Skip to main content
MerchantAI is built for businesses that take visitor trust seriously. The platform includes controls for cookie consent, visitor opt-out, right-to-delete requests, and formal GDPR compliance documentation — so you can deploy your agent in a way that respects privacy obligations from day one. This page explains how data flows through the platform and what controls you have as a workspace owner.

Data processing

Visitor conversations and any contact data captured during the chat are processed within the MerchantAI platform. A few principles govern how that data is handled:
  • Workspace scope — all content is scoped to the authorised workspace and the configured agent. Data from one workspace is never accessible to another workspace or shared with other MerchantAI customers.
  • Encryption in transit — all data sent between the visitor’s browser, the MerchantAI widget, and the platform is encrypted using TLS.
  • Encryption at rest — conversation transcripts, contact details, and knowledge base content are encrypted at rest in MerchantAI’s infrastructure.
  • No training on your data — your conversation data is not used to train shared or general-purpose AI models.
For authoritative details on data retention periods, subprocessors, and international transfer mechanisms, refer to the Privacy Policy and Security page.

Visitor opt-out

Visitors have several ways to opt out of data collection or end a session:
  • Cookie banner — if your site uses a consent management platform (CMP), the MerchantAI widget can be configured to load only after the visitor has granted consent. Until consent is given, the widget does not initialise and no data is collected.
  • End chat — visitors can type end chat at any point in the conversation, or close the widget, to terminate the session. The conversation is no longer active after this point.
  • Right-to-delete — visitors who want their data removed can request deletion. As a workspace owner or team member, you fulfil this request in one click from the Contacts inbox (see below).

Right-to-delete

If a visitor requests deletion of their data, you can action that request directly from the Contacts inbox:
  1. Find the visitor’s record in the Contacts inbox.
  2. Open their contact profile.
  3. Select Delete contact — this permanently removes their contact details and full conversation history from your workspace.
Deletion is immediate and irreversible. The record cannot be recovered after this action.

GDPR

MerchantAI provides a Data Processing Agreement (DPA) for organisations that require formal documentation of their GDPR obligations. The DPA covers the roles of data controller and data processor, the categories of personal data processed, technical and organisational security measures, and provisions for international data transfers. To request a DPA, contact the MerchantAI team using the details on the enterprise page or email directly. The team will provide the current DPA for your review and countersignature. If your website uses a consent management platform (such as OneTrust, Cookiebot, or a custom CMP), you can configure the MerchantAI widget to respect the visitor’s consent signal before loading:
  • Set the widget script to initialise only after a positive consent event is fired by your CMP.
  • Until consent is granted, the widget remains dormant — no cookies are set and no data is sent to MerchantAI’s servers.
  • If a visitor later withdraws consent, the widget can be programmatically unloaded.
Contact support if you need implementation guidance for your specific CMP setup.

Compliance materials

Privacy Policy

Full details on data collection, retention, subprocessors, and your rights as a data subject.

Security page

Infrastructure security, encryption standards, access controls, and incident response.

DPA

Available on request. Contact the MerchantAI team to receive the current Data Processing Agreement.
Enterprise customers can arrange a custom security and compliance review with the MerchantAI team — including infrastructure questionnaires, security documentation packs, and tailored DPA terms. Reach out via the enterprise page to start that conversation.

Frequently asked questions

MerchantAI stores the following categories of data within your workspace:
  • Conversation transcripts — the full text of every chat session between visitors and your agent.
  • Visitor contact details — name, email address, and any other information the visitor provides during the conversation (for example, an order number).
  • Source page references — the knowledge sources cited by the agent in its answers, used for analytics and conversation review.
  • Agent configuration and knowledge base content — your system prompt, topic rules, uploaded files, Q&A pairs, and indexed website content.
All of this data is scoped to your workspace and is not shared with other customers or used to train shared models.
For authoritative and up-to-date information on data residency, processing locations, and international transfer mechanisms, refer to the Privacy Policy and Security page. These documents are kept current as the platform’s infrastructure evolves.If you are an enterprise customer with specific data residency requirements, contact the MerchantAI team to discuss a custom arrangement and security review.
To receive the current Data Processing Agreement, either:
  • Email the team using the contact address listed on the Contact page, or
  • Use the contact form on the enterprise page and note that you are requesting a DPA.
The team will send you the current DPA document, which you can review and return countersigned. The DPA is available to all customers on paid plans.