Privacy Policy & Data Protection
Last updated: April 7, 2026
1. Introduction
SupportPilot AI ("we", "our", "us") is committed to protecting the privacy of businesses and their customers. This Privacy Policy explains how we collect, use, store, and protect personal data in compliance with GDPR.
Data Controller: SupportPilot AI
Contact: privacy@support-pilot-ai.com
2. Data Collected
2.1 Business Data
- Store Information: Business name, domain, email address
- Authentication: OAuth tokens (encrypted at rest)
- Configuration: App settings, playbook rules, AI preferences
2.2 Customer Data (Protected)
- Email Address: To match support emails with customer accounts
- Name: To personalize AI-generated responses
- Order History: To provide order-specific support (Shopify only)
2.3 Communication Data
- Support Emails: Emails synced from connected Gmail/Outlook accounts
- Direct Messages: Instagram DMs and WhatsApp messages
- Chat Messages: Conversations from the storefront chat widget
- AI Responses: Generated replies and suggested actions
3. How We Use Your Data
- Support Automation: Classifying tickets, generating AI responses, executing playbook actions
- Customer Identification: Matching messages to customer accounts and order history
- Personalization: Addressing customers by name, referencing their specific orders
- Service Improvement: Analyzing anonymized usage patterns to improve AI accuracy
We DO NOT: Sell personal data, use it for marketing, share it with advertisers, or use it for AI model training.
4. Data Sharing
| Provider | Purpose | Data Shared |
|---|
| Anthropic (Claude AI) | AI response generation | Ticket content (processed, not stored by Anthropic) |
| Supabase | Database hosting | All app data (SOC 2 compliant) |
| Google (Gmail API) | Email sync | Email content when Gmail is connected |
| Microsoft (Outlook) | Email sync | Email content when Outlook is connected |
| Meta (Instagram/WhatsApp) | Messaging | DM content when channels are connected |
5. Data Security
- Encryption in Transit: TLS 1.3 for all communications
- Encryption at Rest: AES-256 via Supabase
- Multi-Tenant Isolation: Row Level Security per business
- Audit Logging: All AI actions logged
6. Data Retention
- Active Use: Data retained while the business uses the service
- After Uninstallation: All data deleted within 48 hours
- Customer Data Requests: Processed within 30 days per GDPR
7. Your Rights (GDPR)
You have the right to: Access, Rectification, Erasure, Restriction, Portability, and Objection.
To exercise any right, contact: privacy@support-pilot-ai.com
8. Contact