Skip to content
Sumzy
FeaturesAboutPricingRoadmapFAQDocs
Start free trial
FeaturesAboutPricingRoadmapFAQDocs
Start free trial

14-day free trial · cancel anytime before it ends.

ContactPrivacyTerms
Legal

Privacy Policy

Choose your platform to read the policy that applies to your store.

Effective: 2026-06-05 · Last updated: 2026-07-13

This policy explains how Sumzy (the AI review-summary plugin for WooCommerce, operated from sumzy.io by Flamboyant Flamingos SRL) handles data. It is written to describe what Sumzy actually does, not generic boilerplate.

These terms apply to the WooCommerce version of Sumzy. Use the platform toggle at the top of this page to switch to the Shopify Privacy Policy, which covers the Shopify app instead. The Shopify app reads reviews from a review provider (Judge.me) and is billed through Shopify, so its data flow differs from the WooCommerce plugin described here. Read the version that matches your install.

This document also incorporates two sections that previously stood as separate pages and now live here as anchored sections: the Sub-processors disclosure (GDPR Art. 28(4)) and the Data Processing Agreement (the GDPR Art. 28 controller-to-processor contract). Both retain their full legal effect. Links to /dpa and /subprocessors resolve to those sections.

There are two distinct relationships to keep separate:

  1. Sumzy as a service to merchants (processor role). When a store installs Sumzy, the merchant is the data controller of its customers' reviews and Sumzy is a processor acting on the merchant's behalf. The legal terms of that relationship are in the Data Processing Agreement section below.
  2. Sumzy as a website/account operator (controller role). For the merchant's own account, marketing, and support data we collect directly at sumzy.io, Sumzy is the controller.

In this document:

  • 1. What review data leaves the store
  • 2. What we retain
  • 3. AI transparency
  • 4. Account and site data
  • 5. Sub-processors (summary)
  • 6. Billing and Merchant of Record
  • 7. International transfers
  • 8. Retention periods
  • 9. Data-subject rights
  • 10. Children's data and automated decisions
  • 11. Contact
  • Sub-processors (full disclosure)
  • Data Processing Agreement

1. What review data leaves the store, and what we do with it

In short. For each approved review, only the text, the star rating, and a coarse recency band leave your store. Never the reviewer's name, email, IP, or the exact date. The text goes to our backend and to Anthropic's Claude to make the summary, and is not used to train AI models. Sumzy keeps no raw review text.

This is the core of Sumzy, so we describe it precisely.

Sent from the store to Sumzy (over HTTPS, from a background job; never on a shopper page load):

  • For each approved review: its text, its star rating (1 to 5, when present), and a coarse recency band derived from the review date (recent, older, or historical). The exact review date is never sent, only this coarse band.
  • An opaque product reference (a numeric product id, not the product name or URL) so the summary maps to the right product.
  • The merchant's configured output language and summary tone for the request.
  • The plugin's license key (sent as a bearer token over TLS) and the site URL, for authentication and entitlement checks. The license key is stored only as a hash at rest (see §2); it travels in the request itself to authenticate the call.

Deliberately NOT sent: the reviewer's name, email, or IP address; the exact review date; the product title; the verified-purchase flag; or any WooCommerce customer, order, billing, or shipping identifier. The reviewer is never identified as a structured field; only the review's free text, its rating, and a coarse age band leave the store.

What happens to the review text:

  1. The Sumzy backend (hosted on Railway, United States) receives the review text.
  2. It is sent to Anthropic's Claude API (United States) to generate a structured summary. Under Anthropic's commercial API terms, this input is not used to train AI models.
  3. The summary is returned; Sumzy runs a PII scrub over the summary text, the aspect labels, and the per-aspect summaries.
  4. Sumzy stores no raw review text. In Sumzy's own systems the review text is held only for the duration of the request and the AI call, and the raw-input field is nulled the moment the job finishes. There is no database column that keeps it at rest.
  5. What Anthropic holds, and for how long. Anthropic (our AI sub-processor) processes the review text to produce the summary. How long Anthropic retains that input depends on the processing mode: on the standard, interactive path it is held only as long as Anthropic's commercial API requires; when a summary is produced through Anthropic's batch processing mode (which Sumzy may use for bulk generation), Anthropic retains the batch request and result for up to about 29 days before deleting it. In both modes the input is not used to train AI models, and the same Standard Contractual Clauses apply. So the retention picture is exact: Sumzy keeps no raw reviews; our sub-processor holds the input briefly, then deletes it.

2. What we retain (and what we do not)

In short. We keep the derived summary, a one-way hash of the review set (to detect changes), and your account/entitlement data (with the license key stored only as a hash). We do not keep raw reviews.

Sumzy does NOT retain raw review text in its own systems. (Separately, our AI sub-processor holds the input briefly to do the processing and then deletes it; see the retention note in §1 and §8.) What persists in the Sumzy backend is only:

  • The derived summary (result_json): the prose gist, the ranked product aspects (each with a short per-aspect summary and per-aspect mention counts), the overall sentiment, confidence, and the count of reviews analyzed (all subject to a PII scrub so reviewer personal data does not appear in shopper-visible strings).
  • A one-way SHA-256 hash of the review set (review_set_hash), used solely to detect when the underlying reviews have changed and a refresh is warranted. It is not reversible to the original review text.
  • Merchant account / entitlement data: email, Freemius user reference, subscription/usage state, hashed license key (SHA-256, never plaintext), site URL.
  • Operational metadata: AI token counts and cost per generation (no review content), and truncated, PII-stripped error logs.

The merchant's own WordPress database also keeps a local copy of the finished summaries so product pages render fast without calling our backend. That local copy is under the merchant's control.

Alongside that copy, the plugin keeps a small sentiment history in the merchant's own WordPress database: a short, bounded log of each summary's sentiment label and confidence over time (up to about 12 snapshots per product, kept for roughly 180 days, oldest dropped first). This history records only those two derived values and a timestamp; it contains no review text and no reviewer personal data. It stays on the merchant's site, is never sent to or stored by Sumzy, and is the merchant's own first-party data. It is removed if the merchant opts in to delete Sumzy data on uninstall.

3. AI transparency

In short. Every summary is clearly labeled AI-generated, for sighted and screen-reader shoppers alike. The summary reflects the reviews proportionally; a complaint that genuinely recurs is always surfaced.

Every summary Sumzy displays is disclosed as AI-generated: the widget shows an "AI" pill and includes a screen-reader phrase so assistive technology announces "AI-generated summary." This is a product requirement, not just a legal one. Shoppers should always know the summary was produced by AI from the store's reviews.

The summary is a faithful, proportional reflection of the reviews. A complaint that genuinely recurs across reviews is surfaced; Sumzy provides no "positive-only" mode, tier, or toggle that would hide or down-weight a real recurring negative.

4. Account, site, and support data (Sumzy as controller)

When a merchant signs up, uses the dashboard, or contacts support, we process: name/email, license and subscription state, site URL, support correspondence, and standard server/edge logs (via Cloudflare) such as IP and request metadata for security and abuse prevention. We use this to provide the service, authenticate accounts, prevent abuse, and communicate about the product.

4a. Website analytics (consent-based)

On the sumzy.io marketing site we use Google Analytics 4 and PostHog (EU Cloud) to understand aggregate site usage and improve the site. We treat this as a separate, consent-based activity from the essential processing described above.

