Important: This Privacy Policy describes how KAAROBOT (SMC-PRIVATE) LIMITED ("Kaarobot", "we", "us", or "our") processes personal data in connection with the Kaarobot application and services for Shopify merchants, including WhatsApp order confirmation and conversational support.
1) Who we are
- KAAROBOT (SMC-PRIVATE) LIMITED, incorporated in Pakistan. Registered address on file; not publicly disclosed in this policy.
- Contact: support@kaarobot.pk
2) Scope and roles
- Our direct customers are Shopify merchants who install and use Kaarobot.
- For merchant account data and merchant's end-customer data processed via our app, we generally act as a data processor/service provider to the merchant (the controller), unless applicable law treats us differently.
- For our own website/app user accounts (e.g., our admin dashboard users via Google OAuth), we act as a data controller.
3) What we collect
Based on our service's operation:
- Merchant user data (controller role): name, email, profile picture (from Google OAuth); account and settings; session tokens via HttpOnly cookies (idToken, refreshToken).
- Shopify order data (processor role): order totals, order title/name, line items, product metadata needed for messaging; order status mapping; hashed phone number and encrypted phone number for conversation linking.
- WhatsApp messaging data (processor role): outbound message metadata (Twilio message ID, status); inbound message body and selected webhook metadata. We deliberately avoid storing raw `WaId`, `From`, `ChannelMetadata`, and `ProfileName` fields, and we store phone references only in hashed/encrypted form.
- Conversations (processor role): customer messages, agent responses, and event metadata necessary to render conversation history and update order statuses.
- AI operations (processor role): subsets of order details, FAQs, and conversation history snippets may be shared with our AI provider strictly to generate relevant responses. We do not instruct models to store personal data beyond request processing.
- System data: device, IP, or logs may be processed by hosting and infrastructure providers as part of security and delivery. We currently do not use analytics or marketing cookies.
4) Sources
- Directly from merchant users (OAuth sign-in).
- Via Shopify APIs and webhooks (orders).
- Via WhatsApp/Twilio webhook (inbound messages) and Twilio messaging API (outbound).
- From our application logic (conversation and order updates).
- From our AI provider for real-time inference (inputs and outputs).
5) Purposes of processing
- Provide WhatsApp order confirmation and conversational support.
- Update order status according to end-customer responses.
- Authenticate merchant users; manage accounts and settings.
- Operate and secure the service; prevent abuse.
- Improve message quality and product understanding through FAQs and AI responses.
6) Legal bases (where applicable)
- Performance of a contract with merchants (providing the service).
- Legitimate interests (security, service integrity).
- Consent where required by law (e.g., WhatsApp messaging templates as applicable to merchants' programs).
7) Data sharing and international transfers
- Shopify: to ingest orders and update related status.
- Twilio WhatsApp: to send/receive WhatsApp messages; message body and template variables are transmitted to Twilio.
- OpenAI: to generate conversation replies and product FAQs; relevant, minimized inputs are sent.
- Google OAuth: for merchant user sign-in and token handling.
- Hosting (e.g., AWS, likely us-east-1): application and database hosting.
Transfers may occur internationally. Where required, we rely on appropriate safeguards (e.g., standard contractual clauses) provided by our vendors.
8) Retention
- Conversations, orders, and related logs are retained indefinitely by default to preserve order auditability and conversation context.
- Merchant or end-user deletion requests will be honored; we will delete or anonymize records as technically feasible, subject to legal obligations and backups.
9) Security
- Phone numbers are stored as hashed identifiers plus encrypted phone fields for message delivery.
- OAuth tokens are stored in HttpOnly cookies.
- We use industry-standard safeguards appropriate to our systems and the data we process. No method is 100% secure.
10) Your choices and rights
- Merchants: access, rectify, export, or delete your account data by contacting us.
- End-users (customers of merchants): request access or deletion through the merchant; we will support merchant instructions as their processor.
- Where applicable law grants additional rights, we will facilitate them on request.
11) Children
- The service is for users 18+ and is not intended for children.
12) Prohibited uses/content
- We do not support use on platforms or stores that promote pornography, gambling, or other illegal products/services under Pakistani law.
13) Changes
- We may update this policy and will post the latest version with an updated effective date.
14) Contact
- Email: support@kaarobot.pk
- If you are in a jurisdiction that requires specific notices (e.g., EU/UK), contact us for a Data Processing Addendum and regional modules, including SCCs.