Solvias
Privacy Policy

Privacy at Solvias.

How we collect, use, and protect data — for our customers and the customers they serve. Operated by AB Collection LLC.

EFFECTIVE · MAY 6, 2026·VERSION 1.0
01

Introduction

AB Collection LLC ("we", "us", "our") operates Solvias, an AI-assisted customer support platform for ecommerce businesses ("Service"). This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, and what rights you have in relation to it.

By using Solvias you agree to the practices described in this policy. If you do not agree, do not use the Service.

02

Who This Policy Covers

This policy applies to two groups of people:

  • Store owners / team members — ecommerce brand owners and their staff who create a Solvias account, connect integrations, and manage support tickets ("Users"). Users are the data controllers for End Customer data processed through their connected mailboxes; AB Collection LLC acts as a data processor with respect to that End Customer data.
  • End Customers — individuals who send emails to a store's support address and whose email content is processed by Solvias on behalf of the store owner who controls that mailbox ("End Customers"). End Customers do not have a Solvias account and do not have a direct contractual relationship with AB Collection LLC.

For data Users provide to us directly (account information, integration credentials, billing data, usage of the Solvias dashboard), AB Collection LLC is the data controller.

03

Data We Collect

Account and Profile Data

When you register for Solvias we collect:

  • Full name and email address
  • Password (stored as a bcrypt hash — we never store plaintext passwords)
  • Organisation / store name

Store Integration Data

When you connect third-party services we collect the credentials and tokens necessary to access those services on your behalf:

IntegrationData collected
GmailOAuth 2.0 refresh token (AES-256-GCM encrypted at rest); Gmail history ID for change polling; the email messages described below
ShopifyStore domain; API client ID and secret (encrypted at rest)
ParcelPanelAPI key (encrypted at rest)

Gmail Data (Sensitive and Restricted Scopes)

Solvias accesses your Gmail mailbox using two scopes:

ScopeWhat is accessed
gmail.readonlyEmail message metadata (sender address, recipient address, subject line, date, thread ID, message ID) and message body content of inbound emails received at the connected mailbox
gmail.sendThe ability to send a reply email on your behalf using the connected mailbox's address

Scope of access in practice. Although the gmail.readonly scope grants technical access to all messages in the connected mailbox, our application code only reads messages that arrive in the connected mailbox's primary inbox after the connection date, and only for the purpose of creating support tickets. We do not index, search, retrieve, or expose historical messages, archived messages, sent items, drafts, or other Gmail folders or labels. We strongly recommend connecting a dedicated support mailbox (e.g., support@yourstore.com) rather than a personal mailbox to ensure clear separation between support correspondence and personal email.

Specifically, we read and process:

  • Inbound email subject lines and body text (plain text and HTML)
  • Sender name and email address
  • Gmail thread IDs and message IDs (used to associate messages with support tickets and to send replies into the correct thread)
  • Email attachment metadata (file name, content type, size) and attachment files where present

Support Ticket and Message Data

When an inbound customer email arrives, Solvias creates a support ticket. We store:

  • The full email content (subject, body, sender) associated with that ticket
  • AI-generated draft replies and the final sent reply
  • Agent actions (draft approval, edits, manual replies)
  • Attachments uploaded to Vercel Blob Storage

Order and Tracking Data

When a ticket is related to an order (shipping, return, etc.) we fetch and temporarily store:

  • Shopify order data: order number, items, fulfilment status, customer name and address
  • ParcelPanel tracking data: carrier, tracking number, delivery status events

This data is fetched in real time per ticket and stored alongside the ticket for support purposes.

Usage and Log Data

We collect:

  • Activity logs (who approved a draft, who sent a reply, AI mode changes)
  • AI token usage logs: model used, token counts, action type (classify / generate / refine)
  • AI generation audit logs: the system prompt used, the customer email, the AI response, confidence score, and which knowledge-base articles were referenced

These logs are used for billing, debugging, and auditability.

Technical Data

Standard server and application logs: IP address, browser type, pages visited, timestamps. Used for security monitoring and debugging.

