GDPR and Data Protection
Inzwa is built for European merchants and takes data protection seriously. This page explains our roles under GDPR, the legal bases for processing, your rights, and the technical and organizational measures we have in place.
Our Two Roles Under GDPR
Inzwa operates in two distinct roles depending on which data is being processed. We are a Data Controller for personal data collected from visitors to inzwa.co (contact form submissions) and from merchant account holders (email, name, store information). We are a Data Processor for shopper interaction data collected through the Inzwa widget on merchant storefronts. In this second role, the merchant is the Data Controller for their shoppers, and Inzwa processes that data strictly to deliver the Inzwa service on the merchant's behalf and under their instructions.
Legal Bases for Processing
We rely on the following legal bases under GDPR Article 6. Merchant account data is processed on the basis of contract performance (Article 6(1)(b)): we need your account and store access to provide the service. Shopper session and demand intelligence data is processed on the basis of the merchant's legitimate interests (Article 6(1)(f)): merchants have a legitimate interest in understanding demand on their storefront, and Inzwa processes shopper data on their behalf for this purpose. Data submitted via the marketing contact form is processed on the basis of consent (Article 6(1)(a)): you choose to submit it.
Data Minimization and Anonymous Sessions
We apply strict data minimization to shopper data. Every shopper session is identified only by an anonymous UUID that is never linked to a Shopify customer ID, name, email, or any real-world identity. Before any transcript is processed by AI, our system automatically redacts email addresses and phone numbers. AI models receive only the anonymized and sanitized text. Contact details voluntarily shared by a shopper are stored in a separate database partition and are never passed to AI models for analysis.
Voice Data and Deepgram
When a shopper uses the voice feature, their audio stream travels directly from the shopper's browser to Deepgram's infrastructure, which converts it to text. Inzwa's servers never receive or store the raw audio. Deepgram processes this audio under a Data Processing Agreement that includes Standard Contractual Clauses for international data transfers. The resulting transcript is then handled identically to text conversations: PII is scrubbed before any AI analysis.
Data Residency and International Transfers
All merchant and session data managed by Inzwa is stored in Google Cloud Firestore in the europe-west1 region (Belgium), within the European Union. Voice processing involves Deepgram, a US-based company; this is governed by Standard Contractual Clauses. Brevo, our email provider, is a French company operating under GDPR. Cloudflare processes bot-protection tokens globally but does not receive or store your conversation data. All international transfers are covered by appropriate GDPR safeguards.
Sub-Processors
We use the following sub-processors: Google Firebase and Firestore for data storage and authentication (EU, europe-west1); Google Vertex AI and Gemini Flash for AI intent analysis using only PII-stripped transcripts (Google LLC, US, Standard Contractual Clauses); Deepgram for voice-to-text transcription (Deepgram Inc, US, Standard Contractual Clauses); Brevo for transactional email and merchant notifications (Sendinblue SAS, France, GDPR); Cloudflare Turnstile for bot protection (Cloudflare Inc, US, Standard Contractual Clauses). Each sub-processor is bound by a data processing agreement and may only process data to the extent necessary to provide their service.
Shopify GDPR Compliance Webhooks
As a Shopify app, Inzwa implements all three mandatory GDPR compliance webhooks. For customers/data_request, we confirm that no customer-identifiable personal data is stored in Inzwa, as sessions use anonymous UUIDs not linked to Shopify customer IDs. For customers/redact, no action is required for the same reason. For shop/redact, which fires 48 hours after app uninstallation, we permanently delete all data associated with the merchant, including sessions, intents, leads, catalog, collections, and configuration.
Data Processing Agreements
Merchants who need a formal Data Processing Agreement (DPA) under GDPR Article 28 can request one by contacting hi@inzwa.co. The DPA specifies the subject matter, duration, nature, and purpose of processing; the categories of personal data and data subjects involved; and the obligations and rights of the merchant as controller and Inzwa as processor. We maintain DPAs with all sub-processors listed above.
Security Measures
We implement the following technical and organizational measures: all data in transit is encrypted using TLS 1.2 or higher; all data at rest in Google Cloud Firestore is encrypted by default; access to production systems is restricted to authorized personnel; rate limiting and Cloudflare Turnstile are applied to all public API endpoints; CORS origin allowlisting ensures the widget can only send data from the merchant's authorized domain; HMAC signature verification is applied to all Shopify webhooks; and shopper PII is stored in a compartmentalized partition, separate from analytics data.
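The HMAC check on Shopify webhooks listed above, combined with the three compliance topics described under Shopify GDPR Compliance Webhooks, can be sketched as follows. This is an added example, not Inzwa's own code: the secret, the purge_shop callback, and the returned action strings are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder; Shopify signs webhooks with the app's client secret.
CLIENT_SECRET = b"example-client-secret"
COMPLIANCE_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def sign(raw_body, secret=CLIENT_SECRET):
    """Base64 HMAC-SHA256 of the raw body, as carried in X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify(raw_body, header_hmac, secret=CLIENT_SECRET):
    """Constant-time check over the exact bytes received, before JSON parsing."""
    return hmac.compare_digest(sign(raw_body, secret).encode(), header_hmac.encode())


def handle_webhook(headers, raw_body, purge_shop):
    """Return (status, action). purge_shop is a hypothetical deletion callback."""
    h = {k.lower(): v for k, v in headers.items()}
    if not verify(raw_body, h.get("x-shopify-hmac-sha256", "")):
        return 401, "rejected: bad signature"
    topic = h.get("x-shopify-topic", "")
    if topic not in COMPLIANCE_TOPICS:
        return 404, "unknown topic"
    payload = json.loads(raw_body)
    if topic == "shop/redact":
        purge_shop(payload["shop_domain"])
        return 200, "all merchant data deleted"
    # customers/data_request, customers/redact: sessions are anonymous UUIDs,
    # so there is nothing customer-identifiable to export or erase.
    return 200, "no customer-identifiable data held"


if __name__ == "__main__":
    # Constructed sample delivery (not a real shop).
    body = json.dumps({"shop_id": 1, "shop_domain": "example.myshopify.com"}).encode()
    hdrs = {"X-Shopify-Topic": "shop/redact", "X-Shopify-Hmac-Sha256": sign(body)}
    deleted = []
    print(handle_webhook(hdrs, body, deleted.append), deleted)
    print(handle_webhook(hdrs, body + b" ", deleted.append))  # altered body -> 401
```

The signature is computed over the raw request bytes, so a framework that re-serializes the JSON before the check will fail verification on otherwise valid deliveries.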
Your Rights and How to Exercise Them
Merchant account holders have the right to access, correct, delete, or export their personal data; to object to or restrict processing; and to withdraw consent. Contact hi@inzwa.co to exercise these rights. For shoppers: because sessions use anonymous UUIDs, Inzwa cannot identify a specific shopper from session data alone. Rights requests from shoppers should be directed to the merchant, who is the Data Controller. Inzwa will cooperate with merchants to fulfill their obligations to their shoppers. You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi, or with the supervisory authority in your EU country of residence.
Last updated: May 2026. For questions, contact hi@inzwa.co.
