Privacy Policy

Stickiness ("we", "our", "the Company") operates the Stickiness.AI platform — a SaaS service providing AI chat agents for e-commerce stores. This Privacy Policy describes how we collect, use, store, and protect personal information when you use our services, visit our website, or interact with our chat widget.

We are committed to protecting your privacy and complying with applicable data protection regulations, including the GDPR (European Union), CCPA/CPRA (California), the Israeli Privacy Protection Law, 5741-1981, and other applicable international privacy laws.

Data Controller: Stickiness Ltd., Israel.
Data Protection Officer (DPO): hello@stickiness.ai

2.1 Information You Provide Directly:
• Account details — name, email address, store name upon registration.
• Store settings — product information, shipping and return policies, business hours, and branch locations you enter into the system.
• Conversation content — messages you send through the Dashboard.
• Payment information — processed directly by secure payment providers. We do not store credit card numbers.

2.2 Information Collected Automatically:
• Usage data — pages viewed, actions taken, access times.
• Device information — browser type, operating system, IP address, screen resolution.
• Cookies — essential cookies for service functionality (authentication, language preferences).

2.3 Information from End Customers (Store Visitors):
• Chat conversations with the bot — stored anonymously without personal identification by default.
• Session ID — a temporary technical identifier for conversation continuity.
• If the customer chooses to provide identifying information (name, email, phone) during the conversation — this information is stored in accordance with this policy.

We use collected information for the following purposes only, specifying the legal basis for each under GDPR Article 6(1):

• Service delivery — operating the AI agent, product synchronization, responding to customer queries. Basis: performance of contract (6(1)(b)).
• Service improvement — analyzing usage patterns to enhance user experience and response accuracy. Basis: legitimate interest (6(1)(f)).
• Technical support — diagnosing and resolving technical issues. Basis: performance of contract (6(1)(b)).
• Service communication — sending service updates, policy changes, and system notifications. Basis: performance of contract (6(1)(b)).
• Security — detecting and preventing misuse, fraud, and unauthorized access. Basis: legitimate interest (6(1)(f)).
• Legal compliance — fulfilling legal obligations and responding to official requests. Basis: legal obligation (6(1)(c)).

We do not sell, rent, or trade personal information to third parties for marketing purposes.

Our service uses artificial intelligence models from leading providers to process questions and generate responses.

• Content sent to AI — end customer questions, product information, and store policies. We do not send personally identifiable information of end customers to AI providers.
• Use by AI providers — in accordance with our AI providers' policies, content sent through their API is not used for model training.
• Embeddings — we create vector representations (embeddings) of products and content for semantic search. These embeddings do not contain personal information.
• Model training — we do not use our customers' data or their end customers' data to train or fine-tune AI models. All processing is performed in real-time only.

In accordance with GDPR Article 22, we disclose that our service involves automated processing of information:

• Automated chat responses — the AI agent processes questions and produces responses in a fully automated manner. Responses are based on store information (products, policies, content) and do not include decisions with legal or similarly significant effects on end customers.
• Human escalation — store owners can configure escalation rules to route conversations to a human agent at any time.
• Right to human intervention — end customers may request human assistance instead of automated responses. They can contact the store owner directly.
• No profiling — we do not build personal profiles of end customers and do not perform scoring, credit rating, or automated filtering.

• Storage — data is stored on secure cloud servers with encryption at rest and in transit.
• Encryption — all communication is encrypted using industry-standard protocols. Sensitive tokens and keys are encrypted with strong encryption before storage.
• Access control — data access is restricted to authorized personnel only through role-based access control.
• Backups — automatic daily backups with encrypted storage.
• Monitoring — monitoring systems to detect anomalous access.

We share information only with the following categories of sub-processors, and only to the extent necessary to provide the service:

• Cloud hosting providers — encrypted data storage, user authentication, and backups.
• AI providers — natural language processing and response generation. Conversation content is sent without personally identifiable information of end customers.
• E-commerce platforms — product synchronization, orders, and store data (e.g. Shopify).
• Hosting providers — operating the management dashboard and website.
• Payment providers — secure payment processing. Payment details are processed directly by the provider and do not pass through us.
• Authentication providers — secure sign-in services (e.g. Google Sign-In).

