Data Privacy & Security

What data Kwiro collects, where it's stored, and how it's protected. Plain-language privacy answers for store owners.

Plain-Language Privacy#

Kwiro is built so your data stays your data. Here's what's captured, what isn't, and where it lives.

TLS 1.2+ in flight, AES-256 at rest, hosted on AWS us-west-2 (Oregon). Your data is never sold and never used to train third-party AI models.

Your product catalog: name, description, price, sale price, stock status, categories, tags, images, reviews, average rating.
Your order data when an attribution match happens: order ID, total, currency, products in the order, timestamp.
WooCommerce hook events when products change.

Their messages and the AI's replies.
Anonymous session ID + visitor ID (a browser-generated UUID — not tied to identity).
Their feedback (thumbs up/down + optional comment) when they rate a response.
Coarse signals: language detected, sentiment detected, did they convert.

Names, emails, addresses, phone numbers, payment info. None of this enters our system from chats.
IP addresses for analytics. IPs are used only for daily-cap rate limiting, then dropped.
Cross-store shopper tracking. Each store's shoppers are isolated. We don't know if the same person visits two Kwiro-powered stores.

Product data + conversations + memory — stored in Supabase (PostgreSQL on AWS us-west-2, Oregon). Encrypted at rest with AES-256, TLS 1.2+ in transit.
Billing data + invoices — stored at Paddle, our merchant of record. PCI-DSS Level 1 compliant. We never see card numbers.
Email delivery — handled by Resend. They process the email contents in transit but don't store conversation history.
AI inference — routed through OpenRouter, a privacy-preserving AI gateway. Inference inputs (your product context + shopper message) are sent to OpenRouter, which forwards them to the underlying large language model and returns the response. Our OpenRouter account is configured for Zero Data Retention (ZDR): neither OpenRouter nor the upstream model provider logs, stores, or retains the prompts or responses. They are also not used to train any model.

Conversations: retained indefinitely while your account is active. Deleted on account deletion within 30 days.
Memory + Knowledge Gaps: retained indefinitely while active. The longer they exist, the better your AI sells.
Anonymous visitor IDs: 90 days, then rotated.
Logs / debug info: 30 days.
Billing records: retained at Paddle per their policy (typically 7 years for tax compliance).

When a shopper exercises their rights:

Right to access — they can email you their conversation log; you can pull it from your dashboard. Email [email protected] if you need help.
Right to deletion — email [email protected] with the visitor ID (we'll guide you through getting it from the conversation transcript). We delete that visitor's conversation rows within 7 days.
Right to data portability — we provide a CSV export on request.

Export everything — email [email protected], we provide a full export within 7 days.
Delete your account — email [email protected]. We retain billing records as required by law, delete everything else within 30 days.

TLS 1.2+ everywhere. HSTS enabled.
Database access scoped per-store (Row-Level Security policies in Supabase).
API keys are bcrypt-hashed at rest with indexed prefix lookup. Compromised keys can be rotated from your dashboard with one click (Growth+).
Internal admin access is 2FA + audit logged.
Annual third-party security review (planned for Q3 2026).

Email [email protected]. Real human, real response, no template.