Privacy policy · elnudge.com/privacy

What we collect, what we don't, and who sees it.

elNudge runs on first-party signals. No third-party ad trackers, no data sold, no cross-site profiling. Ever.

Last updated · 02 May 2026

1. Who we are

elsapiens Technologies Pvt Ltd ("elsapiens", "elNudge", "we", "us") operates the elNudge service — an AI-powered intent-scoring and nudge engine that helps online merchants reduce cart abandonment. Our registered office is in Bengaluru, India.

This Privacy Policy applies to:

  • Merchants who install the elNudge Shopify app or script tag on their store.
  • Visitors (end-customers) who browse a merchant storefront where elNudge is active.

Where elNudge processes visitor data on behalf of a merchant, the merchant is the data controller and elNudge is the data processor. Merchants using the Shopify App are additionally subject to Shopify's own privacy terms.

2. How data is collected — Shopify merchants

When a merchant installs elNudge from the Shopify App Store, the app automatically injects a lightweight JavaScript SDK onto the merchant's storefront via Shopify's ScriptTag API. No manual theme editing is required.

The SDK collects visitor behavioural signals directly in the visitor's browser and transmits them to elNudge servers over an encrypted connection. The SDK does not use third-party cookies, cross-site identifiers, or browser fingerprinting.

During OAuth installation, elNudge requests the following Shopify API access scopes and uses them as described:

  • read_script_tags / write_script_tags — to inject and remove the elNudge SDK without requiring theme edits.
  • read_products — to fetch product title, description, price, and images so the AI can reference accurate product details in nudge copy.
  • read_orders — to retrieve recent order history for returning visitors so the AI can tailor nudge tone to repeat versus new buyers.
  • read_customers — to fetch customer name, order count, and tags so the AI can personalise conversations for recognised shoppers.

Product, order, and customer data fetched via the Shopify Admin API is used only for generating personalised nudges on that merchant's own store. It is never sold, shared with third parties, used for advertising, or used to train AI models.

3. What visitor data we collect

  • Behavioural signals — scroll depth, hover dwell time, time on page, navigation events, tab switches, idle periods, exit-intent gestures.
  • Cart events — add-to-cart, remove-from-cart, and purchase completion events emitted by the merchant's storefront.
  • Page context — the current URL, page title, and structured product data on the viewed page.
  • Conversation transcripts — when a visitor engages in chat or voice with the AI agent, the conversation is stored and used to continue the session and attribute conversions.
  • Device and browser metadata — coarse device type (mobile/desktop/tablet), browser name and version, operating system, and preferred language. No precise GPS, no IP-derived city or street-level location, no hardware fingerprint.
  • Session identifier — a random UUID generated per browser session, stored in sessionStorage (not a persistent cookie). It expires when the browser tab closes.

4. What we do not collect

  • No third-party advertising cookies or tracking pixels.
  • No precise GPS or IP-derived street-level location.
  • No cross-merchant or cross-site tracking. Each merchant's visitor data is siloed.
  • No biometric data. Voice audio is processed in real time for speech recognition and is not retained beyond the session.
  • No payment card numbers, bank account details, or PAN/Aadhaar numbers.
  • No data from visitors on merchant sites is used to train AI models (including Anthropic's models).
  • No data is sold or rented to data brokers, advertisers, or any third party.

5. Third-party sub-processors

elNudge relies on a small number of sub-processors to deliver the service. When visitor data is shared with a sub-processor, it is subject to a Data Processing Agreement and used only for the stated purpose.

Sub-processor Purpose Data shared Region
Anthropic, PBC (Claude API) Generates personalised nudge copy and AI chat responses. Conversation context (page URL, product data, chat transcript) is sent to Anthropic's API for each AI turn. Conversation transcript, page URL, product name/price. No visitor name or contact details unless the visitor provides them in chat. US
Deepgram, Inc. Real-time speech-to-text for voice conversations. Visitor voice audio (in-session only; not retained after transcription). US
Cloud infrastructure provider Hosting, databases, and object storage for elNudge services. All elNudge service data. Data is stored in encrypted PostgreSQL databases. Merchant data region: India (default) or EU (on request). India / EU
Razorpay Software Pvt Ltd Payment processing for merchant subscriptions. Merchant billing email and payment details. Visitor data is never shared with Razorpay. India

Anthropic's API is used solely to generate chat responses and nudge copy. Anthropic does not use data submitted via API calls to train its models, per Anthropic's API usage policy.