A detailed list of current sub-processors is available upon request at hello@stickiness.ai.

We will not disclose information to other third parties unless:
• Required by law, court order, or legal process
• Necessary to protect our rights, property, or the safety of our users
• You have given explicit prior consent

• Account data — retained as long as the account is active. After account closure, data is deleted within 30 days.
• Chat conversations — retained for 12 months for analysis and service improvement, then automatically deleted.
• Technical logs — retained for 90 days.
• Shopify data — upon app uninstallation, store data is deleted within 48 hours per Shopify requirements.
• Right to deletion — you may request deletion of all your data at any time (see "Your Rights" section).

Under applicable privacy laws, you have the following rights:

• Right of access — request a copy of the personal information we hold about you.
• Right to rectification — correct inaccurate or incomplete information.
• Right to erasure — request deletion of your personal information ("right to be forgotten").
• Right to restrict processing — limit how we process your information.
• Right to data portability — receive your information in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interest. Upon objection, we will cease processing unless we have compelling legitimate grounds.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing performed prior to withdrawal.

To exercise these rights, contact us at: hello@stickiness.ai
We will endeavor to respond to your request within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Israeli Privacy Protection Authority or your local supervisory authority.

We use the following types of cookies:

Necessary Cookies:
• Authentication cookies — to maintain your login state.
• Session cookies — for proper system functionality.

Preference Cookies:
• Language and theme — to save your display settings.

We do not use tracking (Analytics) cookies, advertising (Marketing) cookies, or third-party cookies for marketing or profiling purposes.

The chat widget on stores uses localStorage for session ID storage only — no cookies.

We may send you emails related to our service, such as product updates, usage tips, or information about new features.

• Opt-out — every marketing email includes an unsubscribe link. You may also contact us at hello@stickiness.ai to opt out.
• Service notifications — essential communications related to your account operation (security, policy changes, billing updates) cannot be opted out of while your account is active.
• We do not share your email address with third parties for marketing purposes.

Our service is not intended for children under the age of 16 (or 13 in jurisdictions where COPPA applies). We do not knowingly collect personal information from minors. If we become aware that we have collected information from a minor, we will delete it immediately. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@stickiness.ai.

Your information may be stored and processed on servers located outside your country of residence, including the United States and European Union.

We ensure that all international data transfers include appropriate safeguards:
• Standard Contractual Clauses (SCCs) — as required by the European Commission for transfers outside the EEA.
• Transfer Impact Assessments (TIAs) — we conduct ongoing assessments regarding the risks involved in international transfers.
• Adequacy decision — Israel is recognized as a country with an adequate level of data protection by the European Commission.

If you are a California resident, you have additional rights under the CCPA and CPRA:

• Right to know — request information about the categories and specific items of personal information we collected about you, the sources, purposes of collection, and third parties with whom we shared it.
• Right to delete — request deletion of your personal information, subject to certain legal exceptions.
• Right to correct — correct inaccurate personal information we hold.
• Right to opt-out of sale/sharing — we do not sell or share personal information as those terms are defined under CCPA/CPRA.
• Non-discrimination — we will not discriminate against users who exercise their rights.

Identity verification: upon receiving a request, we will verify your identity by matching the email address registered on your account. You may also designate an authorized agent to act on your behalf with written power of attorney.

To exercise these rights: hello@stickiness.ai

Our service may contain links to third-party websites or services. We are not responsible for the privacy policies or content of these sites. We recommend reviewing the privacy policy of any external site you visit. The presence of a link on our site does not constitute endorsement or recommendation.

We may update this policy from time to time. Material changes will be published on our website and registered users will be notified by email at least 14 days before they take effect. Continued use of the service after the change constitutes consent to the updated policy.

For questions, requests, or complaints regarding privacy, please contact us:

• Data Protection Officer (DPO): hello@stickiness.ai
• General email: hello@stickiness.ai
• Website: https://stickiness.ai

We commit to addressing every inquiry within 30 days. If you are not satisfied with our response, you may file a complaint with the Israeli Privacy Protection Authority or your local supervisory authority.