Privacy Policy
This Privacy Policy governs the Resayil AI for Shopify app published on the Shopify App Store ("App B"), operated by Alphia Ventures Sdn Bhd, a company incorporated in Malaysia ("we", "our", or "Alphia").
This policy does not apply to the direct-invite version of our service ("App A"), which is governed by a separate merchant agreement. If you are an existing App A client, please refer to the agreement signed at onboarding.
1. Who We Are
Data controller: Alphia Ventures Sdn Bhd, Kota Damansara, Petaling Jaya, Selangor, Malaysia (Company Registration No. 1392457-T).
Privacy contact:
[email protected] / [email protected]
Governing law: Malaysia (Personal Data Protection Act 2010) as primary governing law; the GDPR applies to the extent the Controller or any merchant is established in or directed at individuals in the European Economic Area or United Kingdom.
2. Scope and Roles
Resayil AI operates as a data processor on behalf of Shopify merchants who install the app. The merchant (the Shopify store owner) is the data controller for their customers' data. We process data solely on the merchant's instruction to provide the AI store-operations service.
For data we collect directly about merchants and their accounts (subscription, billing, account settings), Alphia Ventures Sdn Bhd is the data controller.
3. Data We Collect and How We Use It
| Data type | Why we collect it | Retention |
|---|---|---|
| Store information (store name, domain, currency, plan) | Configure the AI agent for your store context; display in the merchant dashboard | Until you uninstall the app or request deletion |
| Shopify OAuth access token (encrypted at rest) | Authenticate Admin GraphQL API calls on your behalf | Until revoked by you or on shop/redact webhook |
| Merchant conversation messages (dashboard chat) | Provide the AI chat service; maintain short-term context window | 90 days rolling; purged immediately on shop/redact |
| Merchant memory (brand voice notes, preferences) | Personalise AI responses across sessions so the agent knows your store | Until you instruct the agent to forget, or on shop/redact |
| Billing and subscription records (via Shopify Billing API) | Manage your plan, issue invoices, and comply with financial record-keeping obligations | 7 years (accounting/legal retention obligation) |
| Account credentials (email, hashed password, TOTP secret) | Authenticate merchant dashboard login; secure account access | Until account deletion or shop/redact |
| Storefront session identifiers (anonymous UUID — storefront widget only) | Maintain a conversation session for a store visitor on the storefront chat widget | 30-minute idle TTL in Redis; no PII collected at session level |
| GDPR data-request records | Track compliance with data-subject request SLAs | 30 days from request date, then purged |
| Audit log entries (agent actions, approvals) | Tamper-proof record of every agent action for merchant visibility and dispute resolution | 1 year (immutable) |
4. Protected Customer Data (PCD)
Resayil AI requests the read_orders and read_draft_orders scopes, which grant access to Shopify's Protected Customer Data (PCD) under the PCD Level 2 access programme. The PCD fields our app may receive include: customer name, email address, phone number, shipping and billing address, and order history.
How we handle Protected Customer Data:
- PCD is accessed solely to answer order and customer queries that the merchant directs the AI agent to handle on their behalf (e.g., "look up my customer's order status", "create a draft order for this customer").
- PCD is not retained for analytics, advertising, or profiling. Data fetched to answer a query is discarded after the response is delivered.
- PCD is scoped per merchant: data from one store is never accessible to another merchant's agent session. Per-tenant isolation is enforced at every query layer.
- When the merchant uses the agent to process a query for a logged-in storefront visitor (storefront widget), PCD is scoped to that visitor's logged_in_customer_id only — never cross-customer.
- On receipt of a customers/redact GDPR webhook, all data associated with the identified customer is immediately erased from our systems.
What we do not collect via the storefront widget: The storefront chat widget does not present a pre-chat form, does not set cookies, and does not collect visitor names, email addresses, phone numbers, or payment details. Visitor identity is established only via Shopify's injected logged_in_customer_id token when a customer is already authenticated in the store.
5. LLM Processing — Resayil AI Gateway
Merchant messages, store context, and relevant data required to formulate an AI response are transmitted to our self-hosted inference service, Resayil AI Gateway, for AI processing. This gateway is operated by Alphia and is not a third-party consumer AI product.
All transmissions to the gateway are over TLS. The gateway processes prompts exclusively to return a response to the requesting agent session; your data is never used to train AI models. This commitment is enshrined in the Data Processing Agreement (DPA) between Alphia and the gateway operator. A copy of the DPA sub-processing clause is available upon written request.
PCD fields (customer name, email, phone, address, order history) are included in LLM prompts only when the merchant's instruction requires the agent to act on that data (e.g., create a draft order, look up a customer). Sensitive fields are omitted from prompts when the query can be answered without them.
6. Sub-processors
The following sub-processors may process personal data in connection with the service. We execute a Data Processing Agreement (or equivalent) with each sub-processor.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Resayil AI Gateway (operated by Alphia) | LLM inference — AI response generation | Merchant messages, store context, PCD (when required by query) | United States (self-hosted Contabo VPS) |
| Contabo (VPS hosting) | Primary application and database hosting | All data stored by the service | United States |
| Backblaze B2 | Encrypted off-site database backups | AES-256 GPG-encrypted snapshots (passphrase held offline by Alphia) | United States |
| Langfuse (self-hosted) | LLM observability — trace and span logging for debugging | Prompt/response traces, scrubbed of PII before storage | Same Contabo VPS — United States |
| Sentry (SaaS) | Application error tracking | Error events; PII stripped by our scrubber before transmission | United States |
| Shopify | App installation, billing (Shopify Billing API), and GDPR webhook delivery | Store identity, billing records, GDPR compliance events | United States / international (per Shopify's own privacy policy) |
We do not use your data to train any third-party, public, or consumer AI models. All LLM inference runs through the Resayil AI Gateway operated by Alphia.
7. Data Storage and Geography
- Primary database and application servers: Contabo VPS, United States. Data is encrypted at rest.
- Encrypted off-site backups: Backblaze B2, United States. Backups are AES-256 GPG-encrypted with a passphrase held offline by Alphia. Backblaze cannot read backup contents.
- Redis (sessions and queue cache): Same Contabo VPS. Storefront session identifiers have a 30-minute idle TTL; no PII is stored in Redis beyond this TTL.
- LLM observability (Langfuse, self-hosted): Same Contabo VPS. Trace data is scrubbed of PII (customer names, emails, phone numbers, addresses) before storage.
- Error tracking (Sentry SaaS): United States. Our Sentry client strips PII fields before transmitting error events.
8. International Data Transfers (EEA / UK)
If you are a merchant located in the European Economic Area (EEA) or United Kingdom, data processed on your behalf may be transferred outside those regions (to our hosting infrastructure and sub-processors listed above).
Transfer mechanism: Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c) (Module 2: Controller to Processor) for EEA/UK merchant data transferred to the United States. SCCs are incorporated by reference into our Data Processing Agreement with each relevant sub-processor. [TODO: confirm SCCs have been formally executed with each non-EEA sub-processor before going live for EEA merchants.]
A copy of the relevant SCCs or transfer impact assessments is available upon written request to our privacy contact address.
9. Your Rights as a Data Subject
Depending on your jurisdiction, you may have the following rights in relation to personal data we hold about you as a merchant:
- Right of access — request a copy of the data we hold about your account.
- Right to rectification — ask us to correct inaccurate personal data.
- Right to erasure — request deletion of your personal data (subject to legal retention obligations).
- Right to data portability — request your data in a machine-readable format.
- Right to restriction — ask us to restrict processing in certain circumstances.
- Right to object — object to processing based on legitimate interests.
To exercise any of the above rights, contact us at the privacy address in Section 16. We will respond within 30 days. EEA/UK merchants may also lodge a complaint with their local data protection authority.
10. GDPR Compliance Webhooks (Shopify)
Shopify automates data-subject access and erasure rights through three mandatory compliance webhooks, which we handle as follows:
- customers/data_request — Triggered when one of your customers requests an export of their data. We fulfil the export within 30 days by compiling all conversation and session records associated with that customer and delivering them to the merchant's email on file.
- customers/redact — Triggered when a customer requests erasure. We immediately delete the customer's data from our worker memory store, conversation history, and session logs.
- shop/redact — Triggered 48 hours after the app is uninstalled. We erase all data for your store: conversation history, merchant memory, access tokens, session data, and audit logs. Audit log entries that are within a mandatory 1-year legal hold period are anonymised rather than deleted.
Published blog articles created via the Merchant Content Publisher are written into your Shopify store. They are your content; we do not retain them and do not delete merchant-owned store data.
11. Security Measures
- Encryption at rest: Shopify access tokens and TOTP secrets are stored using AES-256 encryption via Laravel's encrypted cast — the raw token is never written to disk in plaintext. Passwords are stored only as one-way hashes, never in a recoverable form.
- Webhook authentication: Every incoming Shopify webhook is verified before processing by recomputing HMAC-SHA256 over the raw request body with our app secret and comparing the result in constant time against the X-Shopify-Hmac-Sha256 header. Requests that fail this check are rejected with HTTP 401 and their payload is never parsed.
- Transport security: All connections between the merchant, our servers, Shopify, and the LLM gateway use TLS 1.2 or higher.
- Per-tenant isolation: Every database query is scoped to a client_id. No merchant's data is accessible to another tenant's agent session.
- Access controls: The merchant dashboard requires a strong password (minimum 12 characters) and supports TOTP two-factor authentication. Internal admin access requires TOTP 2FA.
- Breach notification: In the event of a confirmed personal data breach, we will notify affected merchants and, where required, the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
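The webhook checks described in Sections 10 and 11, shown as an added example in Python (this is illustrative code, not the app's own Laravel implementation). Shopify signs each webhook by computing HMAC-SHA256 over the raw request body with the app's client secret and sends the base64 digest in the X-Shopify-Hmac-Sha256 header; the three compliance topics are the ones Shopify requires every App Store app to accept. The TenantStore class, the handler bodies, and the sample shops, customer id and secret are constructed for illustration and do not reflect the app's real schema or credentials.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (shop_domain, customer_id)


def compute_signature(client_secret: str, raw_body: bytes) -> str:
    """Base64(HMAC-SHA256(client_secret, raw body)): the value Shopify sends in the header."""
    digest = hmac.new(client_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(client_secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time check of X-Shopify-Hmac-Sha256 against the exact bytes received.

    Never re-serialise parsed JSON before hashing; whitespace or key order changes break
    the signature. Comparing as bytes avoids the TypeError compare_digest raises for
    non-ASCII str input, which an attacker could otherwise use to turn a 401 into a 500.
    """
    if not header_value:
        return False
    expected = compute_signature(client_secret, raw_body).encode("ascii")
    return hmac.compare_digest(expected, header_value.encode("utf-8"))


class TenantStore:
    """Hypothetical in-memory stand-in for the app's per-tenant tables."""

    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}               # shop -> access token
        self.memory: Dict[str, str] = {}               # shop -> merchant memory
        self.conversations: Dict[Key, List[str]] = {}  # (shop, customer) -> messages
        self.audit: List[dict] = []                    # append-only agent actions

    def export_customer(self, shop: str, customer_id: str) -> dict:
        return {"customer_id": customer_id,
                "conversations": list(self.conversations.get((shop, customer_id), []))}

    def redact_customer(self, shop: str, customer_id: str) -> int:
        # Keyed on (shop, customer): another shop's record for the same id is untouched.
        removed = self.conversations.pop((shop, customer_id), None)
        return len(removed) if removed else 0

    def redact_shop(self, shop: str) -> None:
        self.tokens.pop(shop, None)
        self.memory.pop(shop, None)
        for key in [k for k in self.conversations if k[0] == shop]:
            del self.conversations[key]
        for entry in self.audit:  # audit rows under legal hold are anonymised, not deleted
            if entry["shop"] == shop:
                entry["actor"] = "[redacted]"
                entry["customer_id"] = None


def handle_webhook(client_secret: str, headers: Dict[str, str], raw_body: bytes,
                   store: TenantStore) -> Tuple[int, dict]:
    """Verify first, then dispatch the three mandatory compliance topics. Returns (status, body)."""
    if not verify_webhook(client_secret, raw_body, headers.get("X-Shopify-Hmac-Sha256")):
        return 401, {"error": "invalid webhook signature"}  # body is never parsed on failure
    topic = headers.get("X-Shopify-Topic", "")
    payload = json.loads(raw_body)
    shop = payload["shop_domain"]
    if topic == "customers/data_request":
        export = store.export_customer(shop, str(payload["customer"]["id"]))
        return 200, {"queued_export": export}  # real app: deliver to the merchant within 30 days
    if topic == "customers/redact":
        return 200, {"removed_messages": store.redact_customer(shop, str(payload["customer"]["id"]))}
    if topic == "shop/redact":
        store.redact_shop(shop)
        return 200, {"shop_redacted": shop}
    return 200, {"ignored_topic": topic}  # acknowledge unknown topics so Shopify stops retrying


def demo() -> dict:
    """Constructed sample tenants; sends one forged and three genuine compliance webhooks."""
    secret = "example-client-secret"  # placeholder, not a real credential
    store = TenantStore()
    store.tokens["a.myshopify.com"] = "shpat_example"
    store.memory["a.myshopify.com"] = "brand voice: friendly"
    store.conversations[("a.myshopify.com", "42")] = ["where is my order?", "shipped 3 May"]
    store.conversations[("b.myshopify.com", "42")] = ["hi"]  # same customer id, other tenant
    store.audit.append({"shop": "a.myshopify.com", "actor": "agent",
                        "customer_id": "42", "action": "draft_order"})

    def send(topic: str, payload: dict, forge: bool = False) -> Tuple[int, dict]:
        body = json.dumps(payload).encode("utf-8")
        sig = compute_signature("wrong-secret" if forge else secret, body)
        hdrs = {"X-Shopify-Topic": topic, "X-Shopify-Hmac-Sha256": sig}
        return handle_webhook(secret, hdrs, body, store)

    customer = {"shop_domain": "a.myshopify.com", "customer": {"id": 42}}
    forged, _ = send("customers/redact", customer, forge=True)
    exported, export_body = send("customers/data_request", customer)
    redacted, _ = send("customers/redact", customer)
    shop_gone, _ = send("shop/redact", {"shop_domain": "a.myshopify.com"})
    return {"statuses": (forged, exported, redacted, shop_gone),
            "export": export_body["queued_export"], "store": store}


if __name__ == "__main__":
    print(demo()["statuses"])
```

The forged request is refused before json.loads runs, so a bad signature can never reach a handler that deletes or exports data. The customers/redact handler removes only the (shop, customer) pair named in the payload, leaving the other tenant's record for the same customer id intact, which is the per-tenant scoping the policy describes.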
12. EU AI Act Disclosure
Responses and blog articles generated by Resayil AI are produced by an artificial intelligence system. Merchants may enable a per-store AI disclosure toggle in their account settings to automatically append an AI-generated-content notice to published blog articles, supporting compliance with EU AI Act transparency requirements effective August 2026.
13. Billing
Subscription billing is handled exclusively through the Shopify Billing API. Alphia does not directly collect or store payment card numbers. Billing records (plan, amounts, dates) are retained for 7 years to satisfy accounting and legal obligations.
14. Children's Privacy
Resayil AI is a business tool intended solely for Shopify store owners and their authorised team members. We do not knowingly collect personal data from anyone under 18 years of age. If you believe we have inadvertently collected such data, contact us immediately and we will erase it.
15. Changes to This Policy
We will notify active merchants of material changes to this policy via dashboard notification and, where applicable, email, at least 14 days before the change takes effect. The "Last updated" date at the top of this page always reflects the current version. Continued use of the app after the effective date constitutes acceptance of the updated policy.
16. Contact and DPA Requests
For privacy enquiries, data access or erasure requests, DPA copies, or SCC requests:
Alphia Ventures Sdn Bhd
Kuala Lumpur, Malaysia
Email: [email protected] / [email protected]
General enquiries: [email protected]
Website: agent.resayil.io
Effective date: 18 June 2026
Last updated: 18 June 2026
This policy is published in English only. An Arabic translation will be added before the Arabic (RTL) interface launches.