  • What is collected: pseudonymous usage and event data (page paths, referrer, approximate device/browser type, a client identifier) together with a truncated, anonymized IP address (anonymize_ip is enabled for Google Analytics). We do not collect advertising identifiers, and we do not enable Google's advertising signals or cross-site tracking. No reviews and no merchant billing data are sent to analytics.
  • Lawful basis: your consent. Both tools run under the same consent gate: before you accept, Google Analytics operates in a cookieless mode that sets no analytics cookies and sends only aggregate modeled measurement (Google Consent Mode), and PostHog is not initialized at all, so it sets no cookie and captures nothing. Analytics cookies (_ga, _ga_*) and PostHog's cookie are set only after you choose "Accept all" in the cookie banner.
  • Roles: for analytics on sumzy.io, Sumzy is the controller and Google LLC and PostHog, Inc. are our processors. Google processes the data under the Standard Contractual Clauses (see §7); PostHog's processing runs on its EU Cloud instance.
  • Withdrawing consent / opting out: choose "Essential only" in the banner, or clear the site's storage in your browser to be re-prompted. Analytics never runs on the account dashboard or operator pages. See the Cookie Policy for the specific cookies and durations.

4b. Product-usage analytics from the plugin and Shopify app (legitimate interest)

In short. Separately from the sumzy.io cookie banner above, PostHog also receives a small set of pseudonymous, merchant-scoped product-usage events describing how a store adopts and uses Sumzy (install, trial start, first summary generated, onboarding progress, widget going live). These events are keyed to Sumzy's own internal account identifier, never a shopper identifier, and never contain review text.

Sumzy needs to know, in aggregate, whether merchants are able to install the plugin, complete onboarding, and see their first summary go live, so we can find and fix friction in that path. To measure this, the Sumzy backend sends a small, fixed set of lifecycle events to PostHog (EU Cloud):

  • Events the backend computes itself from Freemius or Shopify billing webhooks (merchant_installed, trial_started, trial_outcome, first_summary_generated).
  • A short list of events relayed server-side from the WooCommerce plugin (onboarding_step_completed, widget_live), and the equivalent events from the Shopify app, each carrying only a small allowlisted set of non-sensitive properties (a step name, a numeric progress fraction).

Every event is keyed to Sumzy's internal account/shop identifier as the distinct id, chosen so a merchant can never be identified as a person from it. The events carry no shopper data, no review text, no email, and no site URL. This processing never touches a shopper's browser and is separate from the sumzy.io cookie banner described in §4a.

Lawful basis: Sumzy's legitimate interest (GDPR Art. 6(1)(f)) in understanding and improving product onboarding and reliability across both platforms, balanced against the merchant's interests by minimizing the data to a pseudonymous identifier and a closed set of non-PII properties, and by never including shopper or review data. A merchant who objects can contact hello@sumzy.io.

5. Sub-processors

In short. Anthropic (AI), Railway (hosting and primary database), Cloudflare (edge CDN/WAF and Cloudflare R2 for encrypted off-site database backups), Sentry (errors), Google and PostHog (consent-based analytics on sumzy.io; PostHog also receives pseudonymous, merchant-scoped product-usage events relayed server-side from the plugin and Shopify app, see §4b), Freemius (billing/MoR), and Mango Mail (transactional email). Database-derived data has a second at-rest location: a daily encrypted snapshot in Cloudflare R2 for disaster recovery (last 3 retained; raw review text excluded). The full disclosure is in the Sub-processors section, and we give advance notice before adding or replacing one.

Sumzy relies on the sub-processors listed in the Sub-processors section below:

  • Anthropic (US): AI summarization. Processes the review text to generate the summary, then deletes it (request-duration on the interactive path, up to about 29 days for batch processing), and does not train on it.
  • Railway (US): hosting and database (stores derived summaries and hash; no raw reviews).
  • Cloudflare (US/global edge): CDN, security/WAF, and operator-console access control. Cloudflare R2 is used for encrypted off-site database backups (daily snapshot, last 3 retained, raw review text excluded).
  • Sentry (US): error tracking, with PII scrubbing enabled.
  • Google (US): Google Analytics for sumzy.io site usage measurement, set only after you consent (see §4a).
  • PostHog (EU): product analytics. On sumzy.io, consent-based visitor analytics alongside Google Analytics, under the same consent gate (see §4a). Separately, receives pseudonymous, merchant-scoped product-usage and onboarding-funnel events relayed server-side from the plugin and the Shopify app, or computed by the backend from billing webhooks, under Sumzy's legitimate interest (see §4b). Never a shopper identifier, an email, or review text.
  • Freemius (US): Merchant of Record for billing/tax (see §6).
  • Mango Mail (US): transactional email delivery (admin auth codes; no review data). Transfers to Mango are limited to transactional email data; see §7 and the sub-processors table for the applicable transfer basis.

We commit to advance notice before adding or replacing a sub-processor.

6. Billing data and Merchant of Record

In short. On WooCommerce, Freemius is the Merchant of Record. Freemius collects and controls your billing data and handles VAT/sales tax. Sumzy never sees full payment-card data.

Sumzy subscriptions are sold by Freemius as Merchant of Record. Freemius collects and controls the buyer's billing data (name, billing address, tax IDs, payment details) to process the sale and handle global VAT/sales tax. Sumzy never sees full payment-card data. Freemius's own privacy terms govern that billing data; Sumzy receives only the account/license information needed to run entitlements.

7. International transfers

In short. Our sub-processors are in the United States. EEA/UK/Swiss transfers rely on the Standard Contractual Clauses. Because we keep only derived, PII-scrubbed summaries, the data actually transferred is minimal. The data exporter is Flamboyant Flamingos SRL (Romania).

Our sub-processors process data in the United States. For data subjects in the EEA, UK, or Switzerland, transfers rely on the Standard Contractual Clauses (plus the UK Addendum / Swiss adaptations) incorporated into each sub-processor's terms. Because Sumzy discards raw reviews and stores only derived, PII-scrubbed summaries, the personal-data actually transferred is minimal.

The data exporter (and controller of the data described in §4) is Flamboyant Flamingos SRL, a company incorporated in Romania, registration number CUI 38631092 (Romanian cod unic de înregistrare), whose registered address is on file with the Romanian Trade Register (Registrul Comerțului) under CUI 38631092 and is available on request. Our competent supervisory authority is the Romanian ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal); you have the right to lodge a complaint with it, or with the supervisory authority of your own EEA country of residence. The completed SCC annex identifying the exporter and importers is set out in the Data Processing Agreement section §7 and is available on request.

8. Retention periods

In short. No raw reviews are kept. Derived summaries and the hash are kept while you subscribe, and up to 12 months after cancellation so you can reactivate; you can ask us to delete sooner at any time.

  • Raw review text: not retained by Sumzy. Our AI sub-processor (Anthropic) holds the input only to process it, then deletes it (for the duration of the request on the interactive path, or up to about 29 days when batch processing is used); in neither case is it used to train models.
  • Derived summaries + review-set hash: kept while the merchant's subscription is active and the product is summarized. If the subscription is cancelled, we retain this backend-derived summary and aggregate data for up to 12 months after cancellation, so that a merchant who comes back can reactivate quickly without regenerating everything; after that period it is permanently deleted. A merchant may ask us to delete it sooner at any time (the right to erasure, see §9), and we will. We never retain raw review text in either case; only the derived summaries and the one-way hash. The local copy of the summaries stored in the merchant's own WordPress site is governed by the plugin's uninstall behavior (preserved unless the merchant opts in to delete it on uninstall), not by this 12-month clock.
  • Account/entitlement data: kept for the life of the account plus any period required by law.
  • Billing/tax records: retained by Freemius per its legal obligations as MoR.
  • Error logs: retained only as long as needed to diagnose and fix failures, on Sentry's short default retention window, and PII-scrubbed before they are stored.

