Privacy Policy
This policy explains what personal data Inzwa collects, why we collect it, and how we protect it. We operate from Finland and comply with the General Data Protection Regulation (GDPR). If you have any questions, contact us at hi@inzwa.co.
Who We Are
Inzwa is a demand intelligence platform for e-commerce merchants, operated under the trading name Inzwa from Finland. We provide an AI-powered sales assistant widget and a merchant analytics dashboard. References to "we", "us", or "Inzwa" in this policy mean the Inzwa service operated from Finland. Our contact email is hi@inzwa.co.
Data We Collect from Website Visitors
When you visit inzwa.co, we collect your IP address for security and rate-limiting purposes. If you submit our contact form, we collect your name, email address, Shopify store URL, and any message you include. We use Cloudflare Turnstile, a privacy-respecting bot protection service, on this form. Contact data is stored in Brevo, a French email platform, and used to respond to your inquiry and, if you consent, to send updates about Inzwa. We do not currently use analytics cookies on inzwa.co. If this changes, we will update this policy and implement a cookie consent mechanism before doing so.
Data We Collect from Merchant Accounts
When you create an Inzwa merchant account, we collect your email address and display name via Google Firebase Authentication. We also sync data from your Shopify store to power the service, including your product catalog, collections, store policies, blog articles, and order data. If you connect Google Drive for the catalog upload feature, we access only the folders you authorize. This data is stored in Google Cloud Firestore in the EU (europe-west1 region, Belgium) and is used solely to provide the Inzwa service to you.
Shopper Data on Merchant Storefronts
When a shopper interacts with the Inzwa widget on a merchant's Shopify store, we collect the conversation transcript (voice or text), a randomly generated anonymous session identifier (UUID) that is not linked to the shopper's real identity, the current page URL and product context, the shopper's browser user agent and referrer, and a cart token used for sales attribution. If a shopper voluntarily submits their name, email, or phone number via the widget's contact form, that information is stored and forwarded to the merchant. Inzwa processes all shopper data on behalf of the merchant, who is the Data Controller for their shoppers.
How We Handle Conversation Data
Before any transcript is analyzed by our AI systems, we automatically redact email addresses and phone numbers from the text using pattern matching. Our AI models (Google Vertex AI, Gemini) receive only this sanitized text and never process original contact details. For voice sessions, the shopper's audio stream goes directly from their browser to Deepgram's voice AI infrastructure to produce a transcript; Inzwa never stores the raw audio. The resulting transcript is then subject to the same PII scrubbing before AI analysis. Contact details voluntarily shared by a shopper are stored separately from conversation analytics and never passed to AI models.
Our Roles Under GDPR
Inzwa acts as a Data Controller for data collected from visitors to inzwa.co and from merchant account holders. Inzwa acts as a Data Processor when handling shopper interaction data on behalf of merchants who embed the Inzwa widget. Merchants are the Data Controllers for their shoppers' data and are responsible for disclosing the use of Inzwa in their own storefront privacy policies. Merchants who require a formal Data Processing Agreement (DPA) under GDPR Article 28 may request one by contacting hi@inzwa.co.
Sub-Processors and Third-Party Services
We use the following sub-processors to deliver the Inzwa service: Google Firebase and Firestore for data storage in the EU (europe-west1); Google Vertex AI and Gemini for AI intent analysis using only anonymized transcripts; Deepgram for voice-to-text processing, a US-based service covered by Standard Contractual Clauses; Brevo for transactional email notifications and marketing contact management, a French service subject to GDPR; and Cloudflare Turnstile for bot protection, covered by Standard Contractual Clauses. All sub-processors are contractually bound to process data only as instructed.
Data Retention
Contact form data submitted via inzwa.co is retained in Brevo until you request deletion at hi@inzwa.co. Merchant account data is retained while your account is active. Shopper session and conversation data is retained while the Inzwa app is installed on your Shopify store. When the app is uninstalled, all merchant data including sessions, intents, and leads is permanently deleted in line with Shopify's shop/redact GDPR compliance webhook. Merchants who need session data deleted before uninstallation may request this at hi@inzwa.co.
International Data Transfers
Your data is stored primarily in the EU through Google Cloud Firestore (europe-west1, Belgium). Voice processing involves Deepgram, a US-based company, covered by Standard Contractual Clauses approved by the European Commission. Brevo is a French company operating under GDPR. Cloudflare processes bot-protection tokens globally; no conversation or personal data is shared with Cloudflare beyond the verification request.
Your Rights and How to Contact Us
Under GDPR, you have the right to access, correct, delete, or export your personal data; to restrict or object to processing; and to withdraw consent where processing is based on consent. If you are a website visitor or merchant account holder, contact hi@inzwa.co to exercise these rights. If you are a shopper who interacted with an Inzwa widget on a merchant's store, contact that merchant directly, as they are the Data Controller for your data. You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi.
Last updated: May 2026. For questions, contact hi@inzwa.co