Privacy Policy
Kovotic Labs LLC · RetainAIO · Effective January 9, 2026
Company: Kovotic Labs LLC ("RetainAIO," "we," "us," "our")
Support: support@retainaio.com
Website: retainaio.com
Effective Date: January 9, 2026
1. Information We Collect
When you install and use the App, we collect and process the following categories of information:
- Merchant / store information: Store domain, Shopify store identifiers, app configuration settings (onboarding flow settings, access instructions, brand voice)
- Customer and order information: Customer email address (only as provided by Shopify and necessary to send emails), order IDs, product names, payment status required to personalize emails
- Email delivery data: Send status (queued/sent/failed), delivery metadata from our email provider (message IDs, bounce/suppression events)
- AI decision data: Risk scores, confidence ratings, reasoning strings, and behavioral signals (stored as hashed email fingerprints — never raw PII) generated by our agentic risk assessment system
- Privacy compliance requests: Shopify privacy webhook payloads (data access requests, redaction requests) for audit and compliance
2. How We Use Information
We use collected information to:
- Provide the App's functionality — send onboarding and recovery emails to customers on behalf of merchants
- Run our agentic risk assessment system — score orders for refund risk using Claude Sonnet AI via the IntentSense Factory
- Store and process CustomerBehaviorSignals (hashed) to improve agent decision quality over time
- Generate email content based on merchant-provided instructions and settings
- Deliver and troubleshoot email sending, including retries and bounce/suppression handling
- Maintain an audit trail for privacy compliance requests
- Improve the App, prevent abuse, and maintain security
3. Legal Basis (GDPR / Similar Laws)
Where applicable, we process personal data on the following bases:
- Performance of a contract — to provide the App to the merchant
- Legitimate interests — security, preventing abuse, maintaining reliability, improving AI decision quality
- Compliance with legal obligations — responding to privacy requests
Merchants are responsible for ensuring they have an appropriate lawful basis and notices to their customers for sending emails where required.
4. Sharing of Information
We share data only as needed to operate the App. This may include sharing with:
- Hosting and infrastructure providers
- Database providers
- Email delivery provider (Postmark) for sending transactional emails
- AI inference provider (Anthropic / Claude Sonnet) strictly for generating risk assessments and email copy — only hashed identifiers and order context are transmitted, never raw customer PII
- Shopify as needed for app functionality, authentication, and compliance webhooks
- Authorities if required by law
We do not sell personal information.
5. Agentic AI System — IntentSense Factory
RetainAIO uses an agentic AI system (the IntentSense Factory) to assess refund risk and generate recovery email content. This system:
- Processes order signals and customer engagement data to produce risk scores and recommended actions
- Stores CustomerBehaviorSignals as hashed email fingerprints — the raw email address is never stored in the signal system
- Logs every decision with a plain-English reasoning string for merchant transparency
- Uses confidence thresholds — decisions below 70% confidence are escalated to merchant review (HITL) before any action is taken
We instruct the AI not to invent access instructions. Generation is limited to merchant-provided configuration. Token usage and generation counts are recorded for cost controls and audit.
6. Data Retention
We retain data only as long as necessary to provide the App and meet legal and compliance requirements. Typical retention includes:
- Message records and send logs — retained for troubleshooting and auditing
- AgentDecision records — retained for merchant transparency and audit
- CustomerBehaviorSignals (hashed) — retained to improve agent decision quality; purged on shop redaction
- Privacy request audit records — retained as required by applicable law
7. Data Deletion and Privacy Requests
The App supports Shopify's required privacy compliance mechanisms. Upon receiving relevant Shopify privacy webhooks (customer redaction, shop redaction), we will delete or anonymize data as required — including all associated CustomerBehaviorSignals, AgentDecision records, and MessageSent records.
Merchants can also request deletion by contacting: support@retainaio.com
8. Security
We implement reasonable administrative, technical, and physical safeguards designed to protect information. Customer identifiers in our AI system are stored as cryptographic hashes (HMAC-SHA256) and cannot be reverse-engineered to recover the original email address. No method of transmission or storage is 100% secure, but we work to protect your data.
9. International Transfers
Your data may be processed in countries other than your own depending on where our service providers operate. Where required by applicable law, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses.
10. Children's Privacy
The App is intended for use by merchants and is not directed at children under the age of 13.
11. Changes to This Policy
We may update this policy from time to time. We will post updates on this page and update the effective date. Continued use of the App after changes constitutes acceptance of the updated policy.
12. Contact Us
For questions, requests, or complaints regarding this policy, contact us at: support@retainaio.com
Kovotic Labs LLC · Kovotic.io