Privacy Policy
Sayless is an AI search app for Shopify stores, operated by Foam on Latte (contact: [email protected]). This policy explains what data Sayless collects, why we collect it, who processes it, how long we keep it, and what choices merchants and shoppers have. Plain English, no dark patterns, no data resale.
1. Who we collect data from
Two groups:
- Merchants — Shopify store owners who install Sayless from the Shopify App Store.
- Shoppers — visitors searching on a merchant's storefront while the Sayless search widget is active.
2. Data we collect from merchants
- Store identity: your shop domain (e.g.
your-store.myshopify.com) and the Shopify-issued access tokens used to call the Admin API on your behalf. - Product catalog: Shopify product ID, product URL, title, description, handle, featured image URL, variant count, price, compare-at price, vendor, product type, tags, availability, variant attributes (size, color, material, SKU), and product creation / update timestamps — pulled via Shopify's Admin API and indexed so shoppers can search them.
- Billing status: your current Sayless plan (Free or Pro) and Shopify billing subscription state, used to enforce plan limits. Billing itself is processed by Shopify Managed Pricing — we never see card or bank details.
- App configuration: synonyms, pinned queries (Pro), and other settings you add in the Sayless dashboard.
- Aggregate usage: total searches per month, sync timestamps, widget phone-home pings — used to operate the app and enforce plan limits.
3. Data we collect from shoppers
When a shopper uses the Sayless search widget on a merchant's storefront, we record:
- The search query they typed.
- The number of results returned for that query.
- The product ID they clicked, if they click a result.
- A timestamp and the merchant's shop domain.
- An anonymous Sayless visitor identifier — a random UUID we generate in the shopper's browser the first time they search, persisted in cookie +
localStorageon the merchant's storefront. It lets the same shopper see their own “recent searches” on return visits and lets the merchant's analytics distinguish unique shoppers from total search volume. It contains no personal information and is not linked to any account. - Shopify's anonymous visitor identifier (clientId) — when the shopper has consented to analytics under Shopify's Customer Privacy API, Shopify's Web Pixels runtime supplies this stable visitor ID alongside our events. We use it to attribute search activity to a single visitor session for merchant analytics. When the shopper has NOT consented to analytics, this identifier is never read or transmitted (see Section 8).
We do not collect shopper names, email addresses, phone numbers, shipping addresses, IP addresses, browser fingerprints, payment information, or any other personally identifying information through the widget. The identifiers above are anonymous session keys; on their own they cannot identify a real person.
This data is used in aggregate to show the merchant their top searches, dead-end queries (searches with no results), and click-through rate.
4. How we use data
- To power semantic and keyword search on the merchant's storefront.
- To keep the merchant's search index up to date when products change.
- To show the merchant analytics about what shoppers are searching for.
- To enforce Sayless plan limits (product count, monthly search count).
- To debug crashes and errors in the app.
We do not sell data. We do not share merchant or shopper data with advertisers. We do not use merchant or shopper data to train AI models. We do not engage in cross-context behavioural advertising.
5. Legal basis for processing (GDPR)
Where the GDPR applies, we rely on the following lawful bases under Article 6:
- Contract (Art. 6(1)(b)) — for processing merchant data, including indexing the product catalogue and enforcing plan limits, the basis is performance of the merchant's contract with Sayless (the App Store install agreement).
- Legitimate interests (Art. 6(1)(f)) — for aggregate shopper-search analytics, the basis is the merchant's legitimate interest in understanding how shoppers interact with their store search, and our legitimate interest in operating and improving the service. These uses are limited to anonymous identifiers and aggregate counts, not personal data.
- Consent (Art. 6(1)(a)) — Shopify's anonymous visitor identifier (clientId) is read via the Web Pixels runtime only when the shopper has consented to analytics under Shopify's Customer Privacy API.
- Legal obligation (Art. 6(1)(c)) — for responding to compliance requests routed through Shopify's mandatory
customers/data_request,customers/redact, andshop/redactwebhooks.
Our role: data processor for merchants
Under the GDPR and CCPA / CPRA, Sayless acts as a data processor (CCPA: “service provider”) on behalf of the merchant. The merchant is the data controller for the shopper activity that flows through the Sayless widget on their storefront — they decide what gets indexed, what synonyms apply, and which shoppers are subject to data-subject requests they receive. Sayless processes that data only on the merchant's documented instructions (the App Store install + this policy). For our own operational data (your shop record, our error logs, billing status), Sayless is the controller.
This Privacy Policy, together with the Shopify Partner Program Agreement (which incorporates the Shopify Data Processing Addendum) and the Shopify App Listing Agreement that the merchant accepts on install, constitutes the data-protection agreement between Sayless and the merchant. Merchants requiring a separate signed Data Processing Agreement (e.g. for enterprise compliance review) may request one at [email protected].
6. Sub-processors
Sayless stores and processes data with these service providers:
- Shopify Inc. — Sayless acts on the merchant's authorization to read products and billing status via Shopify's Admin API. Billing is processed entirely by Shopify Managed Pricing. Shopify privacy policy.
- Managed database provider (hosted in the United States) — stores shop records, search events, synonyms, sync job state, and pinned queries.