9. Data-subject rights (GDPR and similar)

In short. You have the usual GDPR rights (access, rectification, erasure, and so on). For a request about a specific review, the merchant is the controller and should handle it; Sumzy assists. There is no raw review text to erase, and deleting a review auto-refreshes the summary.

Data subjects (a store's customers, or merchants) have rights of access, rectification, erasure, restriction, portability, and objection. Because Sumzy is usually a processor of review data, a customer's request about their review should generally go to the merchant (the controller); Sumzy will assist the merchant in responding.

How an erasure request is handled: the specific Sumzy position

  • There is no raw review text to erase. Sumzy does not store raw reviews, so there is no at-rest copy of a reviewer's original words to delete.
  • The retained review_set_hash is a one-way SHA-256 hash of the whole review set. It is a fingerprint of all the sampled reviews for a product taken together, not of any one review or reviewer, and it is not reversible to any individual's review or identity. Sumzy's position is that this hash does not, by itself, constitute personal data, because it cannot be used to single out, contact, or re-identify a data subject: it changes wholesale whenever the review set changes, and it carries no per-person value an attacker could test against. We recognize that a stricter reading can treat a hash derived from personal data as "pseudonymized" data; our posture is safe under either reading, because (a) we hold no raw reviews to begin with, and (b) we will delete the hash on request along with the cached summary (see the last bullet of this section). So whether or not a regulator classifies the hash as personal data, the practical outcome for a data subject is the same.
  • The derived summary is aggregate and PII-scrubbed. It describes recurring themes across many reviews and is scrubbed of names, emails, phone numbers, and order numbers, so it generally does not contain an identifiable individual's personal data.
  • Deleting the source review auto-refreshes the summary. When a merchant deletes or hides a customer's review in WooCommerce, the review set changes; its hash changes; Sumzy regenerates the summary from the remaining reviews on the next scheduled refresh. The erased review therefore stops contributing to the summary without any separate deletion step inside Sumzy.
  • If a merchant nonetheless needs the cached summary and hash for a product purged, Sumzy will delete them on request.

10. Children's data, automated decisions

Sumzy is a B2B product for store operators and does not knowingly process children's data. Sumzy's AI summary is an informational display; it does not make automated decisions that produce legal or similarly significant effects on individuals under GDPR Art. 22.

11. Contact

Privacy questions / data-subject requests: hello@sumzy.io. For requests about review content on a specific store, contact that store (the controller); we will support them.


In short. The full, current list of third parties that help run Sumzy, what each one processes, where, and on what transfer basis. We give merchants at least 30 days' notice before adding or replacing any of them.

This section lists the third-party companies ("sub-processors") that Sumzy engages to help deliver the Sumzy WooCommerce plugin and backend service. We publish it because, when a merchant uses Sumzy, that merchant is the data controller and Sumzy acts as a data processor on their behalf (GDPR Art. 28). The Data Processing Agreement section requires us to disclose the sub-processors we use and to notify merchants before we add or replace one. This section previously stood as a standalone page dated 2026-06-05; it is reproduced here without change of substance.

What Sumzy actually processes (context for this list)

Sumzy's purpose is to turn a store's existing customer reviews into a short AI-generated summary shown on product pages. The data that leaves the merchant's store is deliberately minimal:

  • Review content. For each approved review the plugin sends its text, its star rating (1 to 5, when present), and a coarse recency band (recent/older/historical) derived from the review date; never the exact date. It does not send the reviewer's name, email, IP, the exact date, the product title, the verified-purchase flag, or any WooCommerce customer/order/billing/shipping identifier.
  • A product reference (an opaque numeric product id) so the summary can be matched to the right product, plus the merchant's chosen output language and summary tone.
  • The license key + site URL for authentication and entitlement checks. The license key is sent in the request as a bearer token over TLS and is stored only as a hash at rest.

The review text is sent to our backend and passed to the AI model to generate a summary. Sumzy does not retain raw review text; only the derived summary (result_json) and a one-way SHA-256 hash of the review set (review_set_hash, used to detect when a refresh is needed) are stored. The AI sub-processor (Anthropic) holds the input only to process it and then deletes it (request-duration on the interactive path, up to about 29 days for batch processing) and does not train on it. See sections §1, §2, and §8 above for the full retention story.

