Stravax Engage is operated by Stravax Group LLC, a limited liability company licensed by Sharjah Media City Free Zone Authority (Shams), Government of Sharjah, United Arab Emirates (Licence No. 2537844.01). Registered address: Sharjah Media City (Shams), Al Messaned, Al Bataeh, Sharjah, United Arab Emirates.
Stravax Engage is a WhatsApp engagement platform. Our Shopify app sends WhatsApp abandoned-cart and order-recovery messages to a merchant's customers, on the merchant's behalf and on the merchant's instructions.
We act in two roles:
This policy describes both roles, with emphasis on the customer personal data we process through the Shopify integration.
When a merchant installs the Stravax Engage Shopify app and enables cart recovery, Shopify sends us abandoned-checkout and order webhooks. From those we store, per abandoned checkout, only:
We do not store the customer's email address, billing address, shipping address, payment details, or order line-item contents. Those fields are not persisted by the app.
The customer name and phone number are the only Shopify Protected Customer Data fields the app requests or retains.
The sole purpose is to send the merchant's customer a WhatsApp cart-recovery or order-recovery message, and to record whether that message led to a completed order (so the merchant can see recovery performance).
We process this data only on the merchant's instruction. The merchant is responsible for having a lawful basis and the customer consent required to message their customers on WhatsApp. Our app respects the marketing-consent flag on the Shopify checkout: a marketing-category recovery message is only sent to a customer whose checkout indicated marketing opt-in.
We do not use this data to build our own marketing lists, profile customers across merchants, or for any purpose other than delivering the merchant's recovery messaging.
We do not sell customer personal data. We do not share it with third parties for their own purposes, for advertising, or for any purpose beyond operating the recovery service for the merchant. The only third parties that ever receive this data are the infrastructure sub-processors listed in section 6, and only to the extent needed to deliver the message.
We use the following sub-processors. For the Shopify customer name and phone number specifically, only the two marked (receives Shopify name + phone) are in that data path.
| Sub-processor | Purpose | In the Shopify name+phone path? |
|---|---|---|
| Cloudflare | Hosting, database (D1), object storage (R2), queues, security | Yes (storage) |
| Meta / WhatsApp (WhatsApp Business Platform) | Delivers the recovery message; the customer name is a message template parameter and the phone number is the recipient | Yes (delivery) |
| Shopify | Source of the checkout and order webhooks | Source, not a recipient |
| Stripe | Merchant billing and self-serve wallet top-up | No |
| Google Ads / Meta Ads | Conversion-event receipt for merchants who enable Ad Sync | No |
| Anthropic | Optional AI conversation qualifier (processes WhatsApp conversation message text only, for merchants who enable it) | No |
Anthropic is listed for completeness because a merchant may separately enable an AI conversation feature that sends WhatsApp message content to Anthropic. That optional feature does not receive the Shopify-sourced customer name or phone fields.
Abandoned-checkout records (customer name, phone, and cart metadata) are retained for up to 90 days from the time the checkout was abandoned, and are then deleted. See the accompanying Data Retention Policy for the full rationale. Recovery loses value quickly after a cart is abandoned; we keep records only long enough for the recovery to fire, for a late order to be attributed, and for the merchant to see recent recovery performance.
Records are also deleted earlier when a merchant uninstalls the app or when a deletion request is received (section 8).
Because we process customer personal data as a processor on the merchant's behalf, a customer exercises their rights through the merchant (the controller). We honour the merchant's instructions and Shopify's mandatory privacy webhooks automatically:
customers/redact): on receiving this webhook from
Shopify, we delete that customer's abandoned-checkout records for that store, matched by phone
number.shop/redact): on receiving this webhook (which Shopify sends
after a merchant uninstalls the app), we delete all abandoned-checkout records we hold for that
store.customers/data_request): we log the request to our administrative
audit trail and fulfil it manually, since the only data we hold for a customer is their
abandoned-checkout contact data (name, phone, cart URL) for that store.A customer or merchant may also contact us directly using the details in section 10.
Data may be processed outside the UAE through our global infrastructure providers (principally Cloudflare and Meta/WhatsApp). Transfers rely on those providers' own safeguards.
Stravax Group LLC, Sharjah, UAE.
Privacy and data requests: privacy@stravax.ai
Stravax Engage is a business tool and is not directed to children. We do not knowingly process data relating to anyone under 18.
We update this policy as the service evolves. Material changes will be posted here before they take effect.
© 2026 Stravax Group LLC. All rights reserved.