Privacy Policy
Last updated: May 24, 2026
1. Who we are
Olvio is an AI shopping agent for Shopify product pages. It is published and operated by:
Topicimes
3 Avenue René Laennec, 72000 Le Mans, France
SIRET: 90496525800018
President: Louis Jodon de Villeroché
Contact: [email protected]
In this policy, "Olvio", "we" and "our" refer to Topicimes acting as the publisher of the Olvio Shopify application.
2. Data Protection Officer
Topicimes has voluntarily designated a Data Protection Officer (DPO) responsible for ensuring compliance with this policy and with applicable data protection regulations:
Louis Jodon de Villeroché
Data Protection Officer, Topicimes
Email: [email protected]
You may contact the Data Protection Officer at any time with any question relating to this policy, to exercise your rights or to report a data protection concern.
3. Scope of this policy
This policy describes the data processed when the Olvio Shopify application is installed on a Merchant's Shopify store, when Shoppers interact with the Olvio widget on the Merchant's storefront, and when visitors browse Olvio's public pages on olvio.ai.
Three categories of users are covered:
- Merchants — owners or staff of a Shopify store who install and configure Olvio.
- Shoppers — visitors to a Merchant's storefront who may interact with the Olvio widget on a product page.
- Site visitors — visitors to olvio.ai (marketing pages, help center).
Olvio does not require Shoppers to create an account, sign in or share personal information. The widget never asks for a name, email, phone number or address, and the underlying AI is instructed never to solicit or retain such information.
4. Our role (Data Controller and Data Processor)
Topicimes acts in two distinct capacities under the GDPR, depending on the data category:
- Data Controller — for the Merchant's account data (Shopify identifiers, plan, configuration, encrypted credentials) and for the operational logs strictly necessary for the service to function.
- Data Processor (article 28 of the GDPR) — for Shopper interaction data processed on behalf of the Merchant (conversations, widget events, question logs, order attribution). The Merchant remains the Data Controller for this category and is responsible for informing Shoppers and collecting any necessary consent on their storefront.
The processing agreement governing the data-processing activities is incorporated into our Terms of Service and contains every clause required by article 28(3) of the GDPR. A standalone Data Processing Agreement (DPA) is available on request at [email protected].
5. Information we collect and store
Olvio retains only the data strictly necessary to provide the service. The sections below enumerate every category of data we store in our own infrastructure.
5.1 Merchant data
When a Merchant installs and configures Olvio, we store:
- Store identifiers — the Shopify .myshopify.com domain, the primary storefront domain and the access token issued by Shopify.
- AI provider credentials — the API key the Merchant supplies for the AI provider they have selected. Keys are encrypted with AES-GCM (256-bit) and cryptographically bound to the store domain as additional authenticated data before being written to our database. They are never displayed in plaintext again.
- Widget configuration — colors, typography, corner radii, custom CSS, label, title, avatar image and translation overrides defined by the Merchant.
- AI context — the business description, product categories and answer guidelines entered by the Merchant on the AI Setup page.
- Billing state — current plan, Shopify AppSubscription identifier, billing cadence (monthly / yearly) and trial period status.
- Session data — Shopify authentication sessions issued during OAuth, used to call the Admin API on the Merchant's behalf. Automatically deleted when the application is uninstalled.
5.2 Shopper interaction data
Shopper data is always stored under an anonymous session identifier generated client-side. We do not collect names, emails, phone numbers or addresses.
- Anonymous session identifier — a random identifier generated locally by the widget and stored in the Shopper's browser under the key "olvio_sid". Used to correlate widget events and conversations within a single shopping session.
- Widget events — impressions, opens, message sends, add-to-cart signals, by product and timestamp. Pre-engagement events are logged without a session identifier.
- Conversations — the sequence of messages exchanged between the Shopper and Olvio on a product page, including optional feedback. No field that would identify the Shopper is retained.