Sub-processor list

Sub-processorRole / purposeData category processedProcessing regionTransfer mechanism
Anthropic, PBCAI summarization: generates the review summary from the submitted review text via the Claude API.Review text, each review's star rating and coarse recency band (recent/older/historical; never the exact date), plus the request's product id, output language, and tone (no reviewer name/email/IP, no exact date, no product title, no order/customer data). Not retained by Sumzy at rest. Anthropic retains the input only to process the request (request-duration synchronously, or up to ~29 days when the Message Batches API is used) then deletes it.United StatesSCCs (EU-to-US) + UK Addendum, via Anthropic's commercial terms / DPA. API inputs are not used to train Anthropic models under their commercial terms.
Freemius, Inc.Merchant of Record: sells the Sumzy subscription, handles checkout, billing, invoicing, VAT/sales-tax, license issuance, and plugin update delivery. As MoR, Freemius is the seller and the controller of the buyer's billing data.Merchant (buyer) billing and account PII: name, email, billing address, tax identifiers, payment-method metadata (card data handled by Freemius's PCI-compliant gateways, not by Sumzy).United States (Freemius is US-based; payment gateways may process globally)SCCs / Freemius's own processor + MoR terms. Note Freemius's dual role below.
Railway Corp.Hosting and database: runs the Sumzy backend and the PostgreSQL database that stores summaries, the review-set hash, hashed license keys, entitlement/usage state, and cost-accounting metadata.Derived summary (result_json), review_set_hash (one-way), hashed license keys, site URL, merchant account/entitlement records. No raw review text at rest.United StatesSCCs (EU-to-US) via Railway's DPA.
Cloudflare, Inc.CDN / edge network + access control: fronts Sumzy's API and account site (TLS termination, DDoS/WAF protection) and provides Cloudflare Access authentication for the internal operator console.Network metadata (IP addresses, request headers, TLS data) transiting the edge; access-control identities for Sumzy staff. Review/summary content transits encrypted.Global edge network; company US-basedSCCs (EU-to-US) + Cloudflare's DPA; Cloudflare's edge keeps EU traffic regionalizable where configured.
Sentry (Functional Software, Inc.)Application error tracking: captures backend exceptions and stack traces so we can diagnose and fix failures.Error/diagnostic data: stack traces, request metadata, error messages. Configured to scrub PII; Sumzy does not intentionally send review text to Sentry, and backend error messages are truncated and stripped of secrets/PII before logging (see backend lastError handling).United StatesSCCs (EU-to-US) via Sentry's DPA; PII scrubbing / data-scrubbing rules enabled.
Google LLC (Google Analytics)Website usage analytics on the sumzy.io marketing site only: measures aggregate visitor behavior (pages viewed, traffic sources) so we can improve the site. Loaded under Google Consent Mode and active only after a visitor accepts analytics; advertising signals are disabled.Pseudonymous usage and event data (page paths, referrer, device/browser type, a client identifier) plus a truncated/anonymized IP address (anonymize_ip enabled). No reviews, no merchant account or billing data, and no advertising/cross-site tracking data.United StatesSCCs (EU-to-US) + UK Addendum, via the Google Ads Data Processing Terms / Google's DPA.
PostHog, Inc. (EU Cloud)Product analytics, two separate purposes on the SAME instance: (1) consent-based visitor analytics on the sumzy.io marketing site, loaded under the same consent gate as Google Analytics and active only after a visitor accepts analytics; and (2) pseudonymous, merchant-scoped product-usage and onboarding-funnel telemetry, computed by the backend from Freemius/Shopify billing webhooks or relayed server-side from the WooCommerce plugin and the Shopify app (install, trial start/outcome, first summary generated, onboarding step, widget live).Purpose (1): pseudonymous usage/event data (page paths, event names, a client identifier); no advertising or cross-site tracking data. Purpose (2): non-PII lifecycle and progress properties (a step name, a numeric progress fraction) keyed to Sumzy's internal account/shop identifier, never a shopper identifier, email, site URL, or review text.European Union (PostHog EU Cloud)Purpose (1) is consent-based (see §4a). Purpose (2) relies on Sumzy's legitimate interest (GDPR Art. 6(1)(f), see §4b). Both are processed within the EU under PostHog's DPA; the UK Addendum applies for UK data subjects where relevant.
Mango MailTransactional email delivery: sends admin authentication codes and password-reset links. Marketing broadcasts are not sent through Mango; only low-volume system emails.Recipient email address; message content of system emails (no review text, no billing data).United States (Mango Mail LLC, St. Petersburg, FL 33702, USA; smtp.mymangomail.com)Transfers to Mango are limited to transactional email delivery data (recipient email address and system email content). Sumzy relies on the GDPR Art. 49(1)(b) derogation (transfer necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject's request) for these occasional, necessary transfers pending the execution of Standard Contractual Clauses with the provider. All data in transit is protected by TLS.
Cloudflare R2 (Cloudflare, Inc.)Encrypted off-site database backup storage: holds a daily encrypted snapshot of the Sumzy production database (last 3 retained) for disaster recovery.Full database snapshot at rest: derived summaries (result_json), one-way review-set hashes, hashed license keys, merchant account and entitlement records. Raw review text (the transient raw_input field) is excluded from the backup, so no raw review text is stored at rest.Cloudflare object storage (bucket region per configuration).SCCs (EU to US) plus Cloudflare's DPA.

A note on Freemius's dual role

Freemius acts as Merchant of Record, meaning for the purchase transaction Freemius is the seller of record and an independent controller of the buyer's billing data (it determines how that billing/tax data is handled to meet its own legal obligations). For the limited account/license data Freemius passes back to Sumzy, Sumzy is the controller. This is different from Anthropic/Railway/Cloudflare/Sentry/Google, which act as Sumzy's processors/sub-processors. Accordingly, we list Freemius here as a sub-processor for disclosure and transparency, while treating it as an independent controller / Merchant of Record for the sale itself.

Change notification (GDPR Art. 28(2))

Sumzy commits to giving merchants advance notice of any intended change to this list (adding a new sub-processor or replacing an existing one) so that a merchant has the opportunity to object. We will:

  1. Update this section and revise the "Last updated" date.
  2. Notify subscribed merchants (by email and/or in the account dashboard) at least 30 days before a new or replacement sub-processor begins processing personal data on our behalf.
  3. If a merchant has a reasonable, documented data-protection objection to a new sub-processor that we cannot resolve, the merchant may terminate the affected service per the DPA.

To receive change notifications, ensure your account email at sumzy.io is current. Questions: hello@sumzy.io.


In short. This is the GDPR Article 28 contract between you (the controller of your customers' reviews) and Sumzy (the processor). It is click-accepted with the Terms of Service; no signature is needed. It governs both the WooCommerce plugin and the Shopify app.

This section is Sumzy's Data Processing Agreement (DPA). It constitutes Sumzy's GDPR Article 28 processing terms and applies to every customer who installs and activates the Sumzy plugin; no separate document or signature is required for it to take effect. It previously stood as a standalone page and is reproduced here without change of substance. Throughout this Data Processing Agreement section, references to a section number ("§4", "§7", "§10", and so on) refer to the numbered clauses within this DPA section, not to the numbered sections of the Privacy Policy above.

Effective: on the merchant's acceptance of the Sumzy Terms of Service (of which this DPA forms part) and activation of the Sumzy plugin. This DPA section previously carried its own "Last updated" date of 2026-06-05.

0. How this DPA is accepted

This DPA is a click-accept agreement. By installing and activating the Sumzy plugin and accepting the Sumzy Terms of Service, the merchant ("Controller") and Flamboyant Flamingos SRL, operator of Sumzy ("Sumzy", the "Processor"), enter into this DPA. No signature is required; acceptance is recorded against the merchant's account/license. Where a merchant requires a counter-signed DPA, contact hello@sumzy.io.

1. Roles and subject matter

  • The merchant is the Controller of the personal data contained in the customer reviews on its WooCommerce store. The merchant determines the purposes and means of processing those reviews.
  • Sumzy is the Processor. Sumzy processes review text only to generate AI summaries of those reviews for display on the merchant's product pages, and to operate the service (authentication, entitlement, refresh scheduling).
  • This DPA applies to Sumzy's processing of personal data on the merchant's behalf. It does not cover the separate purchase transaction, for which Freemius acts as Merchant of Record and as an independent controller of the buyer's billing data (see §10 and the Sub-processors section).

2. Scope and nature of processing (Art. 28(3))

ItemDetail
Subject matterGeneration of AI summaries from customer review text.
DurationFor the term of the merchant's Sumzy subscription, plus the limited retention in §8.
Nature & purposeFor each product summarized, the plugin transmits to the Sumzy backend: each approved review's text, its star rating (1 to 5, when present), and a coarse recency band (recent/older/historical) derived from the review date (the exact date is not sent); an opaque product reference (numeric id); the merchant's output language and summary tone; and, in the request itself, the plugin's license key (bearer token over TLS) and site URL for authentication. The backend submits the review text to the AI model (Anthropic Claude); the model returns a structured summary; Sumzy then discards the raw review text (never stored at rest); only the derived summary and a one-way hash are retained by Sumzy. The AI sub-processor (Anthropic) retains the submitted input only to perform the processing (duration-of-request synchronously, or up to ~29 days when the Message Batches API is used) then deletes it, and does not use it for training.
Type of personal dataFree-text customer review content, which may incidentally contain personal data the reviewer chose to write (e.g. a name in the body of a review). The plugin does not transmit reviewer names, emails, IP addresses, the exact review date, the product title, the verified-purchase flag, or any WooCommerce customer/order/billing/shipping identifiers as structured fields.
Categories of data subjectsThe merchant's customers who left reviews.
Data NOT processed by Sumzy as processorReviewer account fields (name/email/IP), order data, payment data. Buyer billing data is handled by Freemius (see §10).

