Privacy Policy
Factfu — Last updated: February 25, 2026
This Privacy Policy explains how Factfu ("we", "us", or "our") collects, uses, stores, and protects information when you use the Factfu application and related services ("Service"). It applies to all users, whether you access Factfu through Shopify, our dashboard, or any other integration.
1. Information We Collect
We collect information you provide directly, information generated through your use of the Service, and limited information from third parties.
a) Account & Store Data
- Your name, email address, and account credentials.
- Your store URL, store name, and platform access tokens required to integrate with your e-commerce platform (e.g. Shopify).
- Billing information processed through your platform's billing system (we do not directly store payment card details).
b) Content Data
- Product listings, page content, discounts, and other store data you authorise us to read in order to power the AI assistant.
- Knowledge-base documents, URLs, and text you upload or provide for indexing.
c) Customer Interaction Data
- Chat transcripts and conversation metadata generated when visitors interact with the Factfu widget on your site.
- Form submissions collected through Factfu lead-capture forms.
- Session identifiers and visitor fingerprints used to maintain conversation continuity.
d) Usage & Technical Data
- IP addresses, browser type, device type, and referring URL.
- Request logs, error reports, and aggregate usage metrics.
- API usage statistics (token counts, request volumes).
2. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
| --- | --- |
| Provide and operate the Service (AI chat, knowledge base, live chat) | Contract performance |
| Sync and index your store content for accurate AI responses | Contract performance |
| Send transactional notifications and respond to support requests | Contract performance |
| Detect and prevent fraud, abuse, or security incidents | Legitimate interest |
| Improve service quality and fix bugs | Legitimate interest |
| Comply with legal obligations | Legal obligation |
3. Data Sharing
We do not sell your personal information. We may share data with:
- Infrastructure providers: Cloudflare (hosting, CDN, database, AI inference). Data is processed under their privacy policy and DPA.
- AI inference providers: Third-party LLM providers used to generate chat responses. Only the minimum necessary context (relevant content chunks and the user's question) is sent. No personal data is sent unless it appears in the user's question.
- Platform partners: Your e-commerce platform (e.g. Shopify) as required by their API and partner agreements.
- Legal requirements: When required by law, court order, subpoena, or governmental authority.
4. Data Retention
- Active accounts: Data is retained for as long as your account is active and as needed to provide the Service.
- Chat transcripts: Retained until you delete them from the dashboard or close your account.
- After uninstallation: We delete your platform access token immediately and stop syncing data. Indexed content and chat logs are deleted within 30 days.
- Full deletion: You may request complete deletion at any time by contacting us. We will process the request within 30 days.
5. Cookies & Tracking
The Factfu dashboard uses a session cookie for authentication. The embeddable chat widget uses localStorage to maintain session continuity — it does not set cookies on your visitors' browsers. We do not use third-party analytics or advertising trackers.
6. International Data Transfers
Your data may be processed in data centres outside your country of residence. We use Cloudflare's global network, which operates under Standard Contractual Clauses (SCCs) and other approved transfer mechanisms to ensure adequate protection of data transferred outside the EEA, UK, or Switzerland.
7. Platform Compliance Webhooks
For Shopify installations, we respond to the following mandatory privacy webhooks:
- customers/data_request: We provide a copy of any customer data we hold upon request.
- customers/redact: We delete customer personal data within 30 days.
- shop/redact: We delete all shop data within 90 days of app uninstallation.
8. Security
We implement industry-standard security measures including:
- TLS 1.3 encryption for all data in transit.
- Encrypted storage at rest for sensitive credentials.
- Rate limiting and abuse detection on all API endpoints.
- Role-based access controls and audit logging.
- Regular security reviews of our codebase and infrastructure.
No system is 100% secure. We take commercially reasonable steps to protect your information and promptly address any incidents.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Delete your personal data ("right to be forgotten").
- Restrict or object to certain processing activities.
- Data portability: Receive your data in a structured, machine-readable format.
- Withdraw consent where processing is based on consent.
To exercise any of these rights, contact us at the address below. We will respond within 30 days (or sooner if required by applicable law).
10. Children's Privacy
The Service is not directed at individuals under 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date above and, for material changes, by email or in-app notification. Continued use of the Service after changes constitutes acceptance of the revised policy.
12. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at .