- Managed search provider (hosted in the United States) — stores the search index (your product catalogue) and processes shopper queries.
- Cloud compute provider (hosted in the United States) — runs the Sayless application servers.
- Error-monitoring provider (hosted in the United States) — receives error and crash reports. Reports include the shop domain and a stack trace; we do not transmit product content or raw shopper queries to it, and IP addresses and standard PII headers are stripped before send.
Each sub-processor has its own privacy and security practices. We work with providers that offer standard data-processing terms and, where applicable, GDPR-compliant Data Processing Agreements.
7. International data transfers
All Sayless sub-processors listed above are based in the United States. Data originating in the European Economic Area, the United Kingdom, or Switzerland may therefore be transferred to and processed in the United States. We rely on the following safeguards for these transfers:
- Standard Contractual Clauses (SCCs) approved by the European Commission with each sub-processor that offers them.
- Data minimisation — for shoppers, we never transfer personal data because we never collect it. For merchants, the only data crossing borders is the operational data needed to run the app (shop domain, product catalogue, app settings).
- Encryption in transit (TLS 1.2+) and at rest (AES-256) on every sub-processor.
Data Protection Officer and EU representative
Sayless is a small operation that does not process personal data on a scale or of a type that triggers the GDPR's mandatory Data Protection Officer requirement (Art. 37). We have not appointed a DPO. Privacy questions are routed to [email protected] and answered directly by the founder. For the same reason — we do not process personal data of EU residents on a regular or large scale, only anonymous identifiers and aggregate counts — we have not appointed an EU representative under Article 27. We will appoint one if our processing activities ever cross that threshold.
8. Shopper consent and Customer Privacy API
Sayless respects shopper consent decisions captured by Shopify's Customer Privacy API at two layers:
- Widget-side gate — before recording a search event or persisting the visitor identifier, the widget calls
Shopify.customerPrivacy.analyticsProcessingAllowed(). When it returns false, no analytics data leaves the browser. - Web Pixel runtime gate — our Web Pixel app extension is registered with
customer_privacy.analytics = true. Shopify's pixel runtime will not invoke our subscription callback at all when the shopper has declined analytics consent.
The widget includes a “Clear all” control that implements the right to erasure (GDPR Art. 17 / CCPA right to delete) inline: clicking it wipes the visitor's recent-searches list, recently-viewed cache, and the Sayless visitor identifier from the local browser, then sends a forgetMe beacon that tells our server to delete every search event associated with that visitor identifier server-side.
9. How long we keep data
We retain different categories of data for different periods, with the shortest possible window for each. Where deletion happens automatically on a rolling window, we state the window explicitly so that you can confirm the cadence yourself.
- Product catalogue (search index): deleted from our search engine immediately when Sayless is uninstalled.
- Shopify session tokens: deleted immediately when Sayless is uninstalled. While Sayless is installed, tokens are rotated on every re-authentication and expired tokens are deleted 30 days after their expiry date.
- Search events (the typed query, your shop ID, a timestamp, the resulting product count, the clicked product ID if any, and the anonymous visitor identifier — no personal shopper data): retained for 90 days on a rolling window from the date each event was recorded, then automatically deleted. Individual visitor-level deletions before that window expires are processed on receipt of a
customers/redactwebhook from Shopify, of aforgetMebeacon from the “Clear all” widget control, or of a direct request to [email protected]. - Order linkage records (the Shopify order GID, the customer GID for attribution, the order total, currency, and timestamp — never the customer's name, email, phone, or shipping address): retained for 90 days on a rolling window from the date each order was recorded, then automatically deleted. The customer GID is severed immediately on receipt of a
customers/redactwebhook so the order itself remains as shop-owned commercial data while the customer linkage is permanently removed. - Shop record, synonyms, sync history, and onboarding state: retained in our database while Sayless is installed. On uninstall, we mark the shop as uninstalled (so a reinstall keeps your prior settings) and fully redact the shop on receipt of Shopify's
shop/redactwebhook (fired by Shopify approximately 48 hours after uninstall) or sooner on direct merchant request. - Operational logs and webhook bookkeeping (Shopify webhook deduplication records, expired Shopify session rows): retained for 30 days past their creation or expiry date, then automatically deleted. These contain no shopper or merchant-personal data — they exist purely to make webhook delivery exactly-once and to keep our session table compact.
10. Your rights (GDPR, UK GDPR, CCPA / CPRA)
Sayless does not collect personally identifying shopper data through the search widget, so most shopper-level data-subject requests are satisfied automatically: we simply have nothing tied to an individual real-world person.
You have the following rights with respect to any data we do hold:
- Right of access — request a copy of the data we hold about you or your store.
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure (deletion) — uninstalling Sayless from your Shopify admin immediately removes your product search index and Shopify session tokens; the rest is fully redacted via Shopify's
shop/redactwebhook approximately 48 hours after uninstall, or sooner on email request. Shoppers can use the “Clear all” control in the widget at any time (Section 8). - Right to data portability — request an export of your shop's synonyms, settings, and search analytics in JSON or CSV.
