Docs / Legal / Privacy Policy

Privacy Policy

Last updated: 9 July 2026

1. Who we are

Stravax Engage is operated by Stravax Group LLC, a limited liability company licensed by Sharjah Media City Free Zone Authority (Shams), Government of Sharjah, United Arab Emirates (Licence No. 2537844.01). Registered address: Sharjah Media City (Shams), Al Messaned, Al Bataeh, Sharjah, United Arab Emirates.

Stravax Engage is a WhatsApp engagement platform. Our Shopify app sends WhatsApp abandoned-cart and order-recovery messages to a merchant's customers, on the merchant's behalf and on the merchant's instructions.

We act in two roles:

This policy describes both roles, with emphasis on the customer personal data we process through the Shopify integration.

2. Customer personal data we process through Shopify

When a merchant installs the Stravax Engage Shopify app and enables cart recovery, Shopify sends us abandoned-checkout and order webhooks. From those we store, per abandoned checkout, only:

We do not store the customer's email address, billing address, shipping address, payment details, or order line-item contents. Those fields are not persisted by the app.

The customer name and phone number are the only Shopify Protected Customer Data fields the app requests or retains.

3. Why we process it, and our lawful basis

The sole purpose is to send the merchant's customer a WhatsApp cart-recovery or order-recovery message, and to record whether that message led to a completed order (so the merchant can see recovery performance).

We process this data only on the merchant's instruction. The merchant is responsible for having a lawful basis and the customer consent required to message their customers on WhatsApp. Our app respects the marketing-consent flag on the Shopify checkout: a marketing-category recovery message is only sent to a customer whose checkout indicated marketing opt-in.

We do not use this data to build our own marketing lists, profile customers across merchants, or for any purpose other than delivering the merchant's recovery messaging.

4. We do not sell or share your data

We do not sell customer personal data. We do not share it with third parties for their own purposes, for advertising, or for any purpose beyond operating the recovery service for the merchant. The only third parties that ever receive this data are the infrastructure sub-processors listed in section 6, and only to the extent needed to deliver the message.

5. How we protect it

6. Sub-processors

We use the following sub-processors. For the Shopify customer name and phone number specifically, only the two marked (receives Shopify name + phone) are in that data path.

Sub-processor Purpose In the Shopify name+phone path?
Cloudflare Hosting, database (D1), object storage (R2), queues, security Yes (storage)
Meta / WhatsApp (WhatsApp Business Platform) Delivers the recovery message; the customer name is a message template parameter and the phone number is the recipient Yes (delivery)
Shopify Source of the checkout and order webhooks Source, not a recipient
Stripe Merchant billing and self-serve wallet top-up No
Google Ads / Meta Ads Conversion-event receipt for merchants who enable Ad Sync No
Anthropic Optional AI conversation qualifier (processes WhatsApp conversation message text only, for merchants who enable it) No

Anthropic is listed for completeness because a merchant may separately enable an AI conversation feature that sends WhatsApp message content to Anthropic. That optional feature does not receive the Shopify-sourced customer name or phone fields.

7. How long we keep it

Abandoned-checkout records (customer name, phone, and cart metadata) are retained for up to 90 days from the time the checkout was abandoned, and are then deleted. See the accompanying Data Retention Policy for the full rationale. Recovery loses value quickly after a cart is abandoned; we keep records only long enough for the recovery to fire, for a late order to be attributed, and for the merchant to see recent recovery performance.

Records are also deleted earlier when a merchant uninstalls the app or when a deletion request is received (section 8).

8. Exercising data rights (access, correction, deletion)

Because we process customer personal data as a processor on the merchant's behalf, a customer exercises their rights through the merchant (the controller). We honour the merchant's instructions and Shopify's mandatory privacy webhooks automatically:

A customer or merchant may also contact us directly using the details in section 10.

9. International transfers

Data may be processed outside the UAE through our global infrastructure providers (principally Cloudflare and Meta/WhatsApp). Transfers rely on those providers' own safeguards.

10. Contact

Stravax Group LLC, Sharjah, UAE.

Privacy and data requests: privacy@stravax.ai

11. Children

Stravax Engage is a business tool and is not directed to children. We do not knowingly process data relating to anyone under 18.

12. Changes to this policy

We update this policy as the service evolves. Material changes will be posted here before they take effect.

© 2026 Stravax Group LLC. All rights reserved.