
Shop domain | App installation tracking | Supabase | Until uninstall + 30 days
Shop name | Display in admin | Supabase | Until uninstall + 30 days
Merchant email | Support communication | Supabase | Until uninstall + 30 days
OAuth tokens | Shopify authentication | Supabase (encrypted) | Until uninstall
GDPR request logs | Compliance audit trail | Supabase | 3 years

Data We Do NOT Collect:

  • Chat message contents (sent directly to merchant's webhook)
  • Payment information
  • Passwords
  • Customer browsing history beyond current session
  • Customer personal data from Shopify stores

5. Data the Widget Sends to Merchant's Webhook

When customers use the chat widget, data is sent directly to the merchant's n8n webhook (NOT to N8.Chat servers). The merchant controls what data is sent via Privacy Mode settings:

Privacy Mode OFF (Merchant's Choice):

  • Customer ID (if logged in)
  • Customer email (if logged in)
  • Customer name (if logged in)
  • Customer tags
  • Order count & total spent
  • Current product being viewed
  • Current collection being viewed
  • Cart contents (items, quantities, prices)
  • Page URL and type
  • Shop information
  • Locale/language
  • Chat messages

Privacy Mode ON (GDPR-Compliant Default):

  • Anonymous session only
  • Current page context (no PII)
  • Cart summary (item count, total - no customer data)
  • Chat messages
  • Shop information
  • Locale/language

Important Notice:

The merchant is the data controller for any customer data sent through the widget. Merchants are responsible for having appropriate privacy policies and obtaining necessary consents from their customers.

7. How We Use Your Data

  • Providing and maintaining the N8.Chat service
  • Authenticating merchants via Shopify OAuth and WordPress licensing
  • Responding to support requests and customer service inquiries
  • Sending technical notices and service updates
  • Processing GDPR data requests
  • Improving our service based on aggregated, anonymized usage patterns
  • Detecting and preventing fraud, abuse, and security vulnerabilities
  • Complying with legal obligations

8. Third-Party Services

We use the following third-party services:

Service | Purpose | Data Shared | Privacy Policy
Supabase (EU/US) | Database, Auth, Edge Functions | Shop data, OAuth tokens | supabase.com/privacy
Shopify | Platform, OAuth | Standard Shopify app data | shopify.com/legal/privacy
Stripe | Payment processing | Payment data (we don't see full card numbers) | stripe.com/privacy
Merchant's n8n Webhook | Chat processing | Chat messages + context | Varies by merchant

9. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States via our infrastructure provider Supabase.

We ensure appropriate safeguards for such transfers:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable (e.g., EU-US Data Privacy Framework)
  • Technical measures including encryption in transit and at rest

You may request a copy of the safeguards by contacting us at privacy@n8.chat.

10. Data Retention

We retain personal data only as long as necessary:

  • Shop data & OAuth tokens: Until app uninstall + 30 days grace period
  • GDPR compliance logs: 3 years (legal requirement)
  • Support correspondence: 2 years after last contact
  • Billing records: 7 years (tax/accounting requirements)

After the retention period, data is securely deleted or anonymized.

11. Your Rights Under GDPR (EU & UK)

If you are in the European Union or United Kingdom, you have the following rights:

Right of Access (Art. 15)

Request a copy of your personal data we hold.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete data.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

Right to Restriction (Art. 18)

Request restriction of processing your data.

Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to Object (Art. 21)

Object to processing based on legitimate interests.

Right to Withdraw Consent (Art. 7)

Withdraw consent at any time where processing is based on consent.

To exercise these rights, contact privacy@n8.chat. We will respond within 30 days.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your member state. In Austria, this is the Datenschutzbehörde (DSB).

12. Your Rights Under CCPA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect.
  • Right to Delete: Request deletion of personal information we have collected.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Do Not Sell My Personal Information

We do NOT sell your personal information to third parties. We do not share personal information for cross-context behavioral advertising. Therefore, we do not offer an opt-out for the sale of personal information.

Categories of Personal Information Collected: Identifiers (shop domain, email), commercial information (subscription data), and internet activity (service usage logs).

Sources of Personal Information: We collect personal information directly from you (registration), from Shopify (OAuth integration), and from service providers (payment processing).

To exercise your CCPA rights, California residents can contact privacy@n8.chat. We will respond within 45 days as required by CCPA, which may be extended by an additional 45 days if necessary.

13. Your Rights Under LGPD (Brazil)

If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD) similar to GDPR rights, including:

  • Confirmation of processing
  • Access to your data
  • Correction of incomplete or inaccurate data
  • Anonymization, blocking, or deletion of unnecessary data
  • Data portability
  • Information about sharing with third parties
  • Revocation of consent

Contact privacy@n8.chat to exercise these rights.

14. Shopify GDPR Compliance

N8.Chat complies with Shopify's mandatory GDPR requirements by implementing the following webhook handlers:

customers/data_request

When a customer requests their data, this webhook is triggered. Since N8.Chat does not store customer data (messages go directly to the merchant's webhook), we respond with confirmation that no customer data is held.

customers/redact

When a customer requests data deletion, this webhook is triggered. We log the request and confirm no customer data requires deletion on our end.

shop/redact

When a shop uninstalls the app and requests data deletion (48 hours after uninstall), we delete all shop data including OAuth tokens and configuration.

Merchant Responsibility: Merchants are responsible for managing data in their own n8n workflows, deleting conversation data from their external systems, and complying with their customers' data requests.

15. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • OAuth tokens stored with encryption
  • Access controls with principle of least privilege
  • Regular security assessments
  • Supabase infrastructure with SOC 2 Type II certification
  • HMAC signature validation for all webhooks

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

16. Cookies & Local Storage

The N8.Chat widget uses browser localStorage (not cookies) to maintain chat session state. This data stays on the user's device and is not transmitted to our servers.

Our website may use essential cookies for functionality. For detailed information, see our Cookie Policy.

17. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us immediately at privacy@n8.chat, and we will take steps to delete such information.

18. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

For material changes, we will notify you via email (for registered merchants) or through the Shopify admin dashboard. We encourage you to review this policy periodically.

19. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:

General Inquiries

Email: hello@n8.chat

Website: https://n8.chat

Privacy & Data Requests

Email: privacy@n8.chat

DPO: dpo@n8.chat