Privacy Policy — Seekr
Last updated: May 11, 2026
1. Introduction
Seekr is a Shopify application operated by Ikonis Labs ("we", "our"). It replaces a Shopify store's native search bar with an AI-powered conversational engine: shoppers describe what they're looking for in natural language, and Seekr uses vector embeddings and a large language model to surface relevant products from the merchant's catalog.
This policy explains what data we collect, why, where it is stored, and your rights. It applies both to Shopify merchants who install Seekr and to end shoppers who interact with the search widget on a merchant's storefront.
2. Data We Collect
Merchant data
When you install the app through Shopify OAuth, we receive: shop domain (myshopify.com), merchant email, store language, Seekr subscription plan and status. A Shopify access token is issued so Seekr can interact with your shop; it is encrypted at rest using AES-256-GCM.
Catalog data
With the Shopify write_products scope you authorize at install, we read from the Shopify API: product titles, descriptions, tags, prices, variants, availability, and image URLs. This data is required to index your catalog and serve relevant search results.
Search analytics (shopper side)
When a shopper uses the Seekr widget on a merchant's storefront, we record: the search query, clicks on results, add-to-cart events triggered from the widget, the position of the clicked result, and the intent parsed by our model. No personally identifiable information (PII) is collected from shoppers: no name, no email, no stored IP address, no persistent identifier. An ephemeral session ID is stored in memory (Redis, 30-minute TTL) only to enable multi-turn conversational searches, and expires automatically.
3. How We Use the Data
- Catalog indexing: generating vector embeddings via the OpenAI text-embedding-3-small model (1536 dimensions).
- Intent parsing for conversational queries via the OpenAI GPT-4.1-nano model.
- AI-assisted product tag generation (PRO plan only).
- Synonym generation (PRO plan only, run weekly).
- Merchant analytics and insights: catalog gaps, popular queries, zero-result recovery.
- Billing and subscription management via Shopify Managed Pricing.
4. Sub-processors
We rely on a limited number of carefully selected vendors to process certain data on our behalf. Each is bound by a data processing agreement (DPA).
| Sub-processor | Role | Jurisdiction | DPA |
|---|---|---|---|
| Shopify Inc. | Authentication, webhooks, App Proxy, billing | Canada / US | shopify.com/legal/dpa |
| OpenAI, L.L.C. | Embeddings and intent parsing | US | openai.com/policies/data-processing-addendum |
| Amazon Web Services, Inc. | Hosting (ECS, RDS PostgreSQL, ElastiCache, SQS, Lambda, S3) — eu-west-1 region (Ireland) | EU (Ireland) | aws.amazon.com/compliance/gdpr-center |
| Crisp IM SAS | Live chat support (merchant admin dashboard only) | France | crisp.chat/en/privacy |
| Functional Software, Inc. (Sentry) | Error monitoring | US | sentry.io/legal/dpa |
Seekr uses OpenAI's standard API: per OpenAI's API data usage policy, data sent through the API is not used to train OpenAI's models.
5. Data Retention
- Search analytics: 7 days (FREE plan) / 365 days (PRO plan).
- Product embeddings: as long as the product exists in your shop.
- Merchant data (settings, plan, status): as long as the app is installed.
- Sentry logs: 90 days.
- Uninstallation: upon receipt of the Shopify shop/redact webhook, all shop data is cascade-deleted within 48 hours.
6. GDPR & Data Subject Rights
Seekr is compliant with the General Data Protection Regulation (GDPR). We implement the three Shopify mandatory compliance webhooks:
customers/data_request— Seekr stores no shopper PII, so there is no data to return.customers/redact— Same: no shopper data to delete.shop/redact— Complete and permanent deletion of all shop data within 48 hours.
As a data subject, you have the right to access, rectify, erase, port, and object to the processing of your data. To exercise these rights, contact us at support@ikonis-labs.com.
7. Data Security
- All Shopify access tokens are encrypted at rest using AES-256-GCM.
- HTTPS everywhere (TLS 1.2+).
- Authentication via Shopify session tokens, with HMAC validation on every webhook and App Proxy request.
- Hosting in the European Union (AWS eu-west-1, Ireland).
- No browser storage set by Seekr on the shopper side: no persistent cookies, no localStorage, no sessionStorage.
8. International Data Transfers
Your data is primarily processed within the European Union (AWS eu-west-1, Ireland). Transfers to the United States (OpenAI, Sentry, Shopify) are covered by the Standard Contractual Clauses (SCCs) adopted by the European Commission and, where applicable, by the EU-US Data Privacy Framework.
9. Cookies
Seekr does not set any cookies on shoppers' browsers. The admin dashboard, embedded in the Shopify admin, relies only on standard Shopify sessions (Seekr does not add third-party cookies). Crisp, our live support tool, may set its own cookies in the merchant dashboard only — never on the shopper side.
10. Children's Privacy
Seekr is not directed at children under 16 and does not knowingly collect any data from them.
11. Changes to This Policy
Any material change to this policy will be notified to merchants by email and/or in-app at least 30 days before it takes effect. The "Last updated" date at the top of this page will be revised with each update.
12. Contact
For any question regarding this policy or your data, contact Ikonis Labs at:
See also: Ikonis Labs general privacy policy · Terms of Service