Privacy Policy — Sonoma System

Introduction

Sonoma System ("we", "us", "our") operates an AI-powered customer engagement platform for Shopify stores. This Privacy Policy explains how we collect, use, store, and protect data when store owners ("Clients") use our platform and when their customers ("End Users") interact with our AI agents. By engaging Sonoma System, Clients confirm they have read and accepted this Privacy Policy.

1. Who We Are

Sonoma System is a SaaS platform providing AI agents — Aria, Nova, and Max — that handle customer support, cart recovery, and post-purchase engagement on behalf of Shopify store owners. We act as the data processor. Our Clients are the data controllers for their customers' data.

Contact: marko@sonoma-system.com

2. Data We Collect

From Clients (store owners)

Business name, contact email, and WhatsApp number
Shopify store URL and API credentials (stored encrypted)
Store policies, FAQs, and product information provided at onboarding
Billing information (processed by our payment provider — we do not store card details)

From End Users (store customers), via the Client's Shopify store

Phone number (collected by the Client at checkout)
Name and email address (from Shopify order records)
Order history and purchase data (fetched from Shopify via API)
WhatsApp and SMS message content
Behavioural signals derived from conversations (e.g. sentiment, intent)

We do not collect End User data directly. All End User data reaches us through our Client's Shopify store and communication channels the Client has configured.

3. How We Use Data

We use collected data solely to:

Operate the AI agents on behalf of the Client
Generate accurate responses to End User messages
Log conversation history to maintain context
Produce performance reports and analytics for Clients
Improve the platform's reliability and agent quality

We do not sell data. We do not use one Client's customer data to benefit another Client. We do not use End User data for advertising.

4. Data Storage and Security

All data is stored in Supabase (PostgreSQL) on secure cloud infrastructure. Data is logically separated by store — no cross-contamination between Clients is possible by design. We implement access controls, encrypted credentials, and industry-standard security practices. Conversation history is retained for up to 24 months from the last interaction, then deleted automatically.

5. Client Responsibilities

Clients are responsible for:

Ensuring lawful basis to share End User contact data with Sonoma System
Disclosing to their customers that AI agents handle communications (this belongs in the Client's own privacy policy)
Keeping policy inputs accurate and up to date
Notifying us promptly of any End User data deletion requests

Sonoma System is not responsible for a Client's failure to meet their own legal obligations.

6. Data Subject Rights

End Users wishing to exercise data rights should contact the Shopify store they purchased from. Upon receiving a verified deletion request from a Client, Sonoma System will delete all associated records within 30 days. Clients wishing to delete their account may contact marko@sonoma-system.com — all data deleted within 30 days.

7. Third-Party Services

Sonoma System uses the following third-party services, each with their own privacy policy:

Twilio — WhatsApp and SMS delivery
Anthropic Claude API — AI response generation
Shopify — Store and order data
Supabase — Database infrastructure
Railway — Backend hosting

8. International Data Transfers

Our infrastructure is cloud-based. Data may be processed in countries outside your own. By using Sonoma System, Clients acknowledge this and confirm appropriate authorisation to transfer End User data to us.

9. Changes to This Policy

We may update this policy from time to time. Clients will be notified of material changes via email. Continued use of Sonoma System constitutes acceptance of the updated policy.

10. Contact

For any questions about this Privacy Policy, contact us at marko@sonoma-system.com.