01 / Who we are
This privacy policy applies to Ecom Recovery OS — a customer-support automation platform operated by Recovery OS Ltd, a private limited company registered in the Republic of Cyprus.
| Legal entity | Recovery OS Ltd |
| Registered office | Nicosia, Republic of Cyprus |
| Registrar of Companies (HE number) | [HE number] |
| VAT | [CY VAT ID] |
| Data Protection Officer | dpo@ecomrecovery.io |
| Privacy contact | privacy@ecomrecovery.io |
In this policy, "we", "us", "Recovery OS" and "the platform" all mean the same thing: Recovery OS Ltd and its services.
We process personal data in accordance with:
- Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR);
- The Processing of Personal Data (Protection of Natural Persons) Law of 2018 — Law 125(I)/2018 of the Republic of Cyprus;
- Directive 2002/58/EC as transposed into Cypriot law by the Regulation of Electronic Communications and Postal Services Law (Law 112(I)/2004);
- All binding guidance issued by the Cypriot Commissioner for Personal Data Protection and the European Data Protection Board (EDPB).
02 / Scope & our two roles
Recovery OS processes personal data in two different capacities. This is important because your rights and our obligations differ in each case.
As a controller — for our customers (merchants)
When a merchant (e.g. a Shopify store owner) signs up, we decide how their account and billing data is processed. For that data, we are the controller under Article 4(7) GDPR and section 2 of Law 125(I)/2018. This Privacy Policy governs that relationship.
As a processor — for merchants' end customers
When a merchant's customer emails their support inbox, Recovery OS processes that message on behalf of the merchant. The merchant is the controller; we are the processor under Article 28 GDPR.
That relationship is governed by our Data Processing Agreement (DPA), which is automatically incorporated into every merchant's Terms of Service. End customers should contact the merchant directly to exercise their rights — though we will always facilitate that process.
If you're a store owner using Recovery OS: this document is about you.
If you emailed a store and your message ended up in Recovery OS: this document explains how, but your rights are exercised through the store.
03 / What data we collect
A. Data you give us directly (merchants)
- Account: full name, work email, hashed password (bcrypt), company name, optional phone, preferred language.
- Billing: billing address, VAT ID, invoice history. Card numbers are tokenised by Stripe — we never see or store them.
- Configuration: Shopify webhook URL, email-forwarding setup, tone-of-voice settings, escalation rules, Slack channel bindings.
- Communications: support tickets you open with us, feedback forms, replies to onboarding emails.
B. Data from your Shopify store (as processor)
- Order identifiers, values, line-item SKUs, fulfillment status, tracking numbers.
- Customer name and email address as delivered by the Shopify webhook.
- Shipping addresses only where strictly necessary to resolve delivery queries.
C. Data from inbound support messages (as processor)
- The email address and display name of the sender.
- The full message body and any attachments you choose to keep.
- Metadata: timestamps, subject line, thread ID, message ID, provider (SendGrid/Mailgun/Postmark).
D. Data generated by the platform
- Classification outputs (type, sentiment, escalation score).
- AI-drafted replies, whether sent or discarded.
- Immutable audit log entries: action, actor, timestamp, before/after JSON.
E. Technical data (everyone)
- IP address (truncated after 30 days), user agent, device type, approximate region.
- Pages visited, clicks, timestamps, request IDs.
- Error telemetry (stack traces, with PII redacted on capture).
No canvas fingerprinting. No behavioural ad-tracking. No location beyond region-level. No inferred demographics. No "special category" data (health, politics, religion) — and we scrub it on sight if a customer volunteers it in a message.
04 / Why we process it
Under GDPR Article 6, we need a legal basis for every processing activity. Here they are, in plain table form:
| Purpose | Data used | Legal basis (Art. 6) |
|---|---|---|
| Create and secure your account | Account data, email, hashed password | Contract (6.1.b) |
| Deliver the service (classifying messages, drafting replies, routing escalations) | Messages, order data, config | Contract (6.1.b) |
| Billing and invoicing | Billing address, VAT, usage | Contract + Legal obligation under Cypriot tax law (6.1.b, 6.1.c) |
| Security, fraud prevention, abuse detection | Technical data, IP, request logs | Legitimate interest (6.1.f) |
| Service improvements (aggregated, de-identified analytics only) | Usage metrics | Legitimate interest (6.1.f) |
| Product announcements | Work email, company name | Legitimate interest, opt-out anytime (6.1.f) |
| Marketing email to non-customers | Work email, company name | Consent (6.1.a) |
| Legal compliance and disputes | Any relevant records | Legal obligation (6.1.c) |
When we rely on legitimate interest, we've run a Legitimate Interests Assessment (LIA) balancing our interest against your rights. You can request a copy of any LIA by emailing privacy@ecomrecovery.io.
05 / AI & automated processing
Recovery OS uses Claude (Anthropic's large language model) to classify messages and draft replies. Because AI processing deserves extra transparency, here's what actually happens:
What gets sent to Anthropic
- The customer's message body.
- Relevant order context: order ID, order value, fulfillment status, tracking number.
- Your configured tone-of-voice and a short system prompt.
What does not get sent
- Your account credentials, API keys, or billing information.
- Customer PII beyond what the merchant has chosen to include in their webhook (e.g. we don't upload your entire customer database).
- Historical messages from other conversations or customers.
Retention at the AI provider
We use Anthropic's zero-data-retention inference endpoint. Anthropic does not retain inputs or outputs, and does not use your data to train models. Our contract with Anthropic prohibits both.
Automated decision-making (Article 22 GDPR · section 29 of Law 125(I)/2018)
Recovery OS performs automated classification and drafting. However, it does not make decisions with legal or similarly significant effects on individuals:
- Replies are drafted, not auto-sent by default. Merchants must enable auto-reply explicitly.
- Even with auto-reply on, tickets flagged as angry, high-value, or from repeat contacts are routed to a human.
- The platform never denies service, refuses refunds, or makes financial decisions autonomously.
If you believe an automated decision affected you: you have the right to request human review, express your point of view, and contest the decision. Contact your merchant first, then us.
If Anthropic is unavailable, Recovery OS falls back to template-based replies — it never escalates or auto-resolves silently. You'll always see what happened in the audit log.
06 / Subprocessors
We use the following subprocessors to deliver the service. All of them are bound by data-processing contracts that meet Article 28 requirements.
| Vendor | Purpose | Location | Safeguards |
|---|---|---|---|
| Anthropic | AI classification & reply drafting | US | SCCs (EU 2021/914), DPA, zero-retention endpoint, no model training |
| AWS (eu-central-1) | Primary hosting and database | EU · Frankfurt | AWS Data Processing Addendum, EU-region only |
| Supabase | Managed Postgres & auth | EU · Frankfurt | DPA, EU region, row-level security |
| Stripe | Payments & billing | US / IE | SCCs, PCI-DSS Level 1, tokenised cards |
| SendGrid (Twilio) | Transactional email (outbound replies) | US | SCCs, Twilio DPA |
| Mailgun (optional) | Email ingestion (merchant-enabled) | US | SCCs |
| Postmark (optional) | Email ingestion (merchant-enabled) | US | SCCs |
| Slack (optional) | Escalation notifications | US | SCCs, Slack DPA, metadata-only delivery |
| Cloudflare | CDN, DDoS protection, DNS | Global edge | SCCs, enterprise DPA |
| Sentry (EU-hosted) | Error tracking | EU | DPA, EU region, PII scrubber enabled |
| Plausible Analytics | Cookieless website analytics | EU · Frankfurt | DPA, no cookies, no cross-site tracking |
We publish a live subprocessor list and email merchants at least 30 days before adding or changing a subprocessor, giving you time to object or terminate.
07 / International transfers
As a company established in the Republic of Cyprus — an EU Member State — we host primary data within the EU. Where transfers outside the European Economic Area (EEA) are necessary (for example, Anthropic's US infrastructure), we rely on:
- The European Commission's Standard Contractual Clauses (Implementing Decision 2021/914), module 2 or 3 as applicable.
- Supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256), pseudonymisation where possible, and contractual prohibitions on government-access requests beyond what is legally compelled.
- A documented Transfer Impact Assessment for each non-adequate-country transfer, prepared in line with EDPB Recommendations 01/2020 — available on request.
Transfers to countries with adequacy decisions recognised by the European Commission (e.g. the United Kingdom, Switzerland) rely on those decisions. No onward transfer leaves our subprocessor chain without equivalent safeguards.
08 / How long we keep data
| Data type | Retention | Why |
|---|---|---|
| Active account & configuration | Lifetime of account | To deliver the service |
| Tickets, messages, AI drafts | Lifetime of account, or as merchant instructs | Merchant-controlled; exportable anytime |
| Immutable audit log | 365 days rolling | Accountability & debugging |
| Billing & invoice records | 6 years | Cypriot tax law — Assessment and Collection of Taxes Law, Cap. 4; and VAT Law 95(I)/2000 |
| Web server logs | 90 days | Security and abuse investigation |
| IP addresses in analytics | Truncated to /24 after 30 days | Data minimisation |
| Marketing email list | Until unsubscribe, then 30 days | Compliance with opt-outs |
| After account deletion | Production data deleted within 7 days; backups within 35 days | Right to erasure |
| Support tickets to our team | 2 years | Quality and training purposes |
We minimise wherever we can. If a shorter retention is legally required in your jurisdiction, we'll honour it.
09 / How we keep it safe
Security is not a section — it's a product requirement. We implement both organisational and technical measures that meet or exceed industry standards for SaaS platforms handling commercial data.
Technical measures
- In transit: TLS 1.3 everywhere; HSTS, OCSP stapling, modern cipher suites.
- At rest: AES-256 for database and object storage.
- Passwords: bcrypt with cost factor 12. No passwords ever logged, cached, or transmitted in plaintext.
- Tenancy: Postgres row-level security enforces tenant isolation at the database layer, not just the application layer.
- Secrets: hardware-backed key management (AWS KMS); automated rotation.
- Logging: every privileged action logged immutably; PII scrubbed from application logs on capture.
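The tenancy measure above (row-level security enforced by Postgres rather than only by application code) is the one most worth seeing in concrete form. The following is an added illustration, not Recovery OS's own schema or policy: the table name `tickets`, the `app_user` role, the `app.tenant_id` session setting and the UUIDs are all assumed for the example.

```sql
-- Added example (assumed names; not the platform's real schema).
-- One table holds rows for every tenant; a tenant_id column is the isolation key.
CREATE TABLE tickets (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid        NOT NULL,
    sender     text        NOT NULL,
    body       text        NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- The application connects as a role that does NOT own the table, so the
-- policy below applies to it (table owners bypass RLS unless FORCE is set).
CREATE ROLE app_user;                      -- login attributes omitted here
GRANT SELECT, INSERT, UPDATE, DELETE ON tickets TO app_user;
GRANT USAGE, SELECT ON SEQUENCE tickets_id_seq TO app_user;

ALTER TABLE tickets ENABLE ROW LEVEL SECURITY;
ALTER TABLE tickets FORCE  ROW LEVEL SECURITY;  -- also binds the owner

-- A session may only read or write rows whose tenant_id equals the tenant
-- pinned on the connection. current_setting(..., true) returns NULL when the
-- setting is absent; NULLIF guards against an empty string after a RESET.
-- NULL never compares equal, so an unpinned connection sees nothing at all.
CREATE POLICY tenant_isolation ON tickets
    FOR ALL
    TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, the application pins the authenticated tenant on the
-- connection before any query. SET LOCAL is scoped to the transaction, so a
-- pooled connection cannot leak the tenant into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO tickets (tenant_id, sender, body)
VALUES ('11111111-1111-1111-1111-111111111111', 'alice@example.com', 'Where is my order?');
-- Even with no WHERE clause, only this tenant's rows come back.
SELECT id, sender, created_at FROM tickets;
COMMIT;

-- A bug or injection that tries to write into another tenant is rejected by
-- the WITH CHECK clause with "new row violates row-level security policy".
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO tickets (tenant_id, sender, body)
VALUES ('22222222-2222-2222-2222-222222222222', 'bob@example.com', 'x');  -- ERROR
ROLLBACK;
```

Two details carry the security value. First, the policy is keyed on a per-transaction setting rather than on the database role, so one pooled connection serves every tenant without a forgotten `WHERE tenant_id = ...` exposing another merchant's tickets. Second, `FORCE ROW LEVEL SECURITY` closes the owner bypass, which is the usual way such a policy is silently ineffective in practice. From application code the setting is normally applied with `SELECT set_config('app.tenant_id', $1, true)` so the value is passed as a bound parameter.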
Organisational measures
- Principle of least privilege — engineers request access per incident; all access is audit-logged.
- MFA required for every employee; hardware keys for anyone who can reach production.
- Annual third-party penetration test. Bug bounty via security@ecomrecovery.io.
- SOC 2 Type II audit in progress (estimated Q3 2026).
- Incident response plan drilled quarterly.
10 / Your rights
Under the GDPR and equivalent laws (UK GDPR, Swiss FADP), you have the following rights. We honour them globally — not only for EU residents.
How to exercise them
- Email privacy@ecomrecovery.io — or, as a merchant, use Settings → Privacy → Data request.
- We'll verify your identity (to protect you, not to stall).
- We respond within one month, as required by Article 12(3) GDPR. Complex or numerous requests may extend by up to two further months; we'll tell you early if that's the case.
- There's no fee, unless a request is manifestly unfounded or excessive (Article 12(5) GDPR).
If you aren't satisfied with how we handle your request, you can lodge a complaint with the Cypriot supervisory authority:
| Supervisory authority | Office of the Commissioner for Personal Data Protection (Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) |
| Address | 1 Iasonos Street, 1082 Nicosia, Cyprus · P.O. Box 23378, 1682 Nicosia |
| Telephone | +357 22 818 456 |
| Email | commissioner@dataprotection.gov.cy |
| Website | www.dataprotection.gov.cy |
If you reside in another EU Member State, you may alternatively complain to your local data protection authority.
11 / Cookies & tracking
We keep cookies to a minimum and don't use any third-party advertising or cross-site tracking cookies.
| Cookie | Category | Purpose | Duration |
|---|---|---|---|
| ros_session | Strictly necessary | Keep you logged in | Session |
| ros_csrf | Strictly necessary | Prevent CSRF attacks | Session |
| ros_theme | Preference | Remember your light/dark theme | 12 months |
| ros_sidebar | Preference | Remember sidebar state | 12 months |
We use Plausible Analytics (EU-hosted, cookieless) for aggregate page statistics. No personal data is collected by the analytics script; there is nothing to consent to.
12 / Children
Recovery OS is a B2B service for merchants. We do not offer it to anyone under 16, and we don't knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact privacy@ecomrecovery.io and we'll delete it.
13 / Data breaches
If a personal-data breach occurs that's likely to result in a risk to rights and freedoms, we will:
- Notify the Cypriot Commissioner for Personal Data Protection within 72 hours of becoming aware, as required by Article 33 GDPR.
- Where the breach is likely to result in a high risk to data subjects, communicate it directly to them without undue delay (Article 34 GDPR).
- Notify affected merchants without undue delay, with concrete facts: what happened, what data was involved, what we've done, what you should do.
- If the breach involves end-customer data (our processor role), we notify the relevant merchant controller, who is then responsible for downstream notifications.
- Publish a post-incident report within 30 days of resolution on our status page.
14 / Changes to this policy
We update this policy when our practices change — for instance, adding a subprocessor, shipping a new feature, or responding to new legal guidance.
- Minor edits (typos, clarifications): reflected instantly, dated at the top of this page.
- Material changes (new categories of data, new purposes, new subprocessors): we email every active merchant at least 30 days in advance.
- Historical versions of this policy are kept — email privacy@ecomrecovery.io if you need a diff.
15 / Contact
Whatever is on your mind about how we handle data, whether a real question, a theoretical concern, an audit request, or a compliment, the fastest channel is email.
| General privacy questions | privacy@ecomrecovery.io |
| Data Protection Officer | dpo@ecomrecovery.io |
| Security vulnerabilities | security@ecomrecovery.io |
| Postal | Recovery OS Ltd [street address] 1082 Nicosia, Republic of Cyprus |
We read everything. We respond to everything. And if you'd rather just delete it all and walk away — that's fine too. Reply with "delete everything" and it's gone within seven days.
We don't do the things you're probably worried about
Recovery OS Ltd · Nicosia, Republic of Cyprus · privacy@ecomrecovery.io
Version 3.1 · Effective and last updated 17 April 2026.