WooshStore

Privacy Policy

Last updated: 2026-06-07

What WooshStore is

WooshStore (operated by WooshPayment / Giuseppe Caraviello) is an AI service that helps you build Shopify stores via chat. Main domain: https://wooshstoreai.com.

Data we collect

When you create an account we store:

  • Email (required) for authentication and communications.
  • Password (optional, hashed with bcrypt cost 12; never plaintext).
  • Session cookie wooshstore_session (HS256-signed JWT, 30-day lifetime).
  • Browser locale (it/en) to localise transactional emails.

When you use the AI chat we collect:

  • Messages in your conversation (text, tool calls, tool results).
  • Project state (niche, brand, chosen domain, theme, etc.).
  • AI tokens consumed per project (analytics + cost limits).
  • Events (e.g. shopify_connected, published) for audit + analytics.

When you connect Shopify we collect:

  • Shop domain and access token, AES-256-GCM encrypted at rest.
  • Public shop info (name, currency, timezone, primary domain) via the Shopify Admin GraphQL API.

When you connect Facebook / Instagram (Repost Engine use case):

  • Long-lived Page Access Token for your Facebook Page, AES-256-GCM encrypted at rest (lib/crypto).
  • Long-lived User Access Token for your Instagram Business / Creator account (60-day rolling, auto-refreshed via ig_refresh_token), encrypted.
  • fbPageId, igUserId, username of the connected entities, in plaintext (public identifiers).
  • List of OAuth scopes granted (e.g. pages_manage_posts, instagram_content_publish), stored for diagnostics and to revoke tokens correctly on disconnect.
  • Last successful publish timestamp (lastPostAt) for per-Page rate-limit guard.

When you use Arbitrage Detector / Discovery (TikTok Shop product radar use case):

  • EchoTik public results (GMV, sales, video counts) — all aggregated public data, no TikTok user PII.
  • Favorites: products you starred, stored in a DB table with a snapshot of the data at click time.

We don't collect end-customer PII (your Shopify buyers) nor external Facebook/Instagram users' PII (comments, followers, DMs). We only operate on the merchant owner's data + business assets they own.

Cookies

WooshStore uses strictly necessary cookies only:

  • wooshstore_session — auth, HttpOnly + Secure in prod, SameSite=Lax.
  • wooshstore_oauth_state / shop / project — short-lived (10 min) during the Shopify OAuth flow.
  • ws_cookie_consent — stores your banner choice (13-month lifetime).

No Google Analytics, no Meta Pixel, no third-party tracking scripts at time of writing.

Sub-processors

To run the service we share data with:

  • Supabase (Postgres database) — Frankfurt EU.
  • Vercel (Next.js hosting) — global.
  • Resend (transactional email) — verify, magic link, confirmations.
  • Anthropic (Claude AI model) — your messages are sent to generate replies. Anthropic does not train on API data (see policy).
  • Groq (Llama 3.3-70B AI model) — used for hashtag/caption generation and product analysis in the Repost Engine.
  • Shopify (when you connect your store) — Admin GraphQL API calls.
  • Meta Platforms (Facebook + Instagram, when you connect your accounts) — Graph API calls to publish on FB Pages and IG Business profiles. Our Facebook App ID is 1050841084264254 ("wooshstoreai page posting"). Tokens are used solely for the publications you authorize, never to read private content.
  • EchoTik (open.echotik.live) — third-party provider of public TikTok Shop data (GMV, product rankings, aggregated videos). Receives no WooshStoreAI account data; only anonymous queries about public products.
  • Sentry (error tracking, when SENTRY_DSN is set) — receives stack traces with no user PII.

All sub-processors are GDPR-compliant. US transfers under SCCs.

Your GDPR rights

  • Access and portability: download a full JSON export of any project at /api/projects/<id>/export or from the sidebar menu.
  • Erasure: use "Delete permanently" in the project menu, or email hello@wooshstoreai.com. Detailed procedure also at Data Deletion.
  • Meta erasure: you can also disconnect the app from Facebook Settings → Apps and Websites → "wooshstoreai page posting" → Remove. Meta will send us a programmatic request which we process within 30 days.
  • Rectification: change email under Account → Change email (requires current password).
  • Logout everywhere: invalidate all sessions from the Account panel.

Retention

  • Active projects: as long as you exist as a user.
  • Archived projects: automatic deletion after 90 days (founder-configurable).
  • Magic-link / password-reset tokens: max 15-30 min, single-use.
  • Email-change tokens: max 24 hours.
  • Email verification: max 7 days.
  • Meta tokens (FB Page + IG): retained while you maintain an active connection. Deleted within 30 days of disconnecting the app or requesting account deletion.
  • Inactive accounts: no automated policy; request manual deletion if desired.

Security

  • bcrypt cost 12 password hashing.
  • AES-256-GCM at-rest encryption for Shopify access tokens.
  • Forced HTTPS, HSTS preload-ready.
  • Magic-link/reset tokens stored as SHA-256 hashes (raw token never in DB).
  • HMAC SHA-256 verification on Shopify webhooks (timing-safe compare).
  • Rate limiting on sensitive flows (magic link, password reset, email verify).

Contact

  • Privacy / DPO: hello@wooshstoreai.com
  • Controller: Giuseppe Caraviello (Italy)

Last updated: 2026-06-07.