Privacy Policy
How daita collects, uses and protects data — for visitors to daita-ai.com and for merchants who connect the daita AI agent (including the Shopify app).
1. Who we are
daita (“we”, “us”) is an AI solutions company based in München, Germany. We provide an embeddable AI agent used on our own website and offered to other businesses (via a one-line script, a WordPress plugin and a Shopify app). For data processed through the agent on a client’s website or store, the client is the data controller and daita acts as a data processor on their behalf.
2. Data we process
- Conversation content: the messages a visitor sends to the agent and the agent’s replies, plus the language and the page/origin, to generate answers and operate features (lead capture, booking, handoff).
- Contact details a visitor chooses to share: e.g. name and email when capturing a lead, booking a consultation, or requesting a human handoff.
- Shopify store data (Shopify app only): on install we store an OAuth access token for the store. Using it, the agent reads — in real time, only to answer a request — product catalog data and, when a shopper proves ownership with a matching order number and email, order status and tracking. We do not copy or retain your customers’ personal data or your order database.
- Operational metadata: lightweight, privacy-preserving events (e.g. “a product lookup happened”) for reliability and analytics, and an install heartbeat so a workspace owner can confirm the agent is live.
- Cart data (Shopify storefront): the shopper’s current cart is read in the shopper’s own browser (same-origin) to answer cart questions and is passed transiently to generate a reply; it is not stored.
3. What we do not do
- We do not sell personal data.
- We do not use your or your customers’ data to train third-party AI models.
- We do not store your Shopify customers’ PII or your full order history; order details are fetched on demand and returned only to a verified owner.
4. Where data is processed (EU sovereignty)
By default the agent runs EU-sovereign: persistent data (workspaces, conversation-derived records, leads, bookings, the Shopify token and events) is stored in a European Google Firestore region (eur3). Our default retrieval and reranking stay within EU-aligned providers. Some capabilities are opt-in by the workspace owner and may route data outside the EU (for example native real-time speech-to-speech voice, or enhanced retrieval using a non-EU provider); these are off unless explicitly enabled in the management panel.
5. Sub-processors
We use a small set of vetted sub-processors strictly to deliver the service:
- Google Firebase / Cloud (EU region, eur3) — hosting, database, functions.
- Anthropic — the language model that generates replies.
- Jina AI (Berlin, EU) — neural reranking for retrieval (when enabled).
- Resend — transactional email (confirmations, notifications).
- Cal.com — calendar availability and booking (daita’s own agent).
- Twilio — phone / WhatsApp channels (when enabled).
- ElevenLabs — neural text-to-speech (when voice is used).
- OpenAI — native real-time voice (opt-in only).
- Shopify — for the Shopify app, the merchant’s store APIs (under the merchant’s authorization).
6. Legal bases (GDPR)
We process data to perform the service requested (Art. 6(1)(b)), on the basis of our and the client’s legitimate interests in operating and securing the agent (Art. 6(1)(f)), and on consent where required (Art. 6(1)(a)), e.g. for optional voice or non-EU features. The EU AI Act informs our design; we apply transparency, human-in-the-loop escalation and auditability.
7. Retention
We keep data only as long as needed for the purpose: conversation-derived records and operational events for a limited operational window, leads/bookings until the client no longer needs them, and the Shopify access token until the app is uninstalled. On uninstall, the store’s token is deleted automatically (via the app/uninstalled webhook). Clients can request deletion at any time.
8. Your rights
Under the GDPR you may request access, rectification, erasure, restriction, portability and objection. Visitors should contact the website/store operator (the controller); for daita-operated data, contact info@daita-ai.com. We honour Shopify’s mandatory privacy webhooks (customers/data_request, customers/redact, shop/redact): because we store no Shopify customer PII, there is nothing to export or erase for those requests, and we acknowledge them as required.
9. Security
Secrets (API keys, OAuth tokens, the Shopify API secret) are held in Google Secret Manager and never exposed to the browser. All traffic is encrypted in transit (HTTPS). OAuth and webhook calls are verified with HMAC signatures. Access to production data is restricted.
10. Children
The service is not directed to children and we do not knowingly collect their data.
11. Changes
We may update this policy; we will revise the “last updated” date and, for material changes affecting clients, notify them.
12. Contact
daita — München, Germany · info@daita-ai.com · Trust & compliance