Sumzy applies data minimization at source: only review text, each review's star rating and coarse recency band, and the references needed to route and gate the request (product id, language, tone, license, site URL) leave the store; no reviewer identity or order data leaves. Sumzy further applies a PII scrub to the model output before storage (see §4) and instructs the model not to echo personal data into the summary.

3. Controller instructions (Art. 28(3)(a))

Sumzy processes personal data only on the Controller's documented instructions, which are: (a) this DPA and the Terms of Service; (b) the merchant's configuration in the plugin (which products are summarized, output language, minimum-review thresholds, auto-publish vs. approval); and (c) any subsequent written instruction the parties agree to. Sumzy will inform the Controller if, in its opinion, an instruction infringes data-protection law. Sumzy will not process the data for its own purposes; in particular, review text is not used to train AI models (Anthropic's commercial API terms exclude API inputs from model training), and Sumzy does not sell or share review data.

4. Security measures (Art. 32)

Taking into account the state of the art and the risks, Sumzy implements appropriate technical and organizational measures, including:

  • No raw input at rest. Within Sumzy's own systems, raw review text exists only in the request payload and in worker memory for the duration of the AI call; the worker nulls the raw-input field on job completion (success or terminal failure). There is no raw-review column that persists review text at rest in Sumzy's database. (The AI sub-processor, Anthropic, separately holds the input only to process it and then deletes it (request-duration on the interactive path, or up to about 29 days for batch processing) and does not train on it; see the Sub-processors section.)
  • Derived-output PII scrub. Before persisting a summary, Sumzy runs a code-side scrub over the summary text and every theme label (emails, phone numbers, order/transaction numbers, long digit runs) as defense-in-depth, in addition to the prompt-level instruction not to echo personal data. PII detected in the model output is redacted in place, meaning the offending span is removed from the text before anything is stored, so raw PII is never persisted.
  • Hashing of secrets. License keys are stored only as SHA-256 hashes, never in plaintext. The review-set fingerprint is a one-way SHA-256 hash that is not reversible to the source text.
  • Encryption in transit. All plugin↔backend and backend↔sub-processor traffic is over TLS (Cloudflare edge termination).
  • Access control. The internal operator console sits behind Cloudflare Access; production database and hosting access (Railway) is restricted to authorized personnel.
  • Error-log hygiene. Backend error messages are truncated and stripped of secrets and PII before logging; Sentry is configured with PII scrubbing.
  • No PII in API responses. License keys, provider secrets, and raw review PII are never returned in any API response.

5. Confidentiality (Art. 28(3)(b))

Sumzy ensures that persons authorized to process the personal data are bound by confidentiality obligations (employment terms or equivalent) and process the data only as instructed.

6. Sub-processors (Art. 28(2), 28(4))

The Controller provides general authorization for Sumzy to engage the sub-processors listed in the Sub-processors section, currently:

Sub-processorFunctionRegion
Anthropic, PBCAI summarization (Claude): processes review text, then deletes it (request-duration interactive, up to ~29 days batch); not used to train modelsUS
Railway Corp.Hosting + PostgreSQL (stores derived summary + hash; no raw reviews)US
Cloudflare, Inc.CDN / edge / WAF + operator-console access controlGlobal edge / US
SentryApplication error tracking (PII-scrubbed)US
Freemius, Inc.Merchant of Record: billing/tax (also independent controller, see §10)US
Mango MailTransactional email delivery (admin auth codes; no review data)United States; Art. 49(1)(b) derogation (contract necessity) pending SCCs
Cloudflare R2 (Cloudflare, Inc.)Encrypted off-site database backup storage: daily encrypted snapshot (last 3 retained) for disaster recovery. Raw review text excluded.Cloudflare object storage (bucket region per configuration); SCCs (EU to US) plus Cloudflare's DPA.

Sumzy will:

  • impose data-protection obligations on each sub-processor that are no less protective than this DPA ("flow-down");
  • remain liable to the Controller for a sub-processor's failure to meet those obligations;
  • give the Controller at least 30 days' advance notice before adding or replacing a sub-processor, with the opportunity to object on reasonable data-protection grounds (see the Sub-processors section).

7. International transfers (Chapter V)

Anthropic, Railway, Cloudflare, and Sentry process data in the United States. Where the Controller or its data subjects are in the EEA/UK/Switzerland, transfers are made under the EU Standard Contractual Clauses (Module 2 / Module 3 as applicable) plus the UK International Data Transfer Addendum and Swiss adaptations, as incorporated in each sub-processor's DPA. The operative SCC module (with Annexes I through III completed: parties, processing description, and the technical/organizational measures in §4) is incorporated into this DPA as an annex and is available on request. Given Sumzy stores no raw reviews and keeps only derived, PII-scrubbed summaries, the transferred personal-data surface is deliberately small.

SCC Annex I.A: identity of the parties (data exporter). For the SCCs incorporated by this DPA, the data exporter is:

  • Name: Flamboyant Flamingos SRL, the operator of Sumzy.
  • Status: a company incorporated in Romania.
  • Registration number: CUI 38631092 (Romanian unique registration code / cod unic de înregistrare).
  • Registered address: on file with the Romanian Trade Register (Registrul Comerțului) under CUI 38631092 and available on request.
  • Competent supervisory authority: the Romanian ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, the Romanian supervisory authority under GDPR Art. 51).
  • Contact: hello@sumzy.io.
  • Role: controller of the merchant's account/license data; processor of customer review text on the merchant's behalf (Module 3 export to the sub-processors above where the merchant is the controller). The data importers are the sub-processors listed in §6 and in the Sub-processors section, each with the processing description set out in §2 and the technical/organizational measures in §4.

8. Deletion and return (Art. 28(3)(g))

  • Raw review text is already discarded at generation time (see §4), so there is nothing raw to return or delete on termination.
  • On termination of the subscription, or on Controller request, Sumzy will delete the derived summaries, the review-set hashes, and the merchant's account/entitlement records held in the Sumzy backend within 30 days, except where retention is required by law (e.g. billing/tax records held by Freemius as MoR). This is consistent with, and does not extend, the up-to-12-month post-cancellation reactivation retention described in the Privacy Policy: a Controller request to delete is honored within 30 days regardless of that window.
  • The merchant's plugin-side local copy of summaries (in the WordPress database) is under the merchant's control; Sumzy's uninstall behavior preserves merchant data unless the merchant opts in to removal.
  • Sumzy will, on request, certify deletion.

9. Audit (Art. 28(3)(h))

Sumzy will make available to the Controller the information reasonably necessary to demonstrate compliance with Art. 28, primarily this DPA, the Sub-processors section, the Privacy Policy, and on reasonable request a summary of the technical/organizational measures in §4. For most merchants this documentation satisfies the audit right; on-site audits are by prior written agreement, at the requesting Controller's cost, subject to confidentiality, and limited so as not to compromise other merchants' data.

10. Freemius / Merchant of Record

The Sumzy subscription is sold by Freemius as Merchant of Record. Freemius determines and controls the processing of the buyer's billing and tax data to meet its own legal obligations and is therefore an independent controller for that processing. It is not acting as Sumzy's processor for the sale. Freemius's own privacy terms govern that billing data. Sumzy receives back only the limited account/license data needed to operate entitlements, for which Sumzy is the controller. Sumzy's position is therefore that Freemius is an independent controller for the sale (not Sumzy's processor), and is listed on the Sub-processors page for disclosure/transparency rather than because Sumzy directs its processing of buyer billing data.

