Official Legal Document

Privacy Policy

Effective Date: June 22, 2026

Cursive AI, Inc. ("Cursive", "we", "us", or "our") values the privacy of e-commerce merchants ("Merchants") who install our application, as well as the customers of those Merchants ("End Users"). This Privacy Policy describes how we collect, protect, process, and delete information in connection with the Cursive Shopify application (the "Service").

By installing the Service on your Shopify store, you agree to the collection and use of information in accordance with this policy. Under applicable data protection regulations (such as GDPR and CCPA), Cursive acts as a Data Processor on behalf of the Merchant, who is the Data Controller.

1. Data Collected from Shopify API

To deliver autonomous email generation and recovery services, Cursive integrates directly with your Shopify storefront. During installation, we request access keys to collect the following data classes:

  • Merchant Storefront Information: Store name, physical business address, email, primary currency, language settings, and active domains. This information is utilized to configure DMARC/SPF compliance and establish visual brand signatures.
  • Customer Event Signals (Webhooks): Immediate telemetry signals regarding checkout activities (specifically checkouts/create, checkouts/update, and checkouts/delete) to determine when cart abandonment campaigns should be triggered.
  • Customer Transaction Data: Email addresses, customer names, checkout total values, abandoned item names, product images, and currency parameters. This allows the AI agent to draft highly contextual personal notes.
  • Order Telemetry: History of past purchase count and total lifetime value (LTV) to trigger automated customer winback and VIP segments.

2. Processing Logic and AI Infrastructure

Cursive utilizes proprietary Large Language Model (LLM) orchestration structures to compose text-first marketing copy.

  • Data Isolation: All customer data processed by Cursive is isolated within a dedicated database environment. We do not merge or combine customer profiles across different Merchant databases.
  • Model Security: Customer names, email handles, and cart contents are securely structured as single-use generation context. Our API agreements with third-party LLM providers (including OpenAI and Anthropic) explicitly prohibit the use of Merchant or End User data for generalized model training.

3. Subprocessors and Data Sharing

Cursive shares limited data with third-party subprocessors solely to provide the Service. These subprocessors comply with the GDPR and CCPA requirements and are bound by strict data processing agreements:

Subprocessor             | Purpose                        | Data Categories
AWS / PostgreSQL         | Cloud Infrastructure & Storage | Encrypted database of webhook history
Anthropic / OpenAI       | AI Generation Layer            | Customer name, cart items (Zero-Retention APIs)
Resend / Twilio SendGrid | Email Transmission             | Recipient email address, name, message body

4. Retention, Erasure, and Shopify GDPR Webhooks

We adhere strictly to Shopify's mandatory GDPR compliance framework. We run the following automated privacy procedures:

  • Shopify Uninstall Trigger: When you uninstall the Cursive app, all active webhook listeners are deactivated immediately. Within 48 hours, an automated process purges your store credentials, brand tokens, and customer metadata from our active systems.
  • GDPR Customer Redaction Webhook (customers/redact): If an End User requests deletion of their personal information through your storefront, Shopify sends us a webhook. We locate all historical email records relating to that user and permanently redact their personal data within 14 days.
  • GDPR Customer Request Data Webhook (customers/data_request): If an End User requests access to their stored history, we compile and deliver the raw delivery data to you within 5 days so you can fulfill their controller request.
  • GDPR Shop Redaction Webhook (shop/redact): Purges all remaining database records associated with the shop within 48 hours.

5. Data Security Standards

Cursive protects your store and customer data using modern security measures:

  • All network traffic is encrypted using TLS 1.3.
  • Databases are encrypted at rest using AES-256 with automated daily backups.
  • We execute automated dependency sweeps and regular penetration testing.

6. Contact Information

If you have questions regarding this Privacy Policy, your rights under GDPR, or CCPA compliance, please contact our Data Protection Officer at: privacy@cursive-email.com.