Privacy Policy

Vaarden provides AI-assisted customer-support tooling to merchants. When a merchant connects their store and support inbox, we process personal data on the merchant's behalf (as a data processor) to help them answer their customers.

• Merchant users: name, email, and authentication identifiers.
• The merchant's customers: name, email, phone, shipping address, order and fulfillment history, and the contents of support messages — only as needed to draft and send support replies and to process returns/refunds the merchant approves.

We request the minimum Shopify scopes required for this (orders, customers, returns, discounts) and nothing more.

Solely to provide the service: triaging incoming messages, drafting on-brand replies grounded in the customer's order, and running merchant-approved returns/refunds. Every reply is reviewed by a human before it is sent — we do not make automated decisions that have legal or similarly significant effects. We do not sell personal data or use it for advertising.

To draft replies and triage messages we send the relevant message and order context to our AI provider (Anthropic) at request time. Anthropic processes it to return a draft and does not use it to train models. We do not use your customers' content to train our own or any third-party models.

We use anonymized, aggregate statistics — counts and rates that contain no personal data and can't identify any individual, merchant, or their content (e.g. how often a suggested FAQ is accepted) — to improve suggestion quality across the platform. A merchant's actual content (messages, FAQs, customer data) is never shared with another merchant.

We rely on a small set of providers — Supabase, Vercel, Anthropic, Resend, Shopify, Stripe and EasyPost — each processing data only to deliver their part of the service. The full, current list with purpose and region is at vaarden.com/subprocessors. Our processor terms are in our Data Processing Agreement.

Data is encrypted in transit (TLS) and at rest (AES-256), including backups. Access is restricted to authorized personnel under least-privilege controls and row-level security, with required multi-factor authentication on our infrastructure. We separate test and production data.

We keep personal data only as long as needed to provide the service. When a merchant uninstalls, we revoke access and delete the store's stored data following Shopify's redaction timelines. We honor Shopify's customers/redact, customers/data_request, and shop/redact requests — a customer-deletion request erases that shopper's stored messages, conversations, returns, and profile.

Shoppers should contact the merchant they bought from to access or delete their data; the merchant's request flows to us automatically. Merchants can delete their account and all associated data at any time from Settings → Danger zone, or by emailing us — this permanently erases the account's conversations, customers, drafts, returns, FAQs and connections.

Questions or requests: denis@vaarden.com.