Skip to main content

Privacy Policy

How we protect and handle your data

Last updated: November 30, 2025

DRAFT - Pending Legal Review

At HQWebs, we take your privacy seriously. Elira, our AI shopping assistant, is built with a Zero-PII (Personal Identifiable Information) Architecture - meaning our servers never receive, process, or store your real personal information.

What We Collect

Personal Information (Stored in Your Browser Only)

  • • Your name, email, and contact details
  • • Shopping preferences (skin type, product interests)
  • • Masking map (how your data is anonymized)

This information NEVER leaves your browser. We cannot see or access this data.

Anonymous Information (Stored on Our Servers)

  • • An anonymous user ID (e.g., "user_abc123") - NOT linked to your real identity
  • • Chat conversation history with masked personal information
  • • Non-identifying preferences (skin type, product interests)
  • • Conversation metadata (timestamp, locale)

How Our Zero-PII Architecture Works

Before any message leaves your browser, we automatically mask your personal information:

You Type"Hi, I'm Sarah Johnson (sarah@email.com)"
We Receive"Hi, I'm {{FIRST_NAME_0}} {{LAST_NAME_0}} ({{EMAIL_0}})"
AI Sees"Hi, I'm {{FIRST_NAME_0}} {{LAST_NAME_0}} ({{EMAIL_0}})"
You See"Hi Sarah! How can I help you today?"

Result: Our servers and the AI never see your real name, email, or personal details.

Data Storage & Retention

Data TypeLocationRetention
Personal data (name, email)Your browser onlyUntil you clear cache
Masked conversationsEU servers (Supabase)365 days, then auto-deleted
OpenAI processingUS (with SCCs)30 days maximum
Anonymous user IDWordPress databaseUntil account deleted
CookiesYour browserJWT: 5 min, ID: 1 year

Our system automatically deletes conversations older than 365 days (daily at 2:00 AM UTC).

Your Rights (GDPR Articles 15-22)

Right to Access (Article 15)

Request a copy of your data by emailing us. For browser data, open DevTools (F12) → Application → Local Storage.

Right to Rectification (Article 16)

Update your information in widget settings → "Edit Personal Information". Changes take effect immediately.

Right to Erasure (Article 17)

Request deletion by clicking "Request Deletion" in widget settings or emailing us. Completed within 30 days.

Right to Data Portability (Article 20)

Export your data via "Export Data" button in widget settings. Format: JSON (machine-readable).

Right to Restriction (Article 18)

Email us with subject "Restrict Processing". Chat will be disabled but data preserved.

Right to Object (Article 21)

Click "Revoke Consent" in widget settings. AI processing stops immediately.

Response Time: We respond to all rights requests within 30 days (GDPR Article 12(3)).
No Cost: Exercising your rights is free.

Data Security

Technical Security

  • ✓ HTTPS/TLS 1.3 encryption in transit
  • ✓ AES-256 encryption at rest
  • ✓ JWT tokens (5-minute lifetime)
  • ✓ Rate limiting (10 req/min)
  • ✓ Zero-PII architecture

Organizational Security

  • ✓ OWASP Top 10 compliant
  • ✓ Annual security audits
  • ✓ Staff GDPR training
  • ✓ 24/7 monitoring
  • ✓ Incident response procedures

Third-Party AI Processing

We use OpenAI (US-based) for AI chat responses. Here's how we protect your data:

OpenAI Integration

  • Data Sent: ONLY masked messages (e.g., {{FIRST_NAME_0}}) - never your real personal information
  • Location: United States
  • Retention: 30 days maximum (auto-deleted)
  • Safeguards: Data Processing Agreement (DPA) + Standard Contractual Clauses (SCCs)

Learn more: OpenAI Privacy Policy

Age Restriction

You must be 16 years or older to use Elira (GDPR Article 8). An age verification gate is displayed before first use. Parental consent is available for ages 13-16 where permitted by EU member state law.

Data Controller & Processor

Data Controller

The merchant (store owner) who installed Elira on their website. They determine how your data is used and are responsible for GDPR compliance of their store.

Data Processor

HQWebs (operating Elira) - processes data on behalf of merchants under Data Processing Agreements. We only process masked/anonymous data.

Sub-Processor

OpenAI, LLC (US) - processes masked chat messages for AI responses. Protected by Standard Contractual Clauses.

Cookies

We use 2 strictly necessary cookies for chat functionality. We do NOT use tracking, advertising, or analytics cookies.

For full details, see our Cookie Policy.

Contact Us

Questions about privacy or exercising your rights?

HQWebs (operating Elira)
Email: hello@getelira.com

We aim to respond within 15 business days.

Supervisory Authority: If you're not satisfied with our response, you can lodge a complaint with your national Data Protection Authority (GDPR Article 77).

Changes to This Policy

We'll notify you of material changes via widget banner and 30 days' notice. Minor changes (clarifications, contact updates) will update the "Last Updated" date.

Related Policies

Privacy Policy - Data Protection & Security | Elira