NutrecoAI
Privacy Policy
Last updated: 17 June 2026
NutrecoAI ("we", "us") operates the NutrecoAI Shopify app and the website at nutrecoai.com. This policy explains what data we collect, why, and how long we keep it.
1. Who we are (controller)
NutrecoAI is operated by Elisabetta Corapi. For data-related questions contact us at [email protected].
2. Data we collect
2a. Merchant data
When a Shopify merchant installs NutrecoAI we store:
- Shop domain (e.g. your-store.myshopify.com)
- Merchant email address (provided by Shopify during OAuth)
- OAuth access and refresh tokens (encrypted at rest)
- Widget configuration choices (headings, colours, card counts)
- Billing status
Legal basis: performance of a contract (providing the app service).
2b. End-customer data (your shoppers)
NutrecoAI processes the following data about a merchant's customers to power recommendations:
- Shopify customer ID — a numeric identifier supplied by Shopify in order webhooks. We never receive names, email addresses, or payment details.
- Order line items — which products were purchased together, used to compute co-purchase affinity scores.
- Anonymous session ID — a random string stored in the shopper's browser localStorage (key:
reco_sid). It is not linked to any identity and expires when the browser storage is cleared.
- Product page views and widget interactions — which products were viewed or clicked, used to rank recommendations.
Legal basis: legitimate interests of the merchant (improving conversion and product discovery). No special-category data is processed.
3. Data retention
| Data | Retention |
| Order line items & customer IDs | 90 days, then automatically deleted |
| Product view / click counts | Kept while the app is installed; deleted on uninstall |
| Session co-click data (Redis) | 90 days |
| Merchant account data | Deleted on app uninstall or on request |
4. Sub-processors
| Sub-processor | Purpose | Location |
| Hetzner Online GmbH | Cloud hosting (servers & database) | Germany (EU) |
| Sentry (Functional Software Inc.) | Error monitoring — DPA signed, PII collection disabled | USA (SCCs) |
| Cerebras Systems | AI product classification (product titles & tags only — no customer data) | USA (SCCs) |
5. Shopify GDPR webhooks
We support all three mandatory Shopify GDPR webhooks:
- Customer data request — acknowledged within 24 hours.
- Customer data erasure — all order records linked to the customer ID are deleted immediately.
- Shop data erasure — all merchant and customer data is deleted immediately on request.
6. Your rights (GDPR)
If you are an EU/EEA resident you have the right to access, rectify, erase, restrict, or port your data, and to object to processing. To exercise these rights email [email protected]. You also have the right to lodge a complaint with your local supervisory authority.
7. Cookies & localStorage
NutrecoAI does not set any cookies. The anonymous session ID (reco_sid) is stored in localStorage — not a cookie — and is scoped to the merchant's storefront domain. Merchants are responsible for their own cookie consent banners.
8. Data processing agreement (DPA)
Merchants subject to GDPR who require a Data Processing Agreement may request one by emailing [email protected]. We will provide a signed DPA within 5 business days.
9. Merchant responsibilities
Merchants who install NutrecoAI are independent data controllers with respect to their customers. By using the app, merchants agree to the following:
- Privacy disclosure. Merchants must inform their own customers that the store uses a third-party recommendation service that collects anonymous browsing behaviour (page views, product clicks, add-to-cart events) and, for logged-in customers, links purchase history to a Shopify customer ID. This disclosure must appear in the merchant's own privacy policy and, where required by applicable law, in their cookie or tracking consent notice.
- Storefront content. NutrecoAI injects recommendation widgets and, where configured, displays section headings on the merchant's storefront. The merchant is solely responsible for reviewing and customising all text that appears on their storefront — including widget headings and goal-based section labels — and for ensuring that such text complies with all applicable laws and regulations in their jurisdiction, including advertising standards, consumer protection rules, and health claim regulations (including but not limited to EU Regulation (EC) No 1924/2006 on nutrition and health claims and FTC guidelines in the United States).
- No medical endorsement. The AI-generated product goal classifications (e.g. "muscle", "recovery", "fat loss") are provided as a product-discovery convenience tool only. They do not constitute a health claim, medical advice, or endorsement by NutrecoAI of any product's fitness for a particular purpose. Merchants must ensure that any claims made on their storefront comply with the regulatory requirements applicable to their products and territory.
- Legal basis. Merchants are responsible for establishing and documenting a valid legal basis under applicable data protection law (e.g. GDPR Article 6) for the processing of their customers' data facilitated by this app.
10. Changes to this policy
We will update the "Last updated" date when material changes are made. Continued use of the app after changes constitutes acceptance.