Privacy Policy

Last updated: June 1, 2026

Kwiro is operated by Inteliweave, a trade-licensed business in Bangladesh (Trade Licence No. 05/B-1854, issued by Rajshahi City Corporation). Referred to below as the “Company”, “we”, or “us”. This policy explains what data we collect when you use Kwiro’s plugin, dashboard, or website, how we use it, who we share it with, and the legal rights you have over it. If anything here is unclear, email [email protected].

1. Who is this policy for?

  • Shop owners who install the Kwiro plugin or use the Kwiro dashboard — “Customers” below.
  • End shoppers who chat with the Kwiro widget on a store using our service — “Visitors” below. We process their data on behalf of the shop owner (we are a Data Processor; the shop owner is the Data Controller).
  • Marketing-site visitors reading kwiro.ai. We collect almost nothing about you here — see §6.

2. What data we collect from Customers (shop owners)

  • Account data — email, store URL, store name, plan/billing tier.
  • Authentication data — magic-link tokens, session cookies, hashed API key.
  • Product catalog data — product name, description, price, stock status, attributes, image URLs, taxonomy.
  • Usage data — sync events, dashboard interactions, feature usage. Used for product improvement and billing.
  • Billing data — handled by Paddle (our merchant of record). We never see or store credit card numbers; Paddle returns a customer/subscription ID we use for plan management.

3. What data we collect from Visitors (end shoppers)

  • Conversation messages — what the visitor types into the chat widget and what the AI replies.
  • Session metadata — synthetic visitor ID, session ID, conversation ID, timestamps. Used for conversation continuity and analytics.
  • IP address (truncated) — for rate-limiting and abuse prevention. Not associated with any identity. Truncated at collection time (last octet zeroed).
  • Browser type + page URL — to render the widget correctly and pass relevant page context to the AI (e.g., which product page the shopper is viewing).
  • Order linkage (if Customer enables sales attribution) — we receive the WooCommerce order ID and total to attribute sales to AI conversations. We do not receive payment details.

We do not use cross-site tracking cookies, fingerprinting, ad-network pixels, or any third-party analytics on the Customer’s storefront.

4. Why we process this data (legal bases under GDPR)

  • Contractual necessity — to provide the Service to the Customer (Art. 6(1)(b) GDPR).
  • Legitimate interests — to prevent abuse, secure the Service, and improve the AI on aggregated data (Art. 6(1)(f)). Visitor data is aggregated/anonymised before being used for improvement.
  • Legal obligation — billing records, tax records, sanctions screening (Art. 6(1)(c)).
  • Consent — for any marketing email beyond transactional. You can withdraw consent at any time without affecting the lawfulness of past processing.

5. Who we share data with

  • Sub-processors — third-party services we use to deliver Kwiro. Current list:
    • OpenRouter, Inc. — AI inference gateway. Data sent: the customer’s message and retrieved product context (no payment data, no account credentials). Operated under a Zero Data Retention (ZDR) agreement: OpenRouter does not log, store, or retain prompts or responses, and forwards them to the underlying large language model providers under the same ZDR contract.
    • Supabase — managed PostgreSQL hosting (data at rest).
    • Resend — transactional email delivery.
    • Paddle — billing + tax compliance (merchant of record).
    • Cloudflare — CDN + DDoS protection (no application data stored at the edge).
    • Contabo — VPS infrastructure provider.

    The full sub-processor list with contractual safeguards is available on request from [email protected] — ask for the current DPA addendum.

  • Legal requirements — only when compelled by valid legal process. We push back on overbroad requests and notify you when legally permitted.
  • Corporate transactions — if Kwiro is acquired or merged, your data may transfer to the successor under the same privacy commitments. We’ll notify you with at least 30 days’ notice if your privacy rights would change.

6. Marketing-site cookies & analytics

The kwiro.ai marketing site uses two layers of analytics. The first layer is cookieless and runs without consent; the second sets cookies and is only loaded if you opt in via the banner.

