Privacy Policy

Last updated: February 22, 2026

1. Controller

The controller responsible for data processing on this platform is:

DXSoft
Email: privacy@dxsoft.io
Website: https://dxsoft.io

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Data

  • Name, email address, password (hashed with bcrypt)
  • Organization name, timezone, locale preferences
  • Role and permissions within the organization

2.2 Usage Data

  • Feature usage metrics (tickets created, articles viewed, etc.)
  • Session data (login times, IP addresses for security)
  • Chat conversations between your end-customers and the AI agent

2.3 Shop & App Data

  • Shopify shop domains and metadata (synced via Shopify Partner API)
  • App information, installation events, and analytics

2.4 Payment Data

  • Billing information is processed by Stripe. We store only Stripe Customer IDs, Subscription IDs, and invoice references — never credit card numbers.

3. Legal Basis for Processing (GDPR Art. 6)

  • Contract Performance (Art. 6(1)(b)): Processing account data, subscriptions, and support features to fulfill our service agreement.
  • Legitimate Interest (Art. 6(1)(f)): Security measures, analytics, and service improvement.
  • Consent (Art. 6(1)(a)): Marketing communications, optional analytics, and cookie usage.
  • Legal Obligation (Art. 6(1)(c)): Tax records, invoice retention, and regulatory compliance.

4. Data Processing & Third Parties

We use the following third-party processors:

Service           | Purpose                        | Location
Vercel            | Hosting & CDN                  | USA (EU data region available)
Neon (PostgreSQL) | Database                       | EU (Frankfurt)
Upstash           | Redis Cache, Vector DB, Queue  | EU (Frankfurt)
Stripe            | Payment Processing             | USA (EU-US DPF)
OpenAI            | AI Agent (chat responses)      | USA (DPA available)
Pusher            | Real-time messaging            | EU (Ireland)
Resend            | Transactional emails           | USA (EU-US DPF)

Data Processing Agreements (DPAs) are in place with all processors that handle personal data. Where data is transferred outside the EU, appropriate safeguards (Standard Contractual Clauses or EU-US Data Privacy Framework) are ensured.

5. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of Access (Art. 15): Request a copy of your personal data.
  • Right to Rectification (Art. 16): Correct inaccurate data.
  • Right to Erasure (Art. 17): Request deletion of your data ("Right to be Forgotten").
  • Right to Restriction (Art. 18): Restrict processing of your data.
  • Right to Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interest.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time.

To exercise these rights, contact us at privacy@dxsoft.io or use the data export and account deletion features in your Dashboard under Settings > Privacy.

6. Data Retention

  • Active accounts: Data is retained as long as the account is active.
  • Deleted accounts: Data is retained for 30 days after account deletion (soft-delete period), then permanently removed.
  • Invoices & billing records: Retained for 10 years as required by German tax law (§ 147 AO).
  • Chat conversations: Retention depends on the plan (Free: 30 days, Starter: 90 days, Pro: 365 days, Enterprise: unlimited).
  • Security logs: Retained for 90 days.

7. Cookies

We use the following cookies:

  • dxsoft_session: Authentication session cookie (essential, 1 hour).
  • dxsoft_refresh: Refresh token cookie (essential, 7 days).
  • dxsoft_locale: Language preference (functional, 1 year).

We do not use tracking cookies or third-party advertising cookies.

8. AI Data Processing

The AI chat agent processes conversation data to provide support responses. Conversations may be:

  • Sent to OpenAI for response generation (subject to OpenAI's data processing terms).
  • Stored as conversation summaries for improved service quality.
  • Used for knowledge gap analysis (anonymized) to improve the knowledge base.

PII (Personally Identifiable Information) is automatically redacted from AI processing through our guardrails system.

9. Data Export & Account Deletion

You can request a full export of your data or request account deletion through:

  • Dashboard: Settings > Privacy > Export Data / Delete Account
  • API: POST /api/v1/gdpr/export and POST /api/v1/gdpr/delete-account
  • Email: privacy@dxsoft.io

10. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin
Website: datenschutz-berlin.de

11. Changes

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a notice within the Service. The latest version is always available on this page.