Privacy Policy

Last updated: May 2026

1. Introduction

Concie (“we”, “us”, “our”) provides an AI customer service and shopping assistant that merchants embed on their stores and websites. This Privacy Policy explains what personal data we collect when you interact with the assistant, how we use it, who we share it with, and the choices and rights you have.

It applies to our marketing site (concie.co), our merchant dashboard, and the assistant experience that runs on participating merchant sites. Merchants may also have their own privacy notices that apply to their store; we encourage you to read those alongside this policy.

2. Our Role: Controller and Processor

When you visit concie.co or sign up for a Concie account, we act as the data controller of your personal data. When you chat with the assistant on a merchant’s store, the merchant is generally the data controller of the conversation data and we act as a data processor on their behalf, under a Data Processing Agreement. The merchant decides what the assistant can do, what knowledge it draws on, and how long conversation data is retained, within the limits of this policy.

3. Information We Collect

Depending on how you interact with us, we may collect:

  • Conversation data: The messages, questions, attachments and voice inputs you send to the assistant, the assistant’s replies, the tools it called (e.g. product search, order lookup), and timestamps. Conversations may include personal data you choose to share, such as your name, email, order number, or shipping address.
  • Account data: If you create a Concie account (e.g. as a merchant or admin), we store your name, email, organization, role, hashed authentication credentials, and account preferences.
  • Merchant catalog and content: Product, FAQ, policy and help-center content provided by the merchant so the assistant can answer accurately. This is not your personal data, but it is part of how the assistant generates answers.
  • Usage and event data: Pages viewed, features used, clicks, scroll behaviour, search queries, suggestions shown, ratings and feedback you give on assistant replies, and error or crash reports.
  • Device and technical data: Device type, operating system, browser, language, time zone, IP address, approximate location derived from IP, and pseudonymous identifiers we generate to keep a session coherent.
  • Cookies and similar technologies: Cookies, local storage and similar identifiers, as described in our Cookie Policy.
  • Communications: If you contact us by email or through a form, we keep a record of the message and our reply.

Please do not share sensitive personal data with the assistant (for example payment card numbers, government IDs, health data, precise geolocation, or credentials). The assistant does not need this information to help you, and merchants’ checkout and account systems are the right place for it.

4. How We Use Your Information

We use the information described above to:

  • Run the assistant in real time: understand your question, search the merchant’s catalog and knowledge base, generate a relevant reply, and execute the action you asked for (e.g. find a product, summarize a return policy, look up an order).
  • Maintain session context so the assistant can follow a multi-turn conversation without you repeating yourself.
  • Operate, secure, and improve our services, including debugging, monitoring abuse, preventing fraud, and protecting against malicious or automated traffic.
  • Measure quality and performance in aggregate (e.g. resolution rate, response latency, helpfulness ratings) so we and the merchant can improve the assistant.
  • Communicate with you about your account, service updates, and security notices.
  • Comply with legal obligations, enforce our terms, and defend our rights.

5. Legal Bases for Processing (EEA / UK)

If you are in the EEA or UK, we rely on the following legal bases under the GDPR / UK GDPR:

  • Performance of a contract: to deliver the assistant when you (or your merchant) have signed up for our service.
  • Legitimate interests: to secure and improve the service, prevent abuse, and run aggregated quality analytics, balanced against your interests and rights.
  • Consent: for non-essential cookies and any optional features that require it; you can withdraw consent at any time.
  • Legal obligation: to meet our legal and regulatory duties (e.g. tax, fraud, lawful requests).

6. AI Processing, Models, and Sub-processors

To generate answers, the assistant sends your messages and relevant merchant context to large language model (LLM) providers we have selected as sub-processors (for example OpenAI, Anthropic, and Google). These providers process the data on our behalf, under contracts that prohibit them from using it to train their general-purpose foundation models.

We do not sell your personal data, and we do not use the content of your conversations to train third-party foundation models. We may use de-identified or aggregated conversation data to evaluate, debug, and improve our own assistant (for example, to fix where it gives wrong answers). Where we use a sample of conversations for human review or model evaluation, we apply access controls and minimization. You can ask us to exclude your data from these improvement uses by contacting us; merchants can configure this for their store.