Always on (cookieless, no personal data leaves your browser):

  • Cloudflare Web Analytics — aggregate page-view counts. Cloudflare receives a salted hash of your IP and User-Agent for bot detection, which they discard within 24 hours. No cookies set. No cross-site tracking.
  • Umami (self-hosted) — page-view and on-page event counts hosted on our own infrastructure at analytics.kwiro.ai. No cookies set. No data leaves Kwiro’s servers.

Off by default, opt-in via the cookie banner:

  • Google Analytics 4 — used for campaign measurement (which referrers, channels, and content drive sign-ups). Sets first-party cookies (_ga, _ga_*, _gid) that live up to 24 months. We run GA4 with IP anonymisation and ad storage denied; its consent-mode signals are set to “granted” only after you click Accept. If you later revoke consent via the “Cookie preferences” link in the footer, we instruct GA4 to stop collecting and clear the cookies it set.
  • Marketing pixels — reserved category for future ad-platform tags (Meta, Google Ads, LinkedIn Insight). Currently none are loaded.

We do not use cross-site tracking cookies, fingerprinting, or ad-network pixels on the storefronts of Customers using the Kwiro widget. The above applies only to kwiro.ai itself.

7. Data retention

  • Conversation data — retained for the lifetime of the Customer’s account, plus 90 days. Customers can delete individual conversations at any time from the dashboard.
  • Account data — retained while the account is active, plus 365 days for tax/legal compliance.
  • Billing data — retained for 7 years to satisfy tax authorities (GDPR-compatible).
  • Backups — encrypted backups are retained for 30 days and then permanently deleted on a rolling basis.

8. International transfers

Data may be processed outside your country of residence (including the United States, where some of our AI inference and email-delivery providers operate). For transfers from the EEA / UK / Switzerland, we rely on the European Commission’s Standard Contractual Clauses (2021/914) plus supplementary technical measures (encryption in transit and at rest, access logging). The Customer DPA you sign on subscription includes the SCC modules.

9. Your rights

Under GDPR / CCPA / CPRA you have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion (“right to be forgotten”), subject to legal retention obligations.
  • Restriction / Objection — limit how we process your data, or object to processing based on legitimate interests.
  • Portability — receive your data in a structured, machine-readable format.
  • Opt-out of sale / sharing (CCPA / CPRA) — we do not sell or share personal information for cross-context behavioural advertising. If that ever changes, we’ll provide a clear opt-out before any sale or sharing occurs.
  • Non-discrimination — exercising any right above does not affect the price you pay or the service you receive.
  • Lodge a complaint — with your local data protection authority. EU residents can find theirs via edpb.europa.eu.

To exercise any right, email [email protected] with the right you’re exercising and proof of identity (we ask only what’s needed to verify you). We respond within 30 days (extendable by 60 days for complex requests, with notice).

10. Security

  • TLS 1.2+ for all data in transit.
  • AES-256 encryption for data at rest in Supabase + backups.
  • API keys hashed with bcrypt; session tokens rotated on use.
  • Multi-factor authentication available for all dashboard accounts.
  • Per-store data isolation enforced at the database query layer.
  • Quarterly review of access controls; least-privilege by default. Vulnerability reports to [email protected] — see our disclosure policy.

11. Children

Kwiro is a B2B service. We do not knowingly collect data from anyone under 16. If you believe a Visitor under 16 has used a Kwiro-powered chat, contact [email protected] and we’ll delete the conversation.

12. Changes to this policy

We’ll post material changes to this page and notify Customers by email at least 30 days in advance for any change that materially reduces your rights. Continued use of the Service after the effective date constitutes acceptance.

13. Contact

Privacy questions, data requests, or DPA copies: [email protected]
Operating entity: Inteliweave
Trade Licence No.: 05/B-1854 · Rajshahi City Corporation
TIN: 454764358310
Registered address: 156/13, Upashahar Housing Estate, Cantonment-6202, Boalia, Rajshahi, Bangladesh

See /gdpr for an EU-resident-focused summary.