CLISHOP Privacy Policy

This Privacy Policy explains how Davoox (“CLISHOP,” “we,” “us,” “our”) collects, uses, shares, and protects personal data when you access or use the CLISHOP command-line interface, hosted website, APIs, and related services (collectively, the “Services”).

By using the Services, you acknowledge and understand the practices described in this Privacy Policy.

1) Controller (Who is responsible for your data)

Controller: Davoox (CLISHOP)
Address: Gaston Crommenlaan 8, 9000 Ghent, Belgium
Email: agent@clishop.ai

2) What the Services do (and who receives your data)

CLISHOP is a shopping tool that routes Orders to third-party Vendors. Vendors are the sellers of record and will receive the information needed to fulfill your Orders (see Section 6).

3) Personal data we collect

A) Data you provide to us

• Account data: email address, username, and authentication data (e.g., hashed password or auth credentials).
• Profile data (optional): any information you choose to add to your account.
• Order data: shipping name, shipping address, contact details, Order contents, and information required to route and manage Orders.
• Support communications: messages you send us and any information you include in support requests.

B) Data we collect automatically when you use the Services

Because CLISHOP is a CLI and a web product, we collect and generate detailed usage records, including:

• Command and query logs: we log every search, every command, and every request you make through the Services (including content provided by an AI Agent using your account).
• Order routing and status logs: timestamps, routing events, Vendor responses, and operational metadata.
• Device and technical data (mainly website/API): IP address, device identifiers, browser type, operating system, language, referring pages, and similar diagnostic/telemetry data.
• Security and fraud signals: login attempts, authentication events, suspicious activity indicators, rate limiting events, and abuse prevention logs.

Important: Commands/queries may contain personal data if you type it (or if your AI Agent includes it). Do not enter sensitive information (e.g., government IDs, health data) into commands unless absolutely necessary.

C) Payment data

• Payment tokens/identifiers: we store Stripe payment method tokens/identifiers linked to your account so we can charge your saved payment method and process refunds.
• Transaction data: amounts, currency, timestamps, refunds, and payment status.

We do not store full card numbers in the Services.

D) Data from Vendors and third parties

We may receive information from Vendors and service providers about:

• Order acceptance/rejection
• fulfillment/shipping updates (if provided)
• refund approvals/initiations (if provided)
• fraud and risk signals (if provided by payment processors)

4) How we use personal data (Purposes)

We use personal data to:

Provide and operate the Services

• create and manage accounts
• authenticate users
• route Orders to Vendors
• display Order status (when available)
• provide core CLI/website/API functionality

Process payments and refunds

• charge payment methods using stored tokens
• handle billing records
• process Vendor-approved refunds

Log activity and maintain auditability

• maintain logs of searches, commands, and Order activity
• troubleshoot issues and investigate incidents
• maintain operational records and integrity

Security, fraud prevention, and abuse prevention

• detect suspicious activity and prevent misuse
• protect accounts and infrastructure
• enforce rate limits and prevent automated abuse

Improve and develop the Services

• monitor performance and reliability
• analyze aggregated usage to improve features and user experience
• debug failures and reduce errors

Communicate with you

• service messages and notices
• support responses
• security alerts and account-related notifications

Legal compliance and enforcement

• comply with applicable laws and lawful requests
• enforce our Terms & Conditions
• resolve disputes and protect rights, safety, and property

5) Legal bases for processing (GDPR)

When the GDPR applies, we rely on one or more of these legal bases:

• Contract necessity: to provide the Services you request (account, routing, Order handling, support).
• Legal obligation: to meet accounting, tax, and other legal requirements.
• Legitimate interests: to secure the Services, prevent fraud/abuse, maintain logs, and improve reliability and performance.
• Consent (where required): for certain cookies/trackers and any processing that legally requires consent. You may withdraw consent at any time for future processing.

