Aura AI Privacy Policy

Last updated: 24 April, 2026

1. Introduction

This Privacy Policy describes how NexaSoftech ("we", "our", "us") collects, uses, discloses, and protects information when you ("Merchant") install or use the Aura AI — GEO & AI Search Shopify app ("App"), and when shoppers ("End Users") visit a storefront where the App is active.

By installing or using the App, you agree to this Policy. This Policy is incorporated into our Terms and Conditions.

2. Who We Are

NexaSoftech is the data controller for Merchant account data and a data processor for Shopify store data processed on your behalf. Our registered contact for privacy is support@nexasoftech.com.

3. Information We Collect

3.1 Merchant Account Information

  • Shopify store domain, shop ID, store owner name, email, billing country
  • Plan selection and subscription status
  • Support communications and in-app settings

3.2 Shopify Store Data (processed on your behalf)

  • Products, variants, collections, pages, blog posts, and related metadata
  • Theme files and metafields (within scopes you authorize)
  • Storefront URLs, navigation, and SEO fields
  • Aggregated order and traffic metadata (only where needed for analytics features)

3.3 End-User / Storefront Data

  • Requests to the llms.txt endpoint and other App-served endpoints (user agent, IP, timestamp) for analytics on AI bot visits
  • Referrer and crawler identification data
  • We do not collect shopper personal data (name, email, payment info) through the App's storefront components

3.4 Technical and Usage Data

  • IP address, device and browser info, pages visited in the App admin
  • Logs, error reports, and performance metrics
  • Cookies and similar technologies (admin-side only)

3.5 AI Interaction Data

  • Prompts submitted to AI providers on your behalf and the generated outputs
  • Metadata about AI calls (model, token usage) for billing and performance

4. How We Collect Information

  • Directly from you when you install the App, configure settings, or contact support
  • From Shopify via authorized API scopes (OAuth)
  • Automatically via logs, cookies, and analytics when you use the App admin
  • From AI and infrastructure providers acting as subprocessors

5. How We Use Information

  • Provide, operate, and maintain the App features
  • Generate and serve llms.txt and related outputs
  • Produce AI content suggestions via third-party models (e.g., OpenAI)
  • Bill subscriptions via Shopify and manage account status
  • Provide support, troubleshoot issues, and prevent abuse
  • Improve the App (aggregated, de-identified analytics)
  • Comply with legal obligations and Shopify Partner requirements
  • Communicate product updates, security notices, and transactional emails

We do not sell or rent personal data. We do not use your store data to train third-party AI models. Prompts sent to OpenAI are processed under OpenAI's API data-usage terms, which by default exclude API inputs and outputs from training.

6. Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on:

  • Contract — to provide the App you subscribed to
  • Legitimate interests — security, fraud prevention, product improvement
  • Consent — where required (e.g., certain cookies)
  • Legal obligation — tax, accounting, lawful requests

7. Data Sharing and Subprocessors

We share data only with:

  • Shopify — platform, authentication, billing
  • OpenAI — AI content generation (U.S.)
  • DigitalOcean — application hosting (region: as configured)
  • Upstash — Redis queues and caching
  • Email/Analytics/Error-tracking providers — transactional email, product analytics, error monitoring
  • Professional advisors, auditors, and legal authorities where required by law
  • A successor entity in a merger, acquisition, or asset sale (with notice)

All subprocessors are bound by contractual confidentiality and data-protection obligations.

8. International Data Transfers

Data may be processed in India, the United States, and the European Union, depending on the subprocessor. Where transfers cross jurisdictions, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and equivalent mechanisms.

9. Data Retention

  • Active merchants: data retained for as long as the App is installed and needed to provide the Service.
  • Uninstalls: we retain store data for up to 48 hours (Shopify's required deletion window) before triggering automated deletion.
  • GDPR deletion requests: processed via Shopify's customers/redact and shop/redact webhooks within the required window.
  • Billing and legal records: retained for the period required by tax and accounting law (typically up to 7 years).

10. Shopify Mandatory Compliance Webhooks

Aura AI implements the required Shopify GDPR webhooks:

  • customers/data_request — respond to End-User data access requests
  • customers/redact — delete End-User personal data upon request
  • shop/redact — delete shop data 48 hours after App uninstall

11. Your Rights

Subject to your jurisdiction (GDPR, UK GDPR, CCPA/CPRA, India DPDP Act, and similar), you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion ("right to be forgotten")
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent
  • Lodge a complaint with a supervisory authority

To exercise these rights, contact support@nexasoftech.com. We respond within the timeframe required by applicable law (typically 30 days).

California residents (CCPA/CPRA): we do not sell or "share" personal information as defined under CCPA. You have the rights to know, delete, and correct, and the right to non-discrimination.

12. Data Security

We implement reasonable technical and organizational measures:

  • Encryption in transit (TLS) and at rest where provided by infrastructure
  • Access control, least-privilege, and audit logging
  • Secrets management and key rotation
  • Regular dependency and security updates
  • Incident response procedures

No system is 100% secure. We will notify affected parties and authorities of material data breaches as required by law.

13. Cookies and Tracking

The App admin uses cookies and similar technologies for authentication, session management, and analytics. You can manage cookies via your browser. The App does not place tracking cookies on your storefront for End Users.

14. Children's Privacy

The App is intended for business use and is not directed at individuals under 18. We do not knowingly collect data from minors. Contact us if you believe we have inadvertently done so.

15. Third-Party Links

The App or our website may link to third-party sites. We are not responsible for their privacy practices. Review their policies separately.

16. Changes to This Policy

We may update this Policy. We will give notice of material changes via in-app notice or email at least 15 days before they take effect. The "Last updated" date above reflects the most recent revision.

17. Contact Us

NexaSoftech — Aura AI

Email: support@nexasoftech.com

Website: https://aura-ai.nexasoftech.com

Location: India

For data protection inquiries, prefix the subject line with [Privacy].