- Question logs — the text of each question sent by a Shopper, paired with the product page and a timestamp. Used to power the Merchant's analytics dashboard (recurring topics).
- Order attribution — when a Shopify order is placed following a chat session, we record the order identifier, the product identifiers of the line items, the order total (in cents), the currency and the anonymous session identifier used to link the order to the conversation (with no link to an individual person). We do not receive or store the shopper's name, email, phone number or shipping address. This data comes from the Shopify orders/create webhook and is filtered at ingestion.
5.3 Catalog data
In order to answer Shoppers' questions accurately, Olvio ingests the content of the Merchant's Shopify catalog:
- Products — title, description (HTML and plain text), vendor, product type, tags, status, price range, currency, images, SEO fields, variants, metafields and collections.
- Online Store content — public pages and blog articles from the Merchant's storefront.
- File-type metafield content — text extracted from documents attached via the Shopify metafield "custom.olvio_knowledge_file" (PDF, DOCX, XLSX).
Catalog data is ingested at first installation, kept up to date in real time via Shopify webhooks (products/create, products/update, products/delete) and reconciled nightly.
5.4 Site visitor data (olvio.ai)
Visitors to olvio.ai may be subject to analytics cookies and similar technologies, disclosed via a cookie consent banner shown on the first visit. Only cookies strictly necessary for the site to function are set before consent is collected. All other cookies (analytics, marketing) are loaded only after the visitor's express acceptance.
5.5 Data sources
We collect data from the following sources, in accordance with article 14 of the GDPR:
- Directly from the Merchant — when installing Olvio, entering API keys and configuring the widget.
- From Shopify — via OAuth, the Admin API and webhooks, under the authorization granted by the Merchant at installation.
- Directly from Shoppers — via the widget on the Merchant's storefront, under an anonymous session identifier.
6. Special category data
Olvio does not collect, store or process special categories of personal data within the meaning of article 9 of the GDPR (health, biometric, genetic, political opinions, religious beliefs, racial or ethnic origin, sexual orientation, trade union membership).
The AI system prompt explicitly forbids Shoppers from sharing such information and instructs the AI not to repeat it if inadvertently disclosed. Conversations are retained as-is; we recommend that Merchants inform their Shoppers not to share sensitive personal information in the widget.
7. How we use this data
- Deliver the core features of the application — render the chat widget on product pages, answer Shopper questions and recommend products.
- Operate the merchant admin — display catalog sync status, conversation history, analytics and billing state.
- Sync with Shopify — react in real time to product create/update/delete events, app subscription updates and order creation.
- Improve the service — aggregate anonymous usage signals to surface recurring topics and catalog blind spots to the Merchant.
- Comply with legal obligations — apply Shopify's GDPR compliance webhooks and our contractual obligations as a Data Processor.
We do not sell personal data. We do not use Shopper data or conversation content to train AI models.
8. AI provider (Anthropic, Merchant-supplied key)
Olvio operates on a bring-your-own-key model. Each Merchant supplies their own Anthropic API key (Claude models) and connects it to power the Service.
When a Shopper sends a message via the widget, the Merchant's prompt and conversation context are routed from our Worker to the AI provider chosen by the Merchant using their own API key. We do not relay this content, do not reuse it, do not aggregate it and do not use it for training purposes. We have no commercial or contractual relationship with the AI provider on behalf of the Merchant — the Merchant has their own agreement directly with the provider they selected.
Processing, retention and international transfer of the prompt and the response by the AI provider are governed by that provider's own terms and privacy policy. Before entering an API key, Merchants are required to review the data practices of the selected provider.
Olvio retains the conversation history (messages and timestamps) in its own database as described in section 5.2, in accordance with the retention rules in section 11. Olvio does not retain raw API request or response payloads beyond this conversation history.
