Privacy Policy
Effective Date: April 8th, 2026
Article 1 - Introduction
PickyPal SAS is a simplified joint-stock company (société par actions simplifiée) incorporated in France, registered with the Paris Trade and Companies Register under number 931 089 346, with its registered office in Paris, France.
This Privacy Policy explains how PickyPal collects, uses, shares, and protects personal data when providing its AI-powered chatbot service (“the Service”) to business clients (“Clients”) who integrate the Service into their own platforms.
PickyPal is committed to protecting personal data in accordance with the EU General Data Protection Regulation (GDPR) and relevant French data protection laws.
For the purposes of GDPR, PickyPal acts as a Data Controller for Client account and billing data, and as a Data Processor for End User chat data processed on behalf of Clients.
Article 2 - Who this Policy applies to
This Privacy Policy applies to:
- Clients: Businesses using PickyPal via the subscription (including admin users);
- End Users: Individuals interacting with the chatbot on our Clients' websites/apps;
- Visitors: People visiting our website (www.pickypal.co).
For End User data, the Client acts as Data Controller, and PickyPal acts as Data Processor.
Article 3 - Data we collect
3.1 From Clients:
- Contact info: Name, business email, company name;
- Usage data: Dashboard activity, subscription history, support tickets;
- Payment data: Processed via a third-party processor.
3.2 From End Users:
- Chat data: Questions, search queries, product preferences, and language used during interactions with the chatbot;
- Metadata: Device type, IP address, browser locale, and technical identifiers, which may be truncated, pseudonymized, or otherwise processed to reduce identifiability where possible;
- Cookies and similar technologies: Used only when the Service is embedded in a web browser, for functionality and performance purposes (see Cookies Policy).
3.3 Conversation history & user identification
PickyPal stores conversation history generated through interactions with the chatbot.
Depending on the Client’s configuration, conversations may be associated with identifiable user accounts when End Users are authenticated on the Client’s platform.
Where End Users are not authenticated, or where identification is disabled by the Client, conversations are stored without direct user identification under a “guest user” or “anonymous user” label.
Article 4 - Why we use the Data
We use the data to:
- Deliver the chatbot service for the performance of a contract (Article 6(1)(b) GDPR);
- Personalize or improve chatbot responses for legitimate interests (Article 6(1)(f) GDPR);
- Contact Clients for service-related matters (performance of a contract and legitimate interests);
- Analyze and improve product performance, with anonymization, on the basis of legitimate interests;
- Fulfill legal or regulatory obligations (Article 6(1)(c) GDPR);
- Provide Clients with access to conversation history and insights for analytics, customer support, and service optimization.
Where processing is based on legitimate interests, PickyPal ensures that such interests are not overridden by the rights and freedoms of individuals, who may object to such processing at any time.
Article 5 - Cookies & tracking
When the Service is embedded in a web browser, cookies may be used to:
- Authenticate sessions;
- Analyze user interaction (e.g., chat engagement metrics);
- Save preferences.
We do not use marketing cookies or third-party advertising trackers. See our Cookies Policy for details and opt-out options.
Where applicable, technical identifiers may be stored in the user’s browser or session to maintain continuity of interactions and associate conversations with returning users. These identifiers are used solely for service functionality and do not include advertising trackers.
Article 6 - Data sharing
PickyPal does not sell or rent personal data.
PickyPal treats all Client data and End User data as confidential and processes it in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
PickyPal may share personal data with trusted third-party service providers (subprocessors) strictly to operate, maintain, and improve the Service, including hosting infrastructure, analytics, and payment processing. These providers are contractually bound by confidentiality obligations and required to process personal data in compliance with applicable data protection laws, and only on behalf of PickyPal.
In its role as Data Processor, PickyPal processes End User data solely to provide and improve the Service for the Client. This includes accessing and analyzing conversation data for performance monitoring, quality assurance, analytics, and product improvement purposes.
Access to personal data within PickyPal is strictly limited to authorized personnel for support, monitoring, and service improvement purposes.
