Skip to main content

FAQ: Is my data secure?

Written by Shawn

Convi runs on your shopper's questions, your store's content, and a small set of shopper-supplied details (like email for order verification). This article explains where that data lives, who can see it, and what controls you have.

In this article

  • What data Convi processes

  • Where data is stored

  • What is NOT used to train shared models

  • Order actions and verification

  • Untrusted content boundaries

  • Encryption and access

  • The shopper-side privacy posture

  • Deletion and data export

  • What you can control today

What data Convi processes

Three categories:

  1. Your store content (knowledge). Products, pages, blogs, policies, shop info — everything Convi imports to answer questions. This comes from Shopify's APIs you authorized at install.

  2. Conversation messages. Every shopper message + every AI response, plus metadata (topic, sentiment, satisfaction, abilities used).

  3. Shopper-supplied details. Email (collected on demand when needed), name (if a pre-chat survey is enabled), and order number (when the shopper asks about an order). Plus the technical info every browser sends (locale, page URL the chat was opened from).

That's the full scope. Convi does not collect shopper credit-card info, addresses (except when the shopper explicitly asks to update one), or anything Shopify itself doesn't already have.

Where data is stored

  • Your store content is indexed in Convi's vector database (for semantic search) and stored in Convi's PostgreSQL database. It's scoped to your shop — other shops can't search your knowledge.

  • Conversations are stored in Convi's PostgreSQL database, scoped to your shop.

  • LLM calls (to generate AI responses) go to OpenAI. We use OpenAI through their API, not their consumer ChatGPT product.

What is NOT used to train shared models

  • Your conversations are not used to train shared AI models. OpenAI's API terms explicitly exclude API content from model training.

  • Your store content is not shared across shops. Each shop's index is isolated.

  • Cross-shop learning is structural, not data-leaking. Convi's product improvements come from aggregate, anonymized patterns — not from copying one merchant's content into another's responses.

Order actions and verification

Mutating actions — order cancellation and shipping-address update — require email-OTP verification. The shopper provides their order number and email, Convi sends a one-time code to that email, the shopper enters the code, and only then does the action go through. The verification is enforced in code, not just in the prompt — the AI can't "decide" to skip it.

This is why those abilities have "Higher risk" badges and require a few extra prerequisites to enable.

Untrusted content boundaries

When the AI reads content sourced from a shopper (a product review, a customer-uploaded note, a free-text feedback comment), it's wrapped in an <untrusted_content>…</untrusted_content> boundary before being handed to the language model. That means:

  • Anything in the wrapped content is treated as data, not as instructions.

  • An attempt by a shopper to hide a prompt injection inside a review can't override your store's policies.

You don't have to configure this — it's enforced for every untrusted source.

Encryption and access

  • Data in transit uses TLS (HTTPS / WSS).

  • Data at rest is encrypted at the database layer.

  • Access is limited to Convi staff who need it for support — the same posture you'd expect from any Shopify-installed app.

  • The widget itself never breaks the host page. If Convi's backend is unavailable, the widget fails silently rather than throwing a JS error on your storefront.

The shopper-side privacy posture

A few things worth knowing about how the widget behaves for shoppers:

  • The widget doesn't track shoppers across sessions unless the shopper explicitly identifies themselves (e.g. by sharing an email).

  • The proactive speech bubble's dismissed state is stored in the shopper's own browser (localStorage) — not on a server tied to them.

  • Shopper messages are visible to you in the Conversations inbox. That's the only place humans on your team see them.

Deletion and data export

For deletion or export requests covered by GDPR / CCPA, contact Convi support (see Contacting Convi Support). We can:

  • Delete a specific shopper's conversation history.

  • Delete a shop's entire data set when the app is uninstalled (this happens automatically on uninstall after a retention window).

  • Provide an export of a shop's conversations and configuration on request.

What you can control today

  • Toggle abilities — turn off any ability you don't want the AI to use (e.g. cancellation, address edit).

  • Pre-chat survey — choose whether to ask for name/email up front.

  • Email capture sensitivity — Conservative / Balanced / Aggressive.

  • Web search domain controls — allowlist or blocklist.

  • Custom instructions and rules — write specific guardrails into every conversation.

Related Articles
What is Convi? An Overview
Installing Convi on Your Shopify Store
Customizing Your Chat Widget's Appearance
Understanding the Convi Dashboard
Lead Capture: Collecting Customer Contact Info
Did this answer your question?