9. EU AI Act (Regulation 2024/1689)
Olvio is an AI system within the meaning of article 3 of the EU AI Act. Topicimes and the Merchant exercise complementary responsibilities under this regulation:
- Topicimes (provider) — responsible for the technical compliance of the AI system, its documentation, and its availability as a safe and compliant tool. This includes maintaining technical documentation, applying risk management, implementing human-oversight mechanisms and cooperating with supervisory authorities, as required.
- Merchant (deployer) — responsible for the use of the system on their storefront, for defining the purposes of use, and for the compliance of the deployment with applicable regulations and their own terms of service.
Olvio qualifies as a limited-risk AI system under the AI Act. In accordance with the transparency obligations of article 50, each Shopper interaction with the widget displays the disclaimer "Olvio is an AI and can make mistakes" so that Shoppers are always aware they are communicating with an AI and not a human being. This disclaimer is locked and cannot be removed by Merchants through widget customization.
10. Automated decision-making and profiling
Olvio uses AI to generate product recommendations and contextual answers. These responses are informational and do not constitute an automated decision producing legal or similarly significant effects on Shoppers within the meaning of article 22 of the GDPR. Shoppers remain free at all times to add to cart, continue browsing, leave or ignore any recommendation.
Olvio does not build individual profiles of Shoppers across sessions or across stores. Conversations are retained on a per-session basis only for the duration applicable to the Merchant's plan (section 11).
11. Data retention
Retention applies to conversation-related data (conversations, question logs, widget events, order attributions) and depends on the Merchant's plan. Retention periods are enforced by automatic deletion and reflect the data-minimization principle of article 5(1)(e) of the GDPR:
| Plan | Conversation data retention period |
| --- | --- |
| Starter | 30 days from the event timestamp. |
| Growth | 90 days from the event timestamp. |
| Scale | 365 days from the event timestamp. |
| Custom | Negotiated by contract (by default, no automatic purge). |
A daily scheduled job enforces these durations by deleting records older than the applicable threshold. Catalog data (products, sync state) is retained for the full duration the application is installed.
When a Merchant uninstalls Olvio, Shopify delivers a "shop/redact" webhook approximately 48 hours later. Upon receipt, we permanently delete all data associated with that store in our database and vector index: conversations, question logs, widget events, order attributions, knowledge files, products, embeddings and the store record itself.
12. Subprocessors
Topicimes uses the following Subprocessors to deliver the Olvio service. All of them are bound by data processing agreements offering protections equivalent to those of the GDPR, including, where required, the European Commission's Standard Contractual Clauses of June 4, 2021.
| Provider | Purpose | Primary data storage location |
| --- | --- | --- |
| Cloudflare, Inc. | Application hosting (Workers), database (D1), vector index (Vectorize), edge cache (KV), rate limiting and embeddings (Workers AI). | European Union (WEUR region, Western Europe). Edge compute may execute on the Cloudflare data center closest to the requester. |
| Intercom R&D Unlimited Company | Support messaging integrated into the Olvio merchant admin. | Ireland (European Union). |
Shopify Inc. is the application distribution platform on which Olvio runs. The Merchant has a direct agreement with Shopify for their store and grants Olvio authorized access via OAuth. Shopify is not a Subprocessor of Topicimes within the meaning of article 28 of the GDPR.
Anthropic, the AI provider connected by the Merchant, is not a Subprocessor of Topicimes. It is the Merchant's own Subprocessor under the Merchant's direct agreement with Anthropic. See section 8 for details.
13. Data security
- Encryption in transit — all traffic to and from the Olvio Worker uses HTTPS/TLS.
- Encryption at rest (secrets) — AI provider API keys are encrypted with AES-GCM 256-bit before being written to the database, with the store domain bound as additional authenticated data so that ciphertexts cannot be replayed across stores.
- Multi-tenant isolation — every database query that touches store-scoped data is constrained by the store identifier. Isolation is enforced at the query level, on every read, update and delete operation.