11. Personal-data breach (Art. 33)

Sumzy will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data, with the information available to enable the Controller to meet its own Art. 33 notification duties (nature of the breach, categories/approximate number of data subjects and records affected, likely consequences, measures taken/proposed). Notification will be made without undue delay and, where feasible, within 72 hours of Sumzy becoming aware.

12. Liability, term, governing law

Liability under this DPA is subject to the limitations in the Terms of Service. This DPA remains in force for as long as Sumzy processes personal data on the Controller's behalf. Governing law and jurisdiction follow the Terms of Service: this DPA is governed by the laws of Romania, with the competent courts of Romania having jurisdiction. GDPR and the Controller's local data-protection law continue to apply regardless, because Sumzy sells internationally.

This policy explains how Sumzy (the AI review-summary app for Shopify, operated from sumzy.io by Flamboyant Flamingos SRL) handles data when it runs as a Shopify app. It is written to describe what the Sumzy Shopify app actually does, not generic boilerplate. The terms governing the Shopify app are in the Terms of Service, which cover both the WooCommerce plugin and the Shopify app.

These terms apply to the Shopify version of Sumzy. Use the platform toggle at the top of this page to switch to the WooCommerce Privacy Policy, which covers the WooCommerce plugin instead. The WooCommerce plugin reads reviews directly from your store and is billed through Freemius, so its data flow differs from the Shopify app described here. Read the version that matches your install.

The Sumzy Shopify app reads your existing product reviews from your review provider, Judge.me, as the source for the AI summaries. It sends only the minimum needed to summarize them and writes a short AI-generated summary back to each product so your theme can display it. It installs with two scopes, write_products (to write the summary back) and read_locales (a read-only scope to list your store's enabled languages so the summary can be produced per market locale). It requests no access to Shopify Protected Customer Data. There is no customer, order, or checkout access of any kind.

There are two distinct relationships to keep separate:

  1. Sumzy as a service to merchants (processor role). When a store installs Sumzy, the merchant is the data controller of its customers' reviews and Sumzy is a processor acting on the merchant's behalf. The legal terms of that relationship are in the Data Processing Agreement section of the main Privacy Policy, which governs the Shopify app as well.
  2. Sumzy as a website/account operator (controller role). For the merchant's own account, marketing, and support data we collect directly at sumzy.io, Sumzy is the controller.

In this document:

  • 1. What review data leaves your store
  • 2. What we write back to Shopify
  • 3. What we retain
  • 4. App permissions and Protected Customer Data
  • 5. AI transparency
  • 6. Sub-processors
  • 7. Billing and Merchant of Record
  • 8. International transfers
  • 9. Retention periods
  • 10. Data-subject rights and Shopify's mandatory webhooks
  • 11. Children's data and automated decisions
  • 12. Contact

1. What review data leaves your store, and what we do with it

In short. Sumzy reads your reviews from Judge.me, not from Shopify customer or order data. The provider adapter strips the reviewer's name, email, phone, and IP before anything leaves your store. Only the review text, rating, and a coarse recency band are kept and sent to our backend and Anthropic's Claude to make the summary. The text is not used to train AI models, and Sumzy keeps no raw review text.

This is the core of Sumzy, so we describe it precisely.

Where the reviews come from. Sumzy does not read Shopify's customer or order records. It reads your existing product reviews from your connected review app. At launch the supported provider is Judge.me. You connect Judge.me to Sumzy by authorizing it with your Judge.me API token; Sumzy then reads reviews through the Judge.me API. Sumzy never collects reviews by scraping your storefront or by touching Shopify customer data.

Stripped at the source, before anything leaves your store. When Sumzy reads a review from Judge.me, the provider adapter discards the reviewer's name, email address, phone number, and IP address immediately. These reviewer-identifying fields are never forwarded, never logged, and never stored. Only three things are kept from each review:

  • the review's text,
  • its star rating (1 to 5, when present), and
  • a coarse recency band derived from the review date (recent, older, or historical). The exact review date is never sent, only this coarse band.

Alongside those review fields, each summarization request carries an opaque product reference (the Shopify product identifier, so the summary maps to the right product), the merchant's configured output language and summary tone, and the plugin's license key (sent as a bearer token over TLS) plus the site/shop identifier, for authentication and entitlement checks. The license key is stored only as a hash at rest (see §3); it travels in the request itself to authenticate the call.

Deliberately NOT sent: the reviewer's name, email, phone, or IP address; the exact review date; and any Shopify customer, order, billing, or shipping identifier. The reviewer is never identified as a structured field. Only the review's free text, its rating, and a coarse age band leave the store.

What happens to the review text:

  1. The Sumzy backend (hosted on Railway, United States) receives the review text.
  2. It is sent to Anthropic's Claude API (United States) to generate a structured summary. Under Anthropic's commercial API terms, this input is not used to train AI models.
  3. The summary is returned; Sumzy runs a PII scrub over the summary text and theme labels.
  4. Sumzy stores no raw review text. In Sumzy's own systems the review text is held only for the duration of the request and the AI call, and the raw-input field is nulled the moment the job finishes (on success or terminal failure). There is no database column that keeps it at rest.
  5. What Anthropic holds, and for how long. Anthropic (our AI sub-processor) processes the review text to produce the summary. How long Anthropic retains that input depends on the processing mode. On the standard, interactive path it is held only as long as Anthropic's commercial API requires. When a summary is produced through Anthropic's batch processing mode, which Sumzy uses for bulk generation to keep costs down, Anthropic retains the batch request and result for up to about 29 days before deleting it. In both modes the input is not used to train AI models, and the same Standard Contractual Clauses apply. We disclose this so the retention picture is accurate. Sumzy keeps no raw reviews; our sub-processor holds the input briefly and then deletes it.

2. What we write back to Shopify

In short. The only thing Sumzy writes to your store is the finished summary, into an app-owned product metafield. It never creates, edits, or deletes your products, customers, or orders. The write_products scope is used only for that summary metafield.

The only thing Sumzy writes to your Shopify store is the finished summary. Sumzy stores each product's summary in an app-owned product metafield (namespace $app, key summary). This metafield holds the derived summary data: the prose blurb, the positive and negative themes, the sentiment, the confidence, and the count of reviews used, all after the PII scrub described in §1. Your theme reads this metafield to render the summary on the product page, so the storefront shows the summary without any live call to Sumzy. The metafield is app-owned, which means it is created and managed by Sumzy and is removed when you uninstall the app.

Sumzy does not create, edit, or delete your products, your customers, your orders, or any other store data. The write_products scope is used solely to write the summary metafield on the products you choose to summarize.

3. What we retain (and what we do not)

In short. We keep the derived summary, a one-way hash of the review set, your account/entitlement data (shop identifier, Shopify subscription state, hashed access token), and the review-provider connection (your Judge.me token) so we can refresh. We do not keep raw reviews. The connection is erased on uninstall.

