1. Introduction
Blabbe (“we”, “our”, “us”) provides an AI-powered shopping assistant designed for Shopify stores. This Privacy Policy explains how data is collected, processed, and protected when:
- Merchants install and use Blabbe
- Shoppers interact with the assistant on a storefront
- Users access related services, APIs, or interfaces
Blabbe is built as a store-scoped, multi-tenant system with strict isolation, where each Shopify store operates as an independent environment with controlled data boundaries.
2. Roles and Scope of Processing
2.1 Merchant as Data Controller
For shopper data processed through the assistant, the merchant acts as the data controller, determining the purpose of data collection.
2.2 Blabbe as Data Processor
Blabbe acts as a data processor, processing data strictly on behalf of the merchant and only within the scope required to deliver the service.
2.3 Independent Controller Activities
Blabbe may act as a data controller for limited purposes such as:
- Billing and subscription management
- Platform security and abuse prevention
- Support communications
3. Core Privacy Principles
Blabbe is designed around:
4. Categories of Data Processed
4.1 Merchant Data
- Shopify store identifiers (domain, shop ID)
- OAuth tokens and authentication metadata
- Billing and subscription data
- Usage metrics and request counts
- Configuration settings and preferences
- Featured product selections
- Support communications
4.2 Shopper Data
- Messages submitted via the assistant
- AI-generated responses
- Session identifiers
- Interaction timestamps
- Optional cart interaction events
This data is processed in real time and may be stored to support continuity and merchant analytics.
4.3 Store Data (Retrieved from Shopify)
- Products and variants
- Collections
- Store policies (shipping, returns, privacy, terms)
- Public store pages and content
This data is used to construct store-aware responses.
4.4 Technical Data
- API logs
- Error and diagnostic logs
- Rate-limiting and abuse-prevention data
- Security-related metadata
5. Legal Bases for Processing (GDPR)
Where GDPR applies, Blabbe relies on the following lawful bases:
Processing required to deliver the Blabbe service to merchants.
Maintaining system security, preventing abuse, and improving reliability and performance.
For optional features or where required by law (e.g., cookies).
Important: Merchants are responsible for establishing lawful bases for their own data collection from shoppers.
6. How Data Is Used
Blabbe processes data to:
- Generate AI responses
- Retrieve relevant store data
- Maintain conversation continuity
- Provide merchant analytics
- Enforce usage and billing rules
- Ensure platform security and stability
7. Data Flow and Processing Architecture
Blabbe operates through a controlled pipeline:
- Shopper message is submitted
- Request is authenticated and scoped to a store
- Intent and context are analyzed
- Store data is retrieved
- AI generates a response
- Response is streamed back
Processing is stateless where possible, with limited session state retained for continuity.
8. AI Processing Transparency
Blabbe uses AI to generate responses based on shopper input, store data, and recent conversation context.
- Responses may vary and are probabilistic
- Outputs depend on available data
- The assistant does not replace human judgment
Blabbe is not intended for legal advice, financial advice, or account-specific support.
9. Data Retention
Blabbe retains data only as necessary:
- Chat sessions: retained for merchant visibility and analytics
- Usage data: retained for billing cycles and reporting
- Store knowledge: refreshed periodically
Retention periods may vary depending on operational and legal requirements. Merchants may request deletion of their store data.
10. Data Sharing and Subprocessors
Blabbe does not sell personal data. We share data only with subprocessors necessary to operate the service:
- Cloud hosting and infrastructure providers
- Database and storage providers
- AI processing providers
All subprocessors are selected based on security and reliability standards and are contractually bound.
11. International Data Transfers
Data may be processed in jurisdictions where our infrastructure providers operate. Where required, we rely on safeguards such as Standard Contractual Clauses (SCCs) and contractual data protection commitments.
12. Data Subject Rights (GDPR)
Where applicable, individuals have the right to access, rectify, or request deletion of their personal data. Requests should be directed to the merchant (data controller), or to Blabbe where applicable.
13. CCPA / CPRA Rights (California)
California residents may have the right to know, delete, or correct their data. Blabbe does not sell personal data.
14. Cookies and Tracking
Blabbe may use limited cookies for session management, authentication, and performance monitoring. We do not use cookies for third-party advertising or cross-site tracking.
15. Security Measures
Blabbe uses a multi-layered security model including store-scoped authentication, domain verification, rate limiting, and API access controls.
16. Children’s Data
Blabbe is not intended for use by children. We do not knowingly collect personal data from children.
17. Merchant Responsibilities
Merchants are responsible for ensuring compliance with applicable privacy laws and maintaining accurate store policies.
18. Changes to This Policy
We may update this Privacy Policy periodically. Significant changes will be communicated via email or on this page.
19. Contact
For privacy-related inquiries, please contact us at:
Our team is ready to provide deeper technical insights into our data practices.
Contact our team