Conversation data may be made available to the Client through the dashboard for analysis, customer support, and operational use. The Client remains responsible for how such data is accessed and used within their organization.
Where possible, data used for internal analysis and improvement is anonymized or pseudonymized.
PickyPal does not use identifiable personal data from Client environments to train generalized AI models.
No personal data is disclosed to third parties for their own independent use.
Where personal data is transferred outside the European Economic Area (EEA), PickyPal ensures appropriate safeguards are in place, such as the European Commission’s Standard Contractual Clauses (SCCs), or transfers only to countries recognized as providing an adequate level of protection.
PickyPal processes personal data on behalf of the Client and in accordance with the Client’s configuration and use of the Service, except where required by applicable law.
Article 7 - Data retention
The retention period varies according to the data type as follows:
- For Client data, the retention period is as long as the subscription is active, plus 10 years for invoicing and legal records;
- For chat data, the retention period is 12 months by default. The Client may request a longer or shorter storage period in writing, subject to technical feasibility;
- For logs and metadata, the retention period is 12 months, after which data may be anonymized or deleted;
- For website cookies, the retention period is up to 12 months, per cookie type, with user consent renewed in accordance with applicable regulations and CNIL guidelines;
- When the Service is installed via certain third-party platforms (such as Shopify), the uninstallation of the Service may trigger data deletion obligations. In such cases, PickyPal may delete personal data associated with the Service within a short period (typically within 48 hours), in accordance with applicable platform requirements and data protection laws.
Retention periods may be adjusted where necessary to comply with legal obligations or upon documented request from the Client.
Article 8 - Clients' and End Users' rights
Under GDPR, End Users (and, where applicable, Client representatives) have the right to:
- Access personal data;
- Correct inaccurate or incomplete data;
- Request deletion (“right to be forgotten”);
- Object to or restrict processing;
- Request data portability (where applicable);
- Withdraw consent (where processing is based on consent);
- Lodge a complaint with a data protection authority.
To exercise these rights, email: dev@pickypal.co.
For End Users, PickyPal acts on behalf of the Client and will redirect or assist in handling requests as instructed by the Client.
PickyPal may request verification of identity before processing any request.
Article 9 - Data security
PickyPal implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (HTTPS) and at rest where applicable;
- Access control based on the principle of least privilege;
- Authentication and role-based access management;
- Logging and monitoring of system access;
- Internal security policies and staff training;
- Incident detection and data breach response procedures.
Article 10 - Changes to this Policy
We may update this Privacy Policy to reflect changes in the law, our services, or our data processing practices.
The “Effective Date” above will be updated accordingly.
Where appropriate, we may inform Clients that this Privacy Policy has been updated and invite them to review the latest version.
Continued use of the Service after the Effective Date constitutes acknowledgement of the updated Privacy Policy.
Article 11 - Contact
If you have any questions about this Privacy Policy or how we handle personal data, contact: dev@pickypal.co.
Article 12 - Subprocessors
PickyPal may engage subprocessors to support the delivery of the Service, including hosting providers, infrastructure services, analytics tools, payment processors, and technical service providers.
Where subprocessors process personal data on behalf of PickyPal, PickyPal takes reasonable steps to ensure that they are subject to appropriate contractual, confidentiality, and data protection obligations.
A list of subprocessors is available upon request and may be updated from time to time.
Article 13 - Client responsibilities
Clients are responsible for:
- Informing End Users of the use of the chatbot and the collection of conversation data;
- Ensuring that any required notices or consent mechanisms are in place on their platforms;
- Determining whether conversation data is linked to identifiable user accounts.
PickyPal processes End User data solely on behalf of the Client.
Article 14 - Automated processing / AI transparency
The Service uses automated processing to generate responses and recommendations based on user inputs and available data.
PickyPal does not make decisions producing legal or similarly significant effects on individuals within the meaning of Article 22 GDPR.
Article 15 - Data breach handling
In the event of a personal data breach affecting Client data, PickyPal will notify the relevant Client without undue delay and provide reasonable assistance in meeting any regulatory obligations.