6) How we share personal data

We share personal data only as needed to operate the Services:

A) Vendors (sellers of record)

We share Order and fulfillment data with Vendors so they can accept and fulfill Orders, including:

• items ordered
• shipping name/address and contact details
• Order metadata needed to process and fulfill the Order

Vendors process your data under their own privacy policies as sellers of record.

B) Payment processors (Stripe)

We share transaction data with our payment processor(s) to process charges and refunds. Stripe provides payment tokens/identifiers that we store for future charges/refunds.

C) Service providers (processors)

We may share data with providers that help us run the Services (e.g., hosting, databases, monitoring/logging, email delivery, analytics). These providers act as processors under contract and may only process data on our instructions.

D) Legal, compliance, safety

We may disclose data if we believe it is reasonably necessary to:

• comply with law, regulation, legal process, or lawful requests
• protect the rights, property, or safety of CLISHOP, users, Vendors, or the public
• prevent fraud, abuse, or security incidents

E) Business transfers

If Davoox is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal data may be transferred as part of that transaction (subject to applicable law).

We do not sell personal data.

7) International transfers

Your data may be processed in countries outside the EEA, for example where Vendors or service providers operate globally. Where required by law, we use appropriate safeguards for international transfers (such as contractual protections and other legally recognized mechanisms).

8) Data retention

We retain personal data only as long as necessary for the purposes described:

• Account data: retained while your account is active. If you delete your account, we will delete or anonymize account data within a reasonable period, except where retention is required for legal compliance, security, or dispute resolution.
• Order and payment records: typically retained up to 7 years to meet accounting, tax, and legal obligations.
• Command/search/request logs: typically retained up to 24 months for security, debugging, fraud prevention, and auditability (and longer if needed to investigate abuse, resolve disputes, or comply with law).
• Support communications: typically retained up to 24 months after resolution (and longer if needed for disputes/legal compliance).

Retention periods may be extended if required by law or where necessary to establish, exercise, or defend legal claims.

9) Security (and your responsibilities)

We use reasonable technical and organizational measures designed to protect personal data, including access controls and secure handling of payment data via tokenization.

However, no system is perfectly secure. You are responsible for:

• using strong passwords and securing your account credentials
• securing any AI Agent, automation, or environment you connect to CLISHOP
• avoiding placing unnecessary sensitive personal data into CLI commands, prompts, or queries

10) Experimental/Beta Service Disclaimer and Limitation of Liability (Privacy)

The Services are an early launch / experimental (beta) product. You understand that bugs, outages, incorrect behavior, and unexpected processing/logging behaviors may occur.

To the maximum extent permitted by applicable law:

• you use the Services at your own risk, and
• CLISHOP disclaims liability for damages arising from the use of an experimental service, including security incidents, data loss, or unauthorized access, except where such liability cannot legally be excluded or limited (including rights you may have under the GDPR or other mandatory laws).

Nothing in this Privacy Policy limits your non-waivable rights under applicable data protection law.

11) Your rights (GDPR and similar laws)

Depending on your location and applicable law, you may have rights to:

• Access your personal data
• Rectify inaccurate data
• Delete data (subject to legal retention and other lawful grounds)
• Restrict or object to certain processing
• Data portability (for certain data)
• Withdraw consent where processing is based on consent

To exercise rights, contact agent@clishop.ai. We may need to verify your identity before fulfilling requests.

12) Cookies and similar technologies (Website)

Our hosted website may use cookies/local storage and similar technologies for:

• essential functionality (login/session/security)
• preferences
• performance and reliability
• analytics (where enabled)

Where required, we will request consent before using non-essential cookies. You can also control cookies through browser settings (note: blocking essential cookies may break functionality).

13) Children

The Services are not specifically directed at children. We do not knowingly collect personal data from children under 13 without appropriate authorization. If you believe a child under 13 has provided us personal data, contact agent@clishop.ai and we will take appropriate steps, including deletion where required.

14) Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date above. Continued use of the Services after an update means you acknowledge the updated policy.