Reply Pilot Privacy Policy

Last updated: May 8, 2026

Reply Pilot is an embedded Shopify app that helps merchants import product reviews, draft replies with AI, approve those replies, and send them through a connected review provider. This policy explains what data Reply Pilot processes, why it is used, how long it is kept, and how merchants and shoppers can request access or deletion.

For shopper personal data, the Shopify merchant remains responsible for the storefront customer relationship. Reply Pilot acts as a service provider for the merchant and processes data only to operate the app, support the merchant, and meet Shopify platform obligations.

Summary

Reply Pilot reads only the Shopify scopes approved during installation. The current production scope is product read access.
Review provider data is processed only when a merchant connects a provider such as Judge.me and supplies the required shop identifier and private API token.
AI generation uses review, product, and brand voice context so the merchant can approve or edit replies before they are sent.
Reply Pilot does not sell personal data and does not use shopper data for advertising or cross-merchant profiling.
Merchants can request a data summary or delete stored app data from the in-app Help page, and Shopify privacy webhooks are implemented for platform requests.

Data Reply Pilot Processes

Shopify account and session data

Reply Pilot stores Shopify shop domains, installation/session records, access tokens, approved scopes, and limited admin user metadata needed for Shopify authentication. Depending on the authenticated Shopify API request, session metadata can include admin user name, email, locale, collaborator status, account owner status, and token expiration.

Shopify product data

When product context is enabled, Reply Pilot may read product titles, product types, tags, and cleaned product description context. This is used to help draft more accurate public replies to product reviews.

Connected review provider data

If a merchant connects Judge.me or another supported review source, Reply Pilot stores the review provider shop identifier, connection status, encrypted private API token, masked token display, account metadata, settings metadata, review counts, and recent review samples needed to verify and operate the connection.

Review and reply workflow data

Reply Pilot stores imported review records and reply workflow state, including review text, rating, source review ID, source payload, customer or reviewer name/initials when supplied by the review provider, product title/type/tags, draft reply text, AI model metadata, generation timestamps, edit status, sent/skipped status, and last error details.

Merchant-entered app data

Merchants may enter brand voice guidance, greetings, sign-offs, preferred phrases, phrases to avoid, preview review text, selected AI model tier, app settings, support requests, customization requests, feedback, and reply email addresses for support follow-up.

Credits and billing records

Reply Pilot stores credit balances, credit ledger entries, package selections, purchase status, Shopify billing purchase identifiers, billing names, confirmation URLs, timestamps, and billing error metadata. Payment card details are handled by Shopify and are not stored by Reply Pilot.

How Data Is Used

Authenticate merchants and keep the embedded Shopify app working securely.
Connect to the merchant's selected review provider and import review data.
Generate, edit, preview, queue, approve, send, skip, and audit review replies.
Apply merchant brand voice and product context to AI-generated replies.
Track credit balances, credit spending, and Shopify billing status.
Provide support, customization help, troubleshooting, and privacy request handling.
Protect the service from errors, unauthorized access, and abuse.
Comply with Shopify App Store and privacy webhook requirements.

AI Providers

When a merchant uses AI features, Reply Pilot may send the minimum necessary review text, product context, merchant brand voice settings, and draft instructions to configured AI providers such as OpenAI or Google Gemini. AI output is returned to Reply Pilot as a draft for merchant review. Merchants should avoid entering unnecessary sensitive information in brand voice fields, support messages, preview text, or review reply instructions.

Sharing and Service Providers

Reply Pilot shares data only as needed to operate the app. Service providers may include Shopify, the merchant's connected review provider such as Judge.me, configured AI providers, database and hosting infrastructure, SMTP/email providers used for support and privacy notices, and Shopify billing services. Reply Pilot does not sell shopper or merchant personal data.

Retention and Deletion

Data is retained while the app is installed and while needed to provide the app, support the merchant, maintain security, keep billing records, or comply with legal obligations. Sent and skipped review history is retained according to the merchant's in-app retention settings.

Disconnecting a review provider removes the saved provider connection and encrypted API token, but it does not automatically delete all review history, reply drafts, app settings, credit records, support requests, or Shopify session records. Merchants can request deletion of all stored app data from the Help page inside the app.

When Shopify sends a shop redaction request after uninstall, Reply Pilot deletes persisted app data for the affected shop, including review records, AI drafts, brand voice settings, review provider connection records, app settings, credit records, support/contact requests, and Shopify sessions, unless retention is legally required.

Security

Reply Pilot uses Shopify authentication, Shopify webhook verification, HTTPS in production, database access controls, environment-based secrets, and per-app database credentials. Review provider private API tokens are encrypted at rest using AES-256-GCM with a server-side key. No system can guarantee absolute security, but Reply Pilot is designed to limit access to the data needed for app operation.

Shopify Privacy Webhooks

Shopify requires public apps to implement mandatory privacy webhooks. Reply Pilot implements customers/data_request, customers/redact, and shop/redact endpoints and verifies Shopify webhook authenticity before processing them.

customers/data_request notifies the app operator so the relevant customer data request can be reviewed and answered.
customers/redact removes matching customer-related records when Shopify provides customer identifiers such as email, phone, or customer ID.
shop/redact deletes persisted app data for the affected shop after uninstall or a Shopify shop deletion request.

Merchant and Shopper Rights

Merchants can request access, correction, export, or deletion of data associated with their shop. Inside the app, the Help page includes data summary and full app-data deletion controls.

Shoppers should usually contact the merchant first because the merchant controls the storefront customer relationship. Shopper requests sent to Reply Pilot should include the shop domain, review provider context, and enough identifying information to locate the relevant records.

International Processing

Reply Pilot and its service providers may process data in the United States or other countries where the app operator, hosting providers, Shopify, connected review providers, AI providers, or email providers operate. Those locations may have data protection rules different from the merchant's or shopper's location.

Changes to This Policy

This policy may be updated as Reply Pilot changes features, providers, data handling, or legal requirements. The "Last updated" date above reflects the latest version of this document.

Contact

For privacy, support, access, or deletion requests, contact the Reply Pilot operator using the support email listed in the Shopify App Store listing and shown on the in-app Help page.