Privacy
Policy

Wardova is a product of Cravid Labs LLC, a Wyoming limited liability company ("Wardova," "we," "us," or "our"). For privacy correspondence: Cravid Labs LLC, 30 N Gould St Ste R, Sheridan, WY 82801, United States. Email: privacy@cravidlabs.com.

This Privacy Policy explains how we collect, use, and protect your information when you install and use the Wardova Shopify app. By installing Wardova, you agree to the practices described in this policy. We are committed to transparency and to handling your data — and your shoppers' data — with the highest level of care.

We collect the minimum information needed to deliver AI-powered product recommendations. This includes:

• arrow_forwardStore domain and merchant email — collected during Shopify OAuth installation to identify your store and communicate with you.
• arrow_forwardProduct data — titles, descriptions, tags, categories, and pricing are read from your Shopify catalog to power AI style-cluster analysis.
• arrow_forwardAnonymous visitor IDs — randomly generated strings stored in localStorage on your shoppers' browsers. No PII is ever collected.
• arrow_forwardClick and impression events — anonymous behavioral signals used to personalize recommendations and populate your analytics dashboard.

Information collected is used exclusively to operate and improve the Wardova service:

• check_circleGenerate AI-powered product recommendations via Claude Opus catalog analysis and style-cluster computation.
• check_circleCompute and display analytics (impressions, CTR, A/B test results) in your merchant dashboard.
• check_circleServe the widget JavaScript on your storefront product pages via Shopify ScriptTag.
• check_circleSend Klaviyo recommendation events if you have configured the Klaviyo integration in your settings.
• check_circleMaintain your subscription and billing via Shopify's Billing API.

We never use your data or your shoppers' data for advertising, profiling, or any purpose outside of providing the Wardova service to your store.

All merchant and product data is stored on Gadget.dev infrastructure, which provides encrypted storage, automated backups, and SOC 2-compliant security practices. Recommendation caches are stored in Upstash Redis at the network edge with automatic TTL expiry (24 hours to 8 days depending on cache type). No raw payment data is ever accessed or stored by Wardova — all billing is handled directly through Shopify's Billing API.

All data in transit is encrypted via TLS 1.2+. We employ rate limiting, HMAC verification on webhooks, and input validation on all API endpoints to prevent unauthorized access.

To report a suspected security vulnerability or data breach, contact security@cravidlabs.com. We will acknowledge reports within 24 hours and provide a resolution timeline within 5 business days.

Wardova accesses your Shopify store via OAuth with the minimum required scopes: read_products and read_orders. We register a ScriptTag on your storefront to serve the recommendation widget, and we listen to product update, product delete, and orders/paid webhook events to keep our cache and analytics synchronized with your store in real time. Shopify webhooks are verified using HMAC signatures to prevent spoofed requests.

The Wardova widget stores the following data in your shoppers' browsers using localStorage:

• arrow_forwardwardova_vid — a randomly generated anonymous visitor ID used for personalization (expires after 30 days of inactivity).
• arrow_forwardwardova_ts — impression timestamps for rate-limiting duplicate event tracking.

No cross-site tracking cookies are used. No third-party advertising cookies are set. All localStorage keys are prefixed with wardova_ for easy identification.

Wardova uses the following trusted third-party services to operate:

• check_circleAnthropic (Claude AI) — your product catalog data is sent to Anthropic's API for style-cluster analysis. This analysis runs in background actions only and is never triggered at request time. Anthropic's privacy policy applies to this processing.
• check_circleUpstash Redis — recommendation caches, visitor behavior lists, and analytics counters are stored in Upstash's edge Redis service. All data is TTL-limited and automatically expires.
• check_circleKlaviyo (optional) — if you configure Klaviyo integration, top-3 recommended product IDs are sent as a Klaviyo event per visitor. Important: Klaviyo is a CRM — events sent to your Klaviyo account may be correlated to identified customer profiles within that account. As the data controller, you are responsible for ensuring your Klaviyo data practices comply with applicable privacy laws including GDPR. Your Klaviyo API key is stored encrypted in our database and is never included in Redis cache or client-side code.
• check_circleGadget.dev — our serverless backend platform. Application code, database, and file storage are hosted on Gadget.dev infrastructure.