Sumzy does NOT retain raw review text in its own systems. Separately, our AI sub-processor holds the input briefly to do the processing and then deletes it; see the retention note in §1 and §9. What persists in the Sumzy backend is only:

  • The derived summary: the prose blurb, positive and negative themes, sentiment, confidence, and the count of reviews used, all subject to a PII scrub so reviewer personal data does not appear in shopper-visible strings.
  • A one-way SHA-256 hash of the review set, used solely to detect when the underlying reviews have changed and a refresh is warranted. It is not reversible to the original review text, and it carries no per-reviewer value. Sumzy also keeps a small, PII-free snapshot of counts and ordering for the same change-detection purpose; it stores no review text.
  • Merchant account / entitlement data: the shop identifier (your myshopify.com domain and Shopify shop id), the Shopify subscription identifier and the plan, trial, and usage state synced from Shopify's billing webhooks, and the hashed backend access token (SHA-256, never stored in plaintext). No Freemius account reference is stored for the Shopify app; Shopify, not Freemius, is the billing party for the Shopify subscription (see §7).
  • The review-provider connection you authorize (for example, the Judge.me token needed to read reviews), held so Sumzy can fetch new reviews on the refresh schedule. This is erased on uninstall (see §10).
  • Operational metadata: AI token counts and cost per generation (no review content), and truncated, PII-stripped error logs.

The finished summary also lives in the Shopify product metafield described in §2, under your control, so your storefront renders fast without calling our backend.

4. App permissions and Protected Customer Data

In short. Two scopes: write_products (writes the summary metafield) and read_locales (read-only, lists your store's enabled languages so summaries can be produced per market locale). Sumzy requests no access to Shopify Protected Customer Data (no customer names, addresses, emails, phones, orders, or browsing data). It has no need for that data and does not collect it.

Sumzy for Shopify installs with two OAuth scopes: write_products and read_locales. The write_products scope lets Sumzy write the summary back to an app-owned product metafield. The read_locales scope is read-only: it lets Sumzy list the languages and locales your store has enabled, so a summary can be generated for each market locale. It reads no customer, order, or personal data. Sumzy requests no permission beyond these two. In particular, it does not request read_customers, read_orders, or any other permission that would grant access to Shopify Protected Customer Data (customer names, addresses, emails, phone numbers, order contents, or browsing data). Sumzy has no need for that data and does not collect it.

Because Sumzy reads reviews only from your connected review provider, and because the provider adapter strips reviewer-identifying fields before they leave your store, Sumzy never holds Shopify customer PII. This is why the data-erasure position in §10 holds: there is no stored customer personal data for Sumzy to return or erase.

5. AI transparency

In short. Every summary is clearly labeled AI-generated, for sighted and screen-reader shoppers alike, with the count of reviews it is based on. The summary reflects the reviews proportionally; a complaint that genuinely recurs is always surfaced.

Every summary Sumzy displays is disclosed as AI-generated. The summary block shows an "AI" pill and includes a screen-reader phrase so assistive technology announces "AI-generated summary," along with the count of reviews the summary is based on. This is a product requirement, not just a legal one. Shoppers should always know the summary was produced by AI from the store's reviews.

The summary is constrained to be a faithful, proportional reflection of the reviews. A complaint that genuinely recurs across reviews is surfaced; Sumzy provides no "positive-only" mode, tier, or toggle that would hide or down-weight a real recurring negative.

6. Sub-processors

In short. Anthropic (AI), Judge.me (your review source), Railway (hosting), Cloudflare (edge), Sentry (errors), PostHog (pseudonymous merchant product-usage telemetry relayed server-side from this app), Shopify (billing/MoR), and Mango Mail (transactional email). The full disclosure and the advance-notice commitment are in the Sub-processors section of the main Privacy Policy.

Sumzy relies on the sub-processors listed below. The full sub-processor disclosure and the GDPR Article 28(2) change-notification commitment are maintained in the Sub-processors section of the main Privacy Policy and apply to the Shopify app as well.

Sub-processorRole / purposeData category processedRegionTransfer mechanism
Anthropic, PBCAI summarization: generates the review summary from the submitted review text via the Claude API.Review text, each review's star rating and coarse recency band (never the exact date), plus the request's product reference, output language, and tone. No reviewer name, email, phone, or IP; no Shopify customer or order data. Not retained by Sumzy at rest. Anthropic holds the input only to process the request (request-duration on the interactive path, or up to about 29 days when the Message Batches API is used), then deletes it. Not used to train models.United StatesSCCs (EU-to-US) + UK Addendum, via Anthropic's commercial terms / DPA. API inputs are not used to train Anthropic models.
Judge.me (Judge.me Pty Ltd)Review data source / provider: Sumzy reads the merchant's existing product reviews from Judge.me through the Judge.me API, using the API token the merchant authorizes. Judge.me is the merchant's own review platform; Sumzy is a reader of the review content the merchant already collects there.Review content read from the merchant's Judge.me account: each review's text, star rating, and review date (used only to derive the coarse recency band). Reviewer-identifying fields returned by the Judge.me API (name, email, phone, IP) are discarded at Sumzy's adapter and never forwarded or stored.Set by the merchant's Judge.me account regionThe merchant's existing relationship and terms with Judge.me govern the review data held in Judge.me. Sumzy accesses it under the merchant's authorization and applies the minimization above before any data leaves the store.
Railway Corp.Hosting and database: runs the Sumzy backend and the PostgreSQL database that stores derived summaries, the one-way review-set hash, hashed license keys, the review-provider connection, and entitlement/usage state.Derived summary, review-set hash (one-way), hashed license keys, shop identifier, merchant account/entitlement records. No raw review text at rest.United StatesSCCs (EU-to-US) via Railway's DPA.
Cloudflare, Inc.CDN / edge network and access control: fronts Sumzy's API and account site (TLS termination, DDoS/WAF protection) and provides access control for the internal operator console.Network metadata (IP addresses, request headers, TLS data) transiting the edge; access-control identities for Sumzy staff. Review and summary content transits encrypted.Global edge network; company US-basedSCCs (EU-to-US) + Cloudflare's DPA.
Sentry (Functional Software, Inc.)Application error tracking: captures backend exceptions so we can diagnose and fix failures.Error and diagnostic data: stack traces, request metadata, error messages. Configured to scrub PII; review text is not intentionally sent to Sentry, and error messages are truncated and stripped of secrets and PII before logging.United StatesSCCs (EU-to-US) via Sentry's DPA; PII scrubbing enabled.
PostHog, Inc. (EU Cloud)Product analytics: pseudonymous, merchant-scoped product-usage and onboarding-funnel telemetry, computed by the backend from Shopify billing webhooks or relayed server-side from the Sumzy app (install, trial start/outcome, first summary generated, onboarding step, widget going live). The main Privacy Policy's Sub-processors section also covers the separate, consent-based visitor analytics PostHog runs on the sumzy.io marketing site.Non-PII lifecycle and progress properties (a step name, a numeric progress fraction) keyed to Sumzy's internal shop identifier. Never a Shopify customer identifier, email, or review content.European Union (PostHog EU Cloud)Processed within the EU under Sumzy's legitimate interest (GDPR Art. 6(1)(f)) in understanding and improving onboarding and reliability; PostHog's DPA governs the processing relationship.
Shopify (Shopify Inc.)Merchant of Record and billing: through Shopify Managed Pricing, Shopify sells the Sumzy subscription, handles checkout, billing, invoicing, and applicable VAT/sales tax, and charges your Shopify account. As MoR, Shopify is the seller and an independent controller of your billing data for this subscription.Merchant (buyer) billing and account data held by Shopify: your Shopify account and billing details, plan selection, and tax identifiers. Card data is handled by Shopify's payment systems, not by Sumzy. Sumzy receives only the plan, subscription status, and the Shopify subscription identifier needed to run entitlements.Per Shopify's own infrastructure and DPAGoverned by Shopify's own privacy terms and DPA, including its international-transfer mechanisms (see §7).
Mango MailTransactional email delivery: sends admin authentication codes and similar system emails. No review data.Recipient email address; message content of system emails (no review text, no billing data).United StatesGDPR Art. 49(1)(b) derogation (contract necessity) for these occasional, necessary transfers pending execution of SCCs; all data in transit over TLS.
Cloudflare R2 (Cloudflare, Inc.)Encrypted off-site database backup storage: holds a daily encrypted snapshot of the Sumzy production database (last 3 retained) for disaster recovery. The backup covers the shared production Postgres that serves both the WooCommerce plugin and the Shopify app.Full database snapshot at rest: derived summaries (result_json), one-way review-set hashes, hashed license keys, merchant account and entitlement records. Raw review text (the transient raw_input field) is excluded from the backup, so no raw review text is stored at rest.Cloudflare object storage (bucket region per configuration).SCCs (EU to US) plus Cloudflare's DPA.

