§ - Privacy Policy
Parlata - 2026
Legal

Privacy Policy

Last updated: April 25, 2026

1. Who we are

Parlata is operated by the team behind a large e-commerce store in the home-improvement space; the product was born as an internal tool and spun out. Contact: onboarding@parlata.ai. If you're a customer of one of our merchants and want to talk to us directly, the same address reaches us within one business day.

2. What personal data we collect

From merchants who install our Shopify app: shop domain, owner email, store metadata, app settings. From their customers (only via Shopify webhooks): customer email, first name, customer locale, order id, line item information. From customers who record a review or question: the audio file and the AI-generated transcript. From visitors of merchant storefronts who use Customer Q&A: voice or text questions plus optional first name and email. From everyone visiting parlata.ai: standard web analytics (anonymized IP, referrer, user agent).

3. How we collect it

Through the Shopify app installation flow (OAuth scopes the merchant approves explicitly). Through Shopify webhooks (orders/fulfilled, app/uninstalled, scopes_update, plus the three GDPR compliance webhooks). Through direct browser recordings on app.parlata.ai/r/<token> when the customer opens the link emailed to them. Through the Customer Q&A theme block on the merchant's product pages.

4. Why we collect it

To send a single post-fulfillment review request email per order. To transcribe and clean the customer's voice recording. To display approved reviews and Q&A on the merchant's product pages. To honor GDPR data-subject requests when they reach us. We don't profile customers, run advertising, or train models on this data.

5. Legal basis (GDPR)

Our processing is grounded in legitimate interest — communication between a merchant and a customer about an order the customer placed. The merchant remains the data controller for its customers; we act as a processor under that contract. EU customers can rely on the merchant's own privacy notice for the controller-side disclosures.

6. Subprocessors and third parties

Parlata routes data through a small set of named processors, each governed by their own DPA: Shopify Inc. (the platform), Supabase (managed Postgres + Storage, US East-2), OpenAI (Whisper transcription + GPT-4o-mini cleanup, with zero-retention API mode for audio), Resend (transactional email delivery), Fly.io (application hosting). We do not sell your data, and we do not share it with advertisers or analytics vendors beyond the operational processors above.

7. Retention

Voice recordings, transcripts, and review-request rows persist until: (a) the merchant or customer deletes them, (b) thirty days pass after a request expires unused, or (c) one of Shopify's GDPR webhooks fires. The customers/redact webhook deletes everything tied to a customer email within 24 hours; shop/redact wipes every row and audio file for a shop within 48 hours of receipt; customers/data_request triggers a manual export within the 30-day SLA Shopify mandates. Storage cleanup happens in the same operation as the database delete.

8. Your rights

You may request access to, correction of, deletion of, or export of your personal data. Customers in the EU, UK, or California also enjoy the GDPR/CCPA rights of objection, restriction, and data portability. The fastest path is emailing onboarding@parlata.ai with the email tied to your reviews; we respond within 30 days. If you're a customer of a merchant using Parlata, contacting that merchant directly will also reach us through the GDPR webhook chain Shopify provides.

9. Security

All data in transit travels over TLS 1.2+. All data at rest is encrypted on disk by the underlying providers (Supabase Postgres + Storage, Fly volumes). Audio files live in a private Storage bucket; access is granted only via short-lived signed URLs (1-hour expiry). Service-role credentials live in a managed secret store on Fly and never reach the browser bundle. Sessions in the merchant admin are HTTPS-only and signed by Shopify's HMAC.

10. Cookies

Parlata uses session cookies on the Shopify Admin embedded app for OAuth state and CSRF protection. We do not set tracking cookies on the customer-facing recorder page or on parlata.ai marketing pages beyond first-party analytics that respect Do Not Track.

11. International transfers

Data is stored on managed cloud infrastructure in the US (Supabase US-East-2 for Postgres + Storage; Fly.io IAD region for compute). For customers and merchants based in the EU, UK, or other jurisdictions with adequacy or transfer requirements, transfers are covered by Standard Contractual Clauses with our processors and the merchant's own customer notices.

12. Children

Parlata is intended for adult merchants and their customers. We do not knowingly collect data from anyone under 16. If you believe a minor has submitted a recording, contact us and we'll delete it.

13. Changes to this policy

Material changes are announced via email to active merchants at least 14 days before they take effect, and the 'Last updated' date at the top of this page is bumped accordingly. Continued use after the effective date constitutes acceptance.