- Right to restrict or object to processing — including the right to opt out of analytics by declining consent under Shopify's Customer Privacy API.
- Right to withdraw consent — where processing is based on consent (for example, the Shopify Web Pixels analytics flow), you can withdraw consent at any time without affecting the lawfulness of prior processing. Shoppers can do this instantly via the “Clear all” control in the widget (Section 8) or via the storefront's Customer Privacy banner. Merchants can do this by uninstalling Sayless.
- Right to lodge a complaint with a supervisory authority — under Article 77 GDPR, you may complain to the data protection authority in your country of residence or place of work.
- California rights (CCPA / CPRA) — California residents have rights of access, deletion, correction, portability, and to know what categories of personal information are collected. Sayless does not sell personal information and does not share personal information for cross-context behavioural advertising. There is therefore no “Do Not Sell” opt-out to exercise; the right is honoured by default.
How to exercise these rights: email [email protected] from the shop owner's address (for merchant requests) or any address (for shopper requests). We will respond within 30 days. There is no charge for the first request in any 12- month period.
Shopify-routed compliance webhooks: Sayless subscribes to all three mandatory App Store compliance webhook topics — customers/data_request, customers/redact, and shop/redact. Requests routed to Shopify by a merchant or shopper that arrive via these webhooks are processed automatically within 30 days.
11. Automated decision-making
Sayless does not engage in automated decision-making that produces legal or similarly significant effects on individuals (per GDPR Art. 22). Search ranking is product discovery — it determines which products appear higher in the merchant's search results and is not a decision about credit, employment, housing, insurance, access to services, or any other consequential outcome. The merchant retains full control over their catalogue, synonyms, and pinned queries.
12. Security
Data is transmitted over HTTPS (TLS 1.2 or higher) end to end. At rest, data is encrypted with AES-256 by every sub-processor. Sayless authenticates merchants through Shopify's OAuth flow — we never see or store your Shopify password. App-to-Shopify Admin API requests are signed with Shopify-issued access tokens that we rotate on every re-authentication.
We follow standard production hardening practices: dependencies are audited on every pull request, third-party static analysis runs on every push, errors land in our error-monitoring provider with PII headers stripped before send, and database access is restricted to application credentials with row-level security enabled across every tenant table. Test data is kept in a separate database instance from production. Database backups are encrypted and managed by our database provider.
Security incident response
If we become aware of a security incident that has resulted, or is reasonably likely to result, in the unauthorised disclosure of merchant or shopper personal data, we will:
- Notify affected merchants without undue delay, and in any event within 72 hours of becoming aware where this is feasible — by email to the merchant contact on file and via a banner in the Sayless admin dashboard.
- Notify the relevant supervisory authorities where the incident triggers a notification obligation under applicable law (e.g. GDPR Art. 33 — within 72 hours).
- Provide affected merchants with a summary of what happened, what data was involved, what we've done to contain it, and what the merchant should do next.
13. Cookies and local storage
The Sayless storefront search widget uses the following client-side storage on the merchant's storefront. None of this storage is shared across stores; each merchant's storefront has its own isolated copy.
sayless_vcookie (1-year expiry, Lax SameSite, Secure) — stores the anonymous Sayless visitor identifier (random UUID) so the same shopper sees their own “recent searches” across visits. No PII; not used for advertising or cross-site tracking.sayless_visitor_v1in localStorage — duplicate of the cookie value as a resilience fallback for shoppers in private-browsing mode.sayless_recent_v3in localStorage — the shopper's recently-viewed product list, used to populate the “Recently viewed” row when the search overlay opens. Stays in the browser; never sent to our servers.- A short list of recent search queries in
localStorage— used to render the “Recent searches” column. Stays in the browser; never sent to our servers.
Shoppers can purge all of the above at any time using the “Clear all” button in the widget (which also fires the server-side forgetMe deletion described in Section 8) or by clearing their browser storage for the merchant's storefront.
The Sayless admin dashboard (inside the Shopify admin) uses session cookies managed by Shopify's App Bridge for authentication. We do not set our own admin cookies.
This public website (our marketing pages, changelog, and this policy) uses Google Analytics to understand how visitors find and use the site. Analytics cookies are not set unless you accept them: the tag loads in a consent-denied state and only stores or reads cookies after you choose “Accept” on the cookie banner. We store your choice in a sayless_analytics_consent cookie (180-day expiry, Lax SameSite, Secure) so we don't ask again on every visit. We do not use Google Analytics for advertising, and we never grant ad-personalization consent. To withdraw consent, clear this site's cookies in your browser and decline when the banner reappears.
14. Children's privacy
Sayless is a business-to-business app. It is not directed to children and does not knowingly collect data from children under 13 in the United States (COPPA), under 16 in the European Economic Area, or below the applicable minimum age in any other jurisdiction.
15. Changes to this policy
We may update this policy as the app evolves. Material changes will be reflected in the “last updated” date at the top of the page, and where the change is significant, we will notify merchants by email or through the Sayless admin dashboard. Continued use of Sayless after an update means you accept the revised policy.
16. Contact
Questions, data-subject requests, or privacy complaints: [email protected]. Postal contact and additional company details are available on request.