Security at Convi
Your store data and customer conversations are our top priority. Here is how we protect them.
Our Security Practices
Encryption in Transit & at Rest
All data is encrypted using TLS 1.2+ in transit and AES-256 at rest. API communications between your Shopify store and Convi are always encrypted end-to-end.
Data Isolation
Each merchant's data is logically isolated. Your store data, conversation history, and customer interactions are never shared with or accessible by other merchants.
Access Control
We follow the principle of least privilege. Team access to production systems requires multi-factor authentication and is logged for audit purposes.
Infrastructure Security
Convi runs on enterprise-grade cloud infrastructure with automated backups, redundancy across availability zones, and 24/7 monitoring.
Privacy by Design
We only collect data necessary to provide our service. Customer conversation data is used solely to power your AI assistant — never for training models on other merchants' data.
Shopify App Store Compliance
Convi is a Built for Shopify app, meeting Shopify's highest standards for performance, security, and data handling. We undergo regular reviews by the Shopify team.
Data Handling
What data does Convi access?
Convi accesses product catalog, order information, and customer conversation data through Shopify's official API scopes. We only request the minimum scopes needed to provide our service.
How long is data retained?
Conversation data is retained for the duration of your subscription plus 30 days. Upon uninstallation, all merchant data is permanently deleted within 30 days.
Is customer PII stored?
Convi processes customer messages in real time to generate responses. We store conversation history for your inbox and analytics features. Customer PII is never used for purposes outside your store's AI assistant.
Can I export or delete my data?
Yes. You can export your conversation history and analytics data at any time. You can also request complete data deletion by contacting our support team.
Sub-processors
We use the following third-party services to provide Convi. Each sub-processor is vetted for security and compliance. For details on how your data is handled, see our Privacy Policy.
| Provider | Purpose | Location |
|---|---|---|
| Shopify | E-commerce platform integration, OAuth authentication | Canada (Global CDN) |
| OpenAI | AI language model for generating customer responses | United States |
| Amazon Web Services (AWS) | Cloud infrastructure, file storage (S3) | United States (us-east-1) |
| Google Cloud Platform | Database infrastructure (TiDB / MySQL-compatible) | United States (us-central1) |
| Cloudflare | CDN, DDoS protection, DNS, edge caching | Global (250+ data centers) |
| Manus | Application hosting, OAuth identity provider, built-in APIs | United States |
Responsible Disclosure
If you discover a security vulnerability, we appreciate your help in disclosing it responsibly. Please report any findings to our security team.
[email protected]