A current list of the main sub-processors we use (LLM providers, cloud hosting, analytics, error monitoring, email delivery) is available on request at contact@concie.co.

7. Automated Decisions and Profiling

The assistant uses automated processing to understand questions, retrieve relevant content, and generate replies. These interactions do not produce legal or similarly significant effects about you. The assistant is a help tool, not a substitute for human judgement: if a topic is sensitive or requires escalation (for example a refund decision, an account closure, or a complaint), a human at the merchant or at Concie can review it on request.

8. Sharing of Information

We share personal data only as needed to run the service:

  • With the merchant: when you chat on a merchant’s store, that merchant can see the conversations that took place on their site so they can support you and improve their store.
  • With sub-processors: cloud hosting, LLM providers, analytics, error monitoring, customer support, and email delivery providers, under written data-processing terms.
  • For legal reasons: if required by law, court order, or regulator, or to protect rights, safety, or the integrity of our service.
  • Business transfers: in the context of a merger, acquisition, financing or sale of assets, with appropriate safeguards and notice where required.

We do not sell your personal data and we do not share it for cross-context behavioral advertising.

9. International Data Transfers

We are based in the EU and host data primarily in the EU. Some of our sub-processors (for example LLM providers) may process data in the United States or other countries. When personal data is transferred outside the EEA or UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK Addendum, supplemented by additional measures where needed.

10. Data Retention

We keep personal data only as long as we need it for the purposes described above, then delete or anonymize it. Typical retention periods:

  • Conversation transcripts: by default up to 12 months, or the period configured by the merchant, then deleted or anonymized.
  • Aggregated analytics and quality metrics: kept in non-identifying form for as long as useful to operate the service.
  • Account data: kept while the account is active and for a limited period after closure for backup, audit, and legal reasons.
  • Logs and security records: typically up to 90 days, longer where needed to investigate an incident.

11. Security

We use a layered set of technical and organizational measures to protect personal data, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, network isolation, secret management, vulnerability scanning and patching, and least-privilege access for staff. No method of transmission or storage is perfectly secure, but we work continuously to reduce risk and respond to incidents quickly.

12. Your Rights (EEA, UK, and Similar)

Depending on where you live, you may have the right to:

  • Access and receive a copy of the personal data we hold about you.
  • Correct data that is inaccurate or incomplete.
  • Request deletion of your data ("right to be forgotten").
  • Restrict or object to certain processing, including processing based on legitimate interests.
  • Withdraw consent at any time, where processing is based on consent.
  • Receive your data in a portable, machine-readable format and ask us to transmit it to another provider.
  • Lodge a complaint with your local data protection authority. We would appreciate the chance to address your concern first.

To exercise these rights, contact us at contact@concie.co. If your conversation took place on a merchant’s store, you may also need to contact that merchant; we will help route your request when needed.

13. Your Rights (California and Other U.S. States)

If you are a California resident, the California Consumer Privacy Act, as amended (CCPA/CPRA), gives you the right to know what personal information we collect, to access and delete it, to correct inaccurate information, to limit the use of sensitive personal information, and to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising. Similar rights apply in other U.S. states with comprehensive privacy laws (for example Virginia, Colorado, Connecticut, Utah, and Texas).

You can exercise these rights by emailing contact@concie.co. We will not discriminate against you for exercising them.

14. Children

Our services are not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us and we will delete it.

15. Cookies

For details on cookies, local storage and similar technologies, see our Cookie Policy.

16. Changes to This Policy

We may update this Privacy Policy as our service, the law, or our practices evolve. We will revise the “Last updated” date at the top and, for material changes, take reasonable steps to notify you (for example via the assistant, the dashboard, or email). Continued use of the service after a change becomes effective means you accept the updated policy.

17. Contact Us

For any privacy question, request, or to reach our privacy team and (where applicable) our Data Protection Officer, contact contact@concie.co.