# Privacy Controls and GDPR Compliance for Your Agent

> Understand how MerchantAI handles visitor data, configure cookie consent, manage opt-outs, and access GDPR compliance documentation for your agent.

MerchantAI is built for businesses that take visitor trust seriously. The platform includes controls for cookie consent, visitor opt-out, right-to-delete requests, and formal GDPR compliance documentation — so you can deploy your agent in a way that respects privacy obligations from day one. This page explains how data flows through the platform and what controls you have as a workspace owner.

## Data processing

Visitor conversations and any contact data captured during the chat are processed within the MerchantAI platform. A few principles govern how that data is handled:

* **Workspace scope** — all content is scoped to the authorised workspace and the configured agent. Data from one workspace is never accessible to another workspace or shared with other MerchantAI customers.
* **Encryption in transit** — all data sent between the visitor's browser, the MerchantAI widget, and the platform is encrypted using TLS.
* **Encryption at rest** — conversation transcripts, contact details, and knowledge base content are encrypted at rest in MerchantAI's infrastructure.
* **No training on your data** — your conversation data is not used to train shared or general-purpose AI models.

For authoritative details on data retention periods, subprocessors, and international transfer mechanisms, refer to the [Privacy Policy](https://merchantai.io/legal/privacy) and [Security page](https://merchantai.io/legal/security).

## Visitor opt-out

Visitors have several ways to opt out of data collection or end a session:

* **Cookie banner** — if your site uses a consent management platform (CMP), the MerchantAI widget can be configured to load only after the visitor has granted consent. Until consent is given, the widget does not initialise and no data is collected.
* **End chat** — visitors can type `end chat` at any point in the conversation, or close the widget, to terminate the session. The conversation is no longer active after this point.
* **Right-to-delete** — visitors who want their data removed can request deletion. As a workspace owner or team member, you fulfil this request in one click from the Contacts inbox (see below).

## Right-to-delete

If a visitor requests deletion of their data, you can action that request directly from the **Contacts** inbox:

1. Find the visitor's record in the **Contacts** inbox.
2. Open their contact profile.
3. Select **Delete contact** — this permanently removes their contact details and full conversation history from your workspace.

Deletion is immediate and irreversible. The record cannot be recovered after this action.

## GDPR

MerchantAI provides a **Data Processing Agreement (DPA)** for organisations that require formal documentation of their GDPR obligations. The DPA covers the roles of data controller and data processor, the categories of personal data processed, technical and organisational security measures, and provisions for international data transfers.

To request a DPA, contact the MerchantAI team using the details on the [enterprise page](https://merchantai.io/enterprise) or email the team directly. The team will provide the current DPA for your review and countersignature.

## Cookie banner and consent management

If your website uses a consent management platform (such as OneTrust, Cookiebot, or a custom CMP), you can configure the MerchantAI widget to respect the visitor's consent signal before loading:

* Set the widget script to initialise only after a positive consent event is fired by your CMP.
* Until consent is granted, the widget remains dormant — no cookies are set and no data is sent to MerchantAI's servers.
* If a visitor later withdraws consent, the widget can be programmatically unloaded.

Contact [support](https://merchantai.io/contact) if you need implementation guidance for your specific CMP setup.
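
The gating described above, as an added example (not MerchantAI's own code): the widget script is injected only on a positive consent signal and removed when consent is withdrawn. The script URL, element id, `teardown` hook, and the choice of Cookiebot's `preferences` category are assumptions; take the real values from your own embed snippet and CMP configuration.

```javascript
// Added example. WIDGET_SRC and SCRIPT_ID are placeholders, not real
// MerchantAI values; copy the script URL from your own embed snippet.
const WIDGET_SRC = "https://widget.example.invalid/embed.js";
const SCRIPT_ID = "chat-widget-script";

// doc is injected so the gate can be exercised outside a browser.
// teardown is a hypothetical hook for whatever unload call your widget offers.
function createConsentGate(doc, { src = WIDGET_SRC, teardown = () => {} } = {}) {
  let loaded = false;
  return {
    isLoaded: () => loaded,
    // Feed every CMP decision through here. Anything other than a strict
    // boolean true is treated as "no consent", so the gate fails closed.
    update(granted) {
      if (granted === true && !loaded) {
        const script = doc.createElement("script");
        script.id = SCRIPT_ID;
        script.src = src;
        script.async = true;
        doc.head.appendChild(script);
        loaded = true;
      } else if (granted !== true && loaded) {
        // Removing the tag does not stop code that already ran, so the
        // widget's own unload routine must be called as well.
        teardown();
        const script = doc.getElementById(SCRIPT_ID);
        if (script) script.remove();
        loaded = false;
      }
      return loaded;
    },
  };
}

// Browser wiring, Cookiebot shown. Mapping the widget to the "preferences"
// category is an assumption; use the category your CMP assigns to it.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const gate = createConsentGate(document);
  const sync = () => gate.update(window.Cookiebot?.consent?.preferences === true);
  window.addEventListener("CookiebotOnAccept", sync);
  window.addEventListener("CookiebotOnDecline", () => gate.update(false));
}
```

Verify the result in the browser's network and storage panels: before consent there should be no request to the widget host and no widget cookies.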

## Compliance materials

<CardGroup cols={3}>
  <Card title="Privacy Policy" icon="file-lines" href="https://merchantai.io/legal/privacy">
    Full details on data collection, retention, subprocessors, and your rights as a data subject.
  </Card>

  <Card title="Security page" icon="shield-halved" href="https://merchantai.io/legal/security">
    Infrastructure security, encryption standards, access controls, and incident response.
  </Card>

  <Card title="DPA" icon="file-contract">
    Available on request. Contact the MerchantAI team to receive the current Data Processing Agreement.
  </Card>
</CardGroup>

<Note>
  Enterprise customers can arrange a custom security and compliance review with the MerchantAI team — including infrastructure questionnaires, security documentation packs, and tailored DPA terms. Reach out via the [enterprise page](https://merchantai.io/enterprise) to start that conversation.
</Note>

## Frequently asked questions

<Accordion title="What data does MerchantAI store?">
  MerchantAI stores the following categories of data within your workspace:

  * **Conversation transcripts** — the full text of every chat session between visitors and your agent.
  * **Visitor contact details** — name, email address, and any other information the visitor provides during the conversation (for example, an order number).
  * **Source page references** — the knowledge sources cited by the agent in its answers, used for analytics and conversation review.
  * **Agent configuration and knowledge base content** — your system prompt, topic rules, uploaded files, Q\&A pairs, and indexed website content.

  All of this data is scoped to your workspace and is not shared with other customers or used to train shared models.
</Accordion>

<Accordion title="Where is my data processed?">
  For authoritative and up-to-date information on data residency, processing locations, and international transfer mechanisms, refer to the [Privacy Policy](https://merchantai.io/legal/privacy) and [Security page](https://merchantai.io/legal/security). These documents are kept current as the platform's infrastructure evolves.

  If you are an enterprise customer with specific data residency requirements, contact the MerchantAI team to discuss a custom arrangement and security review.
</Accordion>

<Accordion title="How do I request a DPA?">
  To receive the current Data Processing Agreement, either:

  * **Email the team** using the contact address listed on the [Contact page](https://merchantai.io/contact), or
  * **Use the contact form** on the [enterprise page](https://merchantai.io/enterprise) and note that you are requesting a DPA.

  The team will send you the current DPA document, which you can review and return countersigned. The DPA is available to all customers on paid plans.
</Accordion>
