Privacy, security, and compliance: how we handle your customer data
GDPR, CCPA, DPDPA, sub-processors, what happens when you uninstall, and why we never train models on your data.
Privacy is one of those topics that vendors tend to bury behind a "trust centre" page, three logos, and zero substance. This post is the substance. If you're evaluating llea.ai for a Shopify store, yours or a client's, these are the facts your DPO or compliance officer is going to want, written in plain language.
For the full legal text, see our Privacy Policy and Data Processing Agreement.
Who owns what (the controller / processor split)
Under GDPR, the merchant is the controller of shopper data and llea.ai is the processor. In plain English: you decide what to do with your customer data, we just do it for you. We never use shopper data for our own purposes, and we never share it with another merchant.
- Merchant data (your store, your staff, your billing): we're a controller for billing/account admin and a processor for app-feature data.
- Shopper data (your customers): you're the controller, we're the processor. We act only on your documented instructions, governed by our DPA.
Where your data lives
llea.ai runs on a small, deliberately chosen set of sub-processors. Every one of them has a signed DPA in place and a recognised certification. The full list is canonical in the Privacy Policy and updated there before any change rolls out.
- We do not pool data across customers. Your shoppers' intent profiles never leave your store's tenant boundary.
- We do not sell, rent, or share shopper data with any third party, including ad networks.
- EU/UK shoppers: data transfers rely on EU SCCs (Module 2 + Module 3), the UK IDTA, and the Swiss addendum where applicable.
- US-based sub-processors that are DPF-certified rely on the EU–US Data Privacy Framework as the primary mechanism, SCCs as fallback.
GDPR, CCPA, and India's DPDPA
We're built for compliance across the three regimes that matter most to Shopify merchants:
| Regime | How we comply |
|---|---|
| GDPR (EU/EEA) | Controller/processor DPA, SCCs for international transfers, 72-hour breach notification, Art. 28 sub-processor authorisation, data subject rights routed via Shopify GDPR webhooks. |
| UK GDPR | UK IDTA addendum to SCCs; UK supervisory authority recognised. |
| CCPA / CPRA (California) | Notice-at-collection, no sale or sharing of personal information, no use for cross-context behavioural advertising, opt-out and limit-use mechanisms honoured. |
| DPDPA (India) | Aligned with the Digital Personal Data Protection Act, 2023. Consent-based processing and data principal rights are honoured via the same Shopify webhook path. |
| Swiss FADP | Swiss addendum to SCCs for transfers out of Switzerland. |
Shopify's data policies
llea.ai is built around Shopify's mandatory GDPR webhooks. We HMAC-verify every webhook with your per-shop client secret and act on all three:
customers/data_request: within 30 days the merchant receives the shopper data we hold for the requested customer.customers/redact: on receipt, the shopper's records are deleted from our database and any downstream caches.shop/redact: 48 hours after uninstall, the merchant's full data is deleted from our database. Activity is logged in thecompliance_requestsaudit table.
Cookies and anonymous visitors
llea.ai's web pixel sets pseudonymous visitor IDs in cookies / local storage to track behaviour across sessions for anonymous shoppers. The rules:
- Cookies are strictly first-party. We don't set tracking cookies under any third-party domain.
- We respect Do Not Track headers and Global Privacy Control (GPC) signals.
- No browser fingerprinting. Cookies are the only persistent identifier.
- On the marketing site we set strictly-necessary, analytics, functional, and support cookies, gated through a consent banner with Google Consent Mode v2 in EU/UK.
- On the storefront pixel inside Shopify admin, only strictly-necessary cookies are set.
How shoppers opt out
Shoppers exercise rights through the merchant because they're the controller. The flow:
- First contact: the merchant whose store they shopped on. The merchant submits a Shopify GDPR webhook that reaches us automatically.
- If they can't reach the merchant, they email admin@llea.ai and we route the request to the merchant and process the relevant webhook.
- Browser-level: GPC signals are honoured automatically.
AI and the training question
The single biggest privacy question for AI-enabled SaaS is: "do you train models on my data?" Our answer is no, with specifics:
- Per-store models, never pooled. Each merchant's intent model is trained only on their own data. We do not train a shared "llea.ai model" across customers.
- Foundation models are off-limits. Our LLM provider is contractually barred from training foundation models on customer prompts or responses.
- EU AI Act transparency. Where required, our Privacy Policy serves as the transparency disclosure for limited-risk AI use.
What happens when you uninstall
- Hour 0: you click "Remove app" in Shopify admin. The
app/uninstalledwebhook fires immediately. - Hour 0–48: we begin store-level data deletion. A re-install in this window restores your data (handy if uninstall was accidental).
- Hour 48: the
shop/redactwebhook from Shopify confirms final purge. Your store-level data is gone from the live database. - Day 30: the last encrypted backup containing any trace of your data rotates out. We hold backups for security/disaster recovery, and they expire automatically.
compliance_requests table for 2 years, with no shopper PII, just the proof of deletion. This is what your DPO will ask for if there's ever a question.Security in practice
The headline items, lifted directly from our DPA Annex II:
- TLS 1.2+ in transit on every endpoint; AES-256 at rest on the Supabase database
- Row-Level Security on every multi-tenant table; per-shop credentials are never shared
- HMAC SHA-256 verification on every Shopify webhook against the per-shop client secret
- Per-shop Shopify OAuth credentials, never re-used across stores
- Least-privilege staff access, MFA enforced on all staff accounts, audit logging
- Encrypted, automatically expiring backups (30 days)
- Content sanitisation via DOMPurify for any HTML rendered in the app
- 72-hour breach notification to controllers per GDPR Art. 33
The summary your DPO wants
- GDPR + UK GDPR + CCPA + DPDPA + Swiss FADP compliant
- Signed DPA, SCCs (Modules 2 & 3), UK IDTA, Swiss addendum in place
- No model training on customer data, contractually enforced with our LLM provider
- No sale, no sharing, no cross-context behavioural advertising
- Sub-processor list canonical in the Privacy Policy with 30-day change notice
- 48-hour deletion on uninstall, driven by Shopify's own GDPR webhooks
If you need a signed counterpart of the DPA for your records, email admin@llea.ai. If you have specific compliance questions before installing, book a 30-minute call and we'll walk through them.