- Rate limiting and origin controls — widget requests from the storefront are validated against the store's declared domain. Per-store rate limits protect against abuse.
- Webhook authentication — every Shopify webhook is HMAC-verified before any data is written.
- Principle of least privilege — Olvio only requests the OAuth scopes read_products, read_orders, read_themes and read_locales from Shopify.
14. Security incidents and breach notification
In the event of a personal data breach, Topicimes will notify affected Merchants without undue delay and, where feasible, no later than 72 hours after becoming aware of it, in accordance with article 33 of the GDPR. The notification will describe the nature of the breach, the categories and approximate number of records concerned, the likely consequences and the measures taken or proposed to address the incident.
Where a breach is likely to result in a high risk to Shoppers, Topicimes will assist Merchants in notifying the affected Data Subjects as required by article 34 of the GDPR.
To report a suspected breach, contact the Data Protection Officer at [email protected].
15. Cookies and browser storage
Olvio uses browser storage in a targeted and transparent way:
- Merchant admin and Shopper widget — no HTTP cookies are set. The widget uses localStorage to keep a random anonymous session identifier (key: olvio_sid) and sessionStorage to cache transient chat state and product suggestions for the current session. Neither is used for cross-site tracking, and no third-party analytics or advertising scripts are injected into Merchants' storefronts.
- Public olvio.ai pages — a cookie consent banner is displayed to visitors on first arrival. Only cookies strictly necessary for the site to function are set before consent. Analytics and marketing cookies are loaded only after the visitor expressly accepts via the banner. Consent can be withdrawn at any time.
16. International data transfers
Primary data storage (Cloudflare D1, Vectorize, KV) is configured to reside in the Western Europe region. Support interactions via Intercom are stored in the European Union.
Cloudflare's edge compute may process requests from the data center closest to the requester; such transit processing does not result in persistent storage outside the primary region.
Transfers of personal data outside the European Economic Area, when they occur, rely on the Standard Contractual Clauses approved by the European Commission on June 4, 2021, supplemented by technical measures (encryption in transit and at rest for secrets) and the contractual commitments of each Subprocessor.
Transfers to AI providers selected by the Merchant are not governed by this policy and fall under the responsibility of the Merchant and the provider they have chosen (see section 8).
17. Your rights under the GDPR
If you are located in the European Economic Area, the United Kingdom or Switzerland, you have the following rights regarding your personal data:
- Right of access to the data we hold about you.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") in the cases provided for by law.
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing based on legitimate interest.
- Right not to be subject to a decision based solely on automated processing (see section 10).
- Right to lodge a complaint with a supervisory authority. In France, the competent authority is the Commission Nationale de l'Informatique et des Libertés (the CNIL, cnil.fr).
Shoppers: insofar as we do not retain identifying information about Shoppers, access, deletion or correction requests generally cannot be fulfilled on an individual basis. Shoppers can erase all widget data on their device by clearing their browser's localStorage and sessionStorage for the Merchant's domain.
Merchants: you can exercise your rights by uninstalling Olvio (which triggers automatic deletion via Shopify's shop/redact webhook approximately 48 hours later) or by contacting the Data Protection Officer at [email protected]. We respond to requests within one month of receipt, extendable once by an additional two months for complex requests, with notification.
18. Children's privacy
Olvio is a B2B product intended for Shopify Merchants and their Shoppers. It is not directed at children under 16, and we do not knowingly collect personal data from children. If a Merchant operates a storefront targeting children, it is their responsibility to comply with applicable law.
19. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this document reflects the most recent revision. For any material change affecting Merchant data, we will notify active Merchants via the Olvio admin interface before the change takes effect.
20. Contact
For any question relating to this policy or to your personal data:
Louis Jodon de Villeroché
Data Protection Officer, Topicimes
3 Avenue René Laennec, 72000 Le Mans, France
Email: [email protected]
We endeavor to respond to any Data Subject request within one month of receipt, as required by the GDPR.