6. Data retention

  • Behavioural signals — 90 days from session end.
  • Conversation transcripts — 12 months from session end.
  • Aggregate analytics (no personal data) — indefinitely.
  • Shopify API data (products, orders, customers) — cached for up to 24 hours per session and then discarded. Not stored long-term.
  • Merchants on Enterprise plans may configure custom retention windows via the dashboard.
  • On merchant uninstall, all visitor data linked to that merchant is scheduled for deletion within 30 days.

7. Legal basis for processing (GDPR)

For visitors in the European Economic Area (EEA) or the United Kingdom, our processing is based on:

  • Legitimate interest (Article 6(1)(f) GDPR) — the merchant's legitimate interest in reducing cart abandonment, balanced against visitor expectations on commercial storefronts.
  • Consent — where the merchant's consent management platform (CMP) has obtained explicit visitor consent, the SDK respects the visitor's consent state and does not fire before consent is given.

Merchants are responsible for configuring their CMP correctly and for providing visitors with appropriate notice in their own privacy policy.

8. California Consumer Privacy Act (CCPA / CPRA)

For visitors who are California residents, elNudge acts as a "service provider" under the CCPA/CPRA. We do not sell or share personal information for cross-context behavioural advertising. We do not use visitor personal information for any purpose other than providing the elNudge service to the merchant.

California residents have the right to:

  • Know what personal information is collected about them.
  • Delete their personal information (subject to certain exceptions).
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information (not applicable — we do not sell data).
  • Non-discrimination for exercising their rights.

To exercise your rights, email [email protected] or contact the merchant whose store you were visiting (they are the data controller).

9. India Digital Personal Data Protection Act (DPDP 2023)

elsapiens is an Indian company and complies with the Digital Personal Data Protection Act, 2023. Visitors who are data principals under the DPDP Act have the right to access, correct, and erase their personal data. Requests may be submitted to [email protected].

10. Shopify GDPR webhooks

elNudge implements all mandatory Shopify privacy webhooks. When Shopify sends a data request or deletion webhook on behalf of a merchant or visitor, elNudge responds as follows:

  • customers/data_request — We compile all stored session and conversation data linked to the customer's email or Shopify customer ID and make it available to the merchant within 30 days.
  • customers/redact — We permanently delete all session events, conversation transcripts, and derived data linked to the customer within 30 days of receiving the webhook.
  • shop/redact — We permanently delete all data linked to the merchant's shop within 30 days of receiving the webhook (triggered after app uninstall).

All three endpoints respond with HTTP 200 within 5 seconds of receipt. Processing is asynchronous. Merchants can also trigger manual data deletions from Dashboard → Settings → Data & Privacy.

11. Security

  • Data in transit is encrypted with TLS 1.3.
  • Data at rest is encrypted with AES-256 at the database and disk level.
  • Access to production data is restricted to authorised personnel via role-based access controls and MFA.
  • We follow SOC 2 Type II security controls and undergo annual third-party penetration testing.
  • The elNudge SDK is hosted on a CDN with integrity checking. Merchants can validate the script hash via the dashboard.

12. International data transfers

Data may be processed in India (default) and the EU (on request). Transfers to the US occur when data is processed by Anthropic (Claude API) and Deepgram. These transfers are governed by standard contractual clauses and the sub-processors' data processing agreements.

EU-based merchants may request EU-only data residency. Contact [email protected] to activate this.

13. Children

elNudge is not intended for deployment on websites directed at children under 13 (or under 16 in the EU). Merchants must not install elNudge on stores primarily directed at children. We do not knowingly collect data from children. If we become aware that we have done so, we will delete the data immediately.

14. Changes to this policy

We will notify merchants of material changes by email at least 30 days before they take effect. Minor clarifications (e.g., grammar, broken links) take effect on publication. The current version is always available at elnudge.com/privacy.

15. Contact & data requests

Privacy enquiries: [email protected]
Data Protection Officer: [email protected]
Data deletion requests: [email protected] — include your email address and the merchant store URL. We respond within 30 days, free of charge.
Postal: elsapiens Technologies Pvt Ltd · Bengaluru, Karnataka, India