privacy.

how norle collects, stores and processes data, for the app inside a shopify store and for this marketing site. this is the same policy served at app.norle.ai/privacy.

effective 2026-06-06

Norle ("we", "our") is a Shopify app that adds an AI chat widget to a merchant's storefront and helps the merchant answer customer questions. This policy explains what information we collect, how we use it, where we store it, and the rights you have over it.

Who this policy applies to

This policy applies to two groups: (1) the Shopify merchant who installs Norle ("merchant") and (2) the end customer who chats with the widget on the merchant's storefront ("customer").

What we collect

From the merchant's Shopify store (via the Shopify Admin API, with the merchant's consent at install time):

  • Product catalog (title, handle, status, vendor, tags, price range) — used as context so the AI can answer customer questions about what the store sells.
  • The shop's domain, plan name, and currency — used to scope data per merchant and to detect Shopify Plus stores.
  • A Shopify session token — used to authenticate the merchant in the embedded admin UI.

From the merchant directly, via the in-app onboarding chat:

  • A system prompt for the storefront bot, generated together with the merchant during onboarding and editable later.
  • Configuration choices (support email, tone, fallback behaviour).

From the merchant's customers, via the chat widget on the storefront:

  • The messages the customer types into the chat. We do not require the customer to log in or share their name, email, address, phone number, payment details, or any other personal identifier in order to use the widget.
  • A conversation identifier so the bot can keep context within a single conversation. This identifier is not linked to any other customer record.

We do not collect IP addresses, browser fingerprints, cookies, or analytics on the storefront-facing widget. We do not load any third-party tracking scripts in the widget.

How we use the data

  • To answer the customer's questions through the AI assistant, using the merchant's configured prompt and the merchant's product catalog as context.
  • To show the merchant the conversations that have happened on their storefront, so they can improve their store's answers.
  • To run the Shopify Billing API for the subscription (we do not see or store credit card data — Shopify handles all payment processing).
  • To send the merchant an optional daily email digest of their store's chat activity. The merchant can turn this off at any time via the unsubscribe link in the email.

We do not sell data, share it with advertisers, or use it to train AI models.

Where data is stored

All merchant configuration, product catalog snapshots and chat conversations are stored in a PostgreSQL database hosted by Neon in the EU. The application is hosted on Vercel. Chat messages are sent to Anthropic for AI processing. Anthropic does not train its models on data submitted through their API.

Sub-processors

We use the following sub-processors:

  • Shopify — app hosting platform and APIs (global).
  • Vercel — application hosting (global edge).
  • Neon — PostgreSQL database (EU).
  • Anthropic — AI model, Claude (US).
  • Resend — transactional email, daily digest (US).

Retention

Merchant data and storefront chat conversations are kept as long as the merchant has Norle installed. When the merchant uninstalls the app, Shopify sends us an app/uninstalled webhook and we delete the merchant's session, configuration, cached product catalog and all conversations within 30 days.

GDPR and customer rights

Norle handles the three mandatory Shopify GDPR webhooks:

  • customers/data_request — when a customer asks the merchant for the data we hold about them, we respond to the merchant with what conversations are linked to that customer (in our case: none, because we do not collect customer identifiers).
  • customers/redact — when a customer asks the merchant to delete their data, we delete any conversation we can link to that customer.
  • shop/redact — when a merchant uninstalls and their 48-hour grace period ends, Shopify asks us to delete the shop's data. We do.

EU customers have additional rights under GDPR (access, rectification, erasure, restriction, portability, objection). To exercise any of these, contact us at hi@norle.ai.

Security

Data in transit is encrypted with TLS. Data at rest in Neon is encrypted. Access to production credentials is limited to the founder and stored in Vercel's encrypted environment variables. All Shopify session tokens are stored encrypted and rotate according to Shopify's policy.

This marketing site

norle.ai shows a consent banner. Analytics only run after you accept. If you decline, nothing analytics-related runs, and the site works exactly the same.

If you accept, two cookieless or EU-based tools measure page views and clicks. The /install link also sets one first-party cookie that records where an install came from. It holds no personal data.

Changes to this policy

We may update this policy as the product evolves. The effective date at the top will change when it does. Material changes will be communicated to merchants via the Norle admin UI before they take effect.

Contact

Questions, requests, or concerns about this policy or your data: hi@norle.ai.

Norle is operated by Anderssons virksomhet AS, Norway.