All four sub-processors are US-based. GDPR data transfers to these processors are made under Standard Contractual Clauses (SCCs) per EU Commission Decision 2021/914. UK merchants: UK IDTAs apply.

Data is retained only as long as necessary to provide the service:

• arrow_forwardRedis recommendation caches: 24 hours (personalized) to 8 days (Opus pre-computed).
• arrow_forwardVisitor behavior lists: 30 days of inactivity, then automatically purged.
• arrow_forwardAnalytics counters: retained for a maximum of 24 months on a rolling basis, or until subscription cancellation, whichever comes first. Data older than 24 months is automatically purged.
• arrow_forwardDatabase records (product data, widget settings): retained while your subscription is active and permanently deleted within 30 days of app uninstallation.
• arrow_forwardMerchant email and store domain: retained for billing and support purposes for up to 90 days after subscription cancellation.

As a Wardova merchant, you have the following rights regarding your data:

• check_circleAccess: request a copy of all data we hold about your store.
• check_circleCorrection: request correction of any inaccurate data.
• check_circleDeletion: request deletion of your data at any time. Uninstalling the app initiates a 30-day deletion process.
• check_circlePortability: request an export of your analytics and settings data in JSON format.

To exercise any of these rights, email privacy@cravidlabs.com. We will respond within 45 days.

For EU merchants and their shoppers, Wardova processes data under the following specific legal bases as required by GDPR Article 6:

• arrow_forwardContract performance (Art. 6(1)(b)): billing, account management, and service delivery.
• arrow_forwardLegitimate interest (Art. 6(1)(f)): AI recommendation generation and analytics processing.
• arrow_forwardConsent (Art. 6(1)(a)): localStorage usage where required by the ePrivacy Directive.

We do not engage in automated decision-making that produces legal effects on any individual. EU merchants are entitled to a Data Processing Agreement (DPA) as required by GDPR Article 28. To receive your DPA, email legal@cravidlabs.com or visit wardova.com/gdpr-dpa. We will execute and return within 5 business days.

EU data subjects have the right to lodge a complaint with their national supervisory authority. A directory of EU supervisory authorities is available at: edpb.europa.eu.

Wardova does not sell or share personal information for cross-context behavioral advertising. No opt-out action is required.

California residents may exercise the following rights under the CCPA:

• check_circleRight to Know: request disclosure of the categories and specific pieces of personal information we have collected.
• check_circleRight to Delete: request deletion of personal information we have collected, subject to certain exceptions.
• check_circleRight to Correct: request correction of inaccurate personal information.
• check_circleRight to Non-Discrimination: we will not discriminate against you for exercising your CCPA rights.

Please direct shopper-level requests to the merchant whose store you visited, as Wardova processes data as a service provider on behalf of the merchant. Merchant requests may be submitted to privacy@cravidlabs.com. We will respond within 45 days, with an extension to 90 days where reasonably necessary.

Wardova is a B2B service directed exclusively to Shopify merchants. We do not knowingly collect personal information from children under 13 (COPPA) or under 16 (GDPR Article 8, subject to applicable member state law). If we become aware that we have inadvertently collected such information, we will delete it promptly. Merchants are responsible for ensuring appropriate age verification on their storefronts. If you believe a child has provided personal information, please contact us at privacy@cravidlabs.com.

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

In the event of a personal data breach, Wardova will notify affected merchants within 72 hours of becoming aware, as required by GDPR Article 33. Notification will include:

• arrow_forwardNature of the breach and data categories affected
• arrow_forwardEstimated number of data subjects and records involved
• arrow_forwardLikely consequences of the breach
• arrow_forwardMeasures taken or proposed to address the breach

To report a suspected security vulnerability, contact security@cravidlabs.com.

This Privacy Policy is governed by the laws of the State of Wyoming, USA. Nothing in this policy limits your rights under applicable data protection laws in your jurisdiction, including GDPR and CCPA.