Privacy Policy

Effective January 19, 2026

1. Introduction

Lumen ("we," "our," or "us") is a WISMO (Where Is My Order) chatbot application for Shopify stores. This Privacy Policy explains how we collect, use, store, and protect information when you use our app.

We are committed to protecting your privacy and maintaining the security of any personal information we receive.

2. Information We Collect

2.1 Merchant Information

When you install Lumen, we collect:

  • Store URL and domain
  • Merchant email address
  • App configuration settings (chatbot tone, branding preferences)
  • Billing plan selection

2.2 Order Data

When customers use the chatbot to look up their orders, we temporarily access:

  • Order number
  • Order status (financial and fulfillment status)
  • Order total and currency
  • Product titles and quantities
  • Shipping city, province, and country (NOT full street address)

IMPORTANT: Customer emails are verified during the API call only and are NOT stored in our database. This is part of our privacy-by-design approach.

2.3 Conversation Analytics

We collect anonymized conversation data for analytics purposes:

  • Conversation sentiment (positive, neutral, negative)
  • Ticket status (resolved, pending, escalated)
  • Message count and session duration
  • Order number (if provided by customer)
  • Feedback (thumbs up/down)

This data does NOT include customer names, email addresses, phone numbers, or full shipping addresses.

3. How We Use Your Information

We use the collected information to:

  • Provide the WISMO service: Answer customer inquiries about their order status and tracking information
  • Sentiment analysis: Detect frustrated customers and offer escalation to human support
  • Analytics: Provide merchants with insights on customer support performance
  • Improve the service: Enhance chatbot responses and accuracy
  • Billing: Track usage limits for different subscription tiers

4. Third-Party Services

We share limited data with the following third-party services:

4.1 OpenAI

Conversation messages are sent to OpenAI's GPT-4o-mini API to generate chatbot responses. We do NOT send customer email addresses to OpenAI. Only order numbers and tracking numbers are included in the AI context.

OpenAI Privacy Policy

4.2 Resend (Email Service)

When customers escalate to human support, we send escalation notifications via Resend. These emails may include customer email addresses (from order data) and conversation transcripts. Emails are anonymized before sending (email addresses replaced with placeholders).

Resend Privacy Policy

4.3 Vercel (Hosting)

Our application is hosted on Vercel's infrastructure. Vercel may have access to application logs and system metrics.

Vercel Privacy Policy

4.5 Railway (Database)

Our PostgreSQL database is hosted on Railway.

Railway Privacy Policy

5. Data Retention

We automatically delete chat session data after 90 days. This automated purge runs daily to minimize data retention and comply with GDPR data minimization principles.

Customer emails are never stored in our database - they are only verified in-memory during API calls.

Merchant account settings are retained until the app is uninstalled.

6. Data Security

We implement industry-standard security measures:

  • All data transmission is encrypted via HTTPS/TLS
  • Database connections use SSL encryption
  • Shopify OAuth tokens are stored securely
  • API endpoints require authentication
  • Regular security updates and monitoring

7. Your Rights (GDPR Compliance)

If you are a customer whose data is processed through Lumen, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("Right to be Forgotten")
  • Data Portability: Request your data in a machine-readable format
  • Object: Object to processing of your data

To exercise these rights, please contact the Shopify merchant where you made your purchase. Merchants can request data deletion through Shopify's GDPR tools, which will trigger automatic deletion in Lumen.

8. GDPR Webhook Handlers

We comply with Shopify's GDPR webhooks:

  • customers/data_request: We export all data associated with a customer
  • customers/redact: We delete all data associated with a customer
  • shop/redact: We delete all merchant and customer data when the app is uninstalled

9. Cookies and Tracking

Lumen does not use cookies or tracking technologies. Session identifiers are generated client-side and used only for conversation continuity within a single browsing session.

10. Children's Privacy

Lumen is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The "Effective" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: support@ironmint.studio

Support: Via your Shopify app dashboard

© 2026 Lumen. All rights reserved.
