What we read, and what we don't.

SupportLift operates an AI customer support app for Shopify merchants at supportlift.app. When this document says "we" or "our", it means SupportLift.

When you install, we read your store domain and the access permissions you approved inside Shopify, plus your published products, pages, articles, collections and policies. Order and customer records are not copied into our systems at rest. If a shopper asks about their own order, we fetch that order from Shopify, answer the shopper, and move on.

An anonymous session for their device, the page they are on, the messages they type, and their country and browser type. If a shopper identifies themselves with an email, we connect their session to a contact record scoped to your store. We never sell shopper data and we never send it to anyone outside the providers needed to run the service.

Only to answer your shoppers. When we send a message to the AI, customer names, emails and addresses are replaced with placeholders. The AI gets the question, not the identity. Our AI providers are contractually barred from training on anything we send them.

The services we use to run SupportLift each see the parts of the data relevant to their job. We host the database with Supabase, host our admin on Vercel, run our AI service and chat queue on Fly.io, send email through Resend, and send AI requests to OpenAI and Anthropic (routed directly or through OpenRouter for reliability). Every one of these services has an independent security audit on file.

Conversations clear automatically 90 days after resolution. You can make that window shorter in settings. When you uninstall, we delete everything related to your store within 48 hours.

If a shopper asks for a copy of their data or asks for their data to be deleted, we handle it. Merchants in the EU, UK, California or other regions with data rights laws can tell their shoppers to email us and we will respond within the legal window.

Everything on the wire is encrypted. Our secrets are stored in a managed vault and rotate when you uninstall. Every message from Shopify is verified against Shopify's signature before we act on it. Only named engineers with two-factor authentication can touch production.

Questions, data requests, complaints. privacy@supportlift.app. We respond within the legal window for your jurisdiction and within three business days otherwise.