We commit to advance notice before adding or replacing a sub-processor, as set out in the Sub-processors section.

7. Billing data and Merchant of Record

In short. On Shopify, billing runs through Shopify Managed Pricing with Shopify as the Merchant of Record. Shopify charges your account and handles VAT/sales tax. Sumzy never sees your payment-card data. Freemius is not involved in the Shopify billing path.

The Sumzy subscription is sold through Shopify Managed Pricing, with Shopify as the Merchant of Record. Shopify processes your payment, charges your Shopify account, issues your billing records, and handles applicable VAT/sales tax for this subscription. Sumzy never sees your payment-card data and is not the seller of record for the Shopify subscription. Shopify's own privacy terms govern that billing data; Sumzy receives only the plan, subscription status, and the Shopify subscription identifier needed to run entitlements. Freemius is not involved in the Shopify billing path.

8. International transfers

In short. Our sub-processors are in the United States. EEA/UK/Swiss transfers rely on the Standard Contractual Clauses. Because we keep only derived, PII-scrubbed summaries, the data actually transferred is minimal. The data exporter is Flamboyant Flamingos SRL (Romania).

Our sub-processors process data in the United States. For data subjects in the EEA, UK, or Switzerland, transfers rely on the Standard Contractual Clauses (plus the UK Addendum and Swiss adaptations) incorporated into each sub-processor's terms. Because Sumzy discards raw reviews and stores only derived, PII-scrubbed summaries, the personal data actually transferred is minimal.

The data exporter is Flamboyant Flamingos SRL, a company incorporated in Romania, registration number CUI 38631092 (Romanian cod unic de înregistrare), whose registered address is on file with the Romanian Trade Register (Registrul Comerțului) under CUI 38631092 and is available on request. Our competent supervisory authority is the Romanian ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal); you have the right to lodge a complaint with it, or with the supervisory authority of your own EEA country of residence. The completed SCC annex identifying the exporter and importers is set out in the Data Processing Agreement section and is available on request.

9. Retention periods

In short. No raw reviews are kept. Derived summaries and the hash are kept while you subscribe, and up to 12 months after cancellation so you can reactivate; you can ask us to delete sooner at any time. The Judge.me connection and the metafield summary are removed on uninstall.

  • Raw review text: not retained by Sumzy. Our AI sub-processor (Anthropic) holds the input only to process it, then deletes it (for the duration of the request on the interactive path, or up to about 29 days when batch processing is used). In neither case is it used to train models.
  • Derived summaries and review-set hash: kept while the merchant's subscription is active and the product is summarized. If the subscription is cancelled, we retain this backend-derived summary and aggregate data for up to 12 months after cancellation, so a merchant who comes back can reactivate quickly without regenerating everything; after that period it is permanently deleted. A merchant may ask us to delete it sooner at any time (the right to erasure, see §10), and we will. The summary stored in the Shopify product metafield is removed when the app is uninstalled.
  • Review-provider connection (for example, the Judge.me token): kept while the connection is active so Sumzy can refresh summaries; erased on uninstall.
  • Account and entitlement data: kept for the life of the account plus any period required by law.
  • Billing and tax records: retained by Shopify per its legal obligations as Merchant of Record for the Shopify subscription.
  • Error logs: retained only as long as needed to diagnose and fix failures, on Sentry's short default retention window, and PII-scrubbed before they are stored.

10. Data-subject rights and Shopify's mandatory webhooks

In short. You have the usual GDPR rights. Sumzy implements Shopify's three compliance webhooks (customers/data_request, customers/redact, shop/redact). Because Sumzy holds no reviewer PII, the two customer webhooks have nothing to disclose or erase; shop/redact triggers a full erase of that shop's data.

Data subjects (a store's customers, or merchants) have rights of access, rectification, erasure, restriction, portability, and objection. Because Sumzy is usually a processor of review data, a customer's request about their review should generally go to the merchant (the controller), and to the merchant's review platform where the review is held; Sumzy will assist the merchant in responding.

Shopify requires every app to implement three compliance webhooks. Sumzy implements all three, and the way each behaves follows directly from the fact that Sumzy holds no reviewer PII.

  • customers/data_request. Sumzy stores no customer personal data. The provider adapter strips reviewer name, email, phone, and IP, only the review text and rating reach generation, and raw text is never retained. There is therefore no customer data to return. Sumzy acknowledges the request and has nothing to disclose.
  • customers/redact. Because Sumzy retains no reviewer PII, this is a defensible no-op: there is no stored personal data about that individual to erase. The reviewer's identity never entered Sumzy's systems in the first place.
  • shop/redact. This fires after a shop uninstalls. Sumzy cascades a full erase of that shop's data: the shop record, its product mappings, its stored summaries, its review snapshots, and the review-provider connection are deleted, and the app session is cleared. After this runs, Sumzy holds no data for that shop.

Separately, when a merchant deletes or hides a review in their review platform, the review set changes, its one-way hash changes, and Sumzy regenerates the summary from the remaining reviews on the next scheduled refresh. The removed review therefore stops contributing to the summary without any separate deletion step inside Sumzy. If a merchant needs the cached summary and hash for a product purged sooner, Sumzy will delete them on request.

11. Children's data, automated decisions

Sumzy is a B2B product for store operators and does not knowingly process children's data. Sumzy's AI summary is an informational display; it does not make automated decisions that produce legal or similarly significant effects on individuals under GDPR Art. 22.

12. Contact

Privacy questions and data-subject requests: hello@sumzy.io. For requests about review content on a specific store, contact that store (the controller) and its review platform; we will support them.

Sumzy

Your shoppers read the summary. Your reviews do the convincing. Works on any WooCommerce or Shopify store, out of the box.

Built for

Product

FeaturesPricingHow it worksRoadmapChangelogFAQ

Resources

AboutDocsBlogContactCompare WooCommerceCompare Shopify

Legal

TermsPrivacyCookie policyRefund policy
© 2026 Sumzy
Fully private. Your data stays yours.

We keep cookies to a minimum. We use essential cookies to run the site and, with your OK, a little analytics to improve it. Read our cookie policy.