04

How We Use Your Data

Core Service Delivery

We use the data described in section 3 to:

  • Operate the support ticketing inbox — create tickets from inbound emails, display them in the Solvias dashboard
  • Generate AI-assisted draft replies using the email content, order context, and your store's knowledge base
  • Send approved replies on your behalf via Gmail (gmail.send) so the reply appears in the customer's existing email thread from your store's support address
  • Fetch Shopify order data and ParcelPanel tracking data to enrich relevant tickets
  • Log activity and AI usage for your own auditing and billing purposes

AI Processing of Gmail Data

Solvias passes the text content of inbound customer emails to the Anthropic Claude API for two purposes:

  • Classification — identifying the ticket category (e.g., shipping inquiry, return request) and extracting an order number if present
  • Draft generation — producing a suggested reply based on the email, order context, and your store's knowledge base and instructions

This processing is performed in real time, on a per-ticket basis, solely to produce a reply for the authenticated store account that owns that email thread.

Anthropic data handling. Under Anthropic's commercial terms applicable to the Claude API, Anthropic does not use API inputs or outputs to train or improve its models. Anthropic retains API inputs and outputs for up to 30 days for Trust & Safety and abuse-monitoring purposes, after which the data is automatically deleted from Anthropic's systems. Anthropic acts as our sub-processor under a data processing agreement and is not permitted to use this data for any purpose other than providing the Claude API service to us.

Gmail message content is never used to train, fine-tune, or improve any AI or machine learning model — whether our own, Anthropic's, or any other third party's.

Service Improvement

We may use aggregated, de-identified usage statistics (counts, durations, error rates — never linked to individual email content or identifiable users) to improve the platform.

Legal and Safety

We may use or disclose data where required by law, court order, or to protect the rights, property, or safety of AB Collection LLC, our users, or others.

05

How We Share Your Data

We do not sell your data. We do not transfer Gmail data to advertising platforms, data brokers, or information resellers. We share data only in the following circumstances:

Sub-processors

We share data with the following service providers who process data strictly on our behalf, under data processing agreements, and solely for the purpose of delivering the Service:

Sub-processorPurposeData shared
Anthropic, PBC (Claude API)AI classification and draft generationEmail body text, order context, knowledge-base content
Neon, Inc. (PostgreSQL database)Persistent storageAll structured data including email message records
Vercel, Inc. (hosting, Blob Storage)Serving the application and storing email attachmentsAttachment files; encrypted tokens via environment variables
Upstash, Inc. (Redis)Short-lived caching of poll state and rate-limit countersGmail poll cursor (history ID); no email content
ResendTransactional email (account invitations)User email addresses for invitation emails only

Each sub-processor is contractually obligated to maintain confidentiality and security standards consistent with this policy and is prohibited from using data received from us for any purpose other than providing their services to us.

Legal Requirements

We may disclose data if required to do so by law or in response to valid legal process.

Business Transfer

If AB Collection LLC is involved in a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. We will notify affected users before data is transferred and becomes subject to a different privacy policy.

06

Google API Services — Limited Use

The use of information received from Google Workspace APIs (including data obtained via gmail.readonly and gmail.send) will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In compliance with Google's Limited Use requirements, Solvias affirms that Gmail user data:

  • Is used only to provide the customer support ticketing features described in this policy and visible to the authenticated user who authorised access
  • Is not transferred, sold, or used to serve advertisements — including personalised, interest-based, or retargeted advertising
  • Is not transferred or sold to third parties, except to the sub-processors listed in Section 5, who process data on our behalf under data processing agreements solely for the purpose of delivering the Service
  • Is not used to determine creditworthiness or for lending purposes
  • Is not used to build permanent profiles beyond what is necessary to operate the support inbox for the authenticated account
  • Is not used to train, fine-tune, or improve any generalised AI or machine learning model — whether our own systems, Anthropic's models, or any other third-party model
  • Is passed to the Anthropic Claude API solely for real-time, per-ticket response generation for the account that authorised access; this is a user-directed processing action equivalent to the user pasting an email into a tool to draft a reply, and does not constitute training data use
  • Is subject to human access only where the user who authorised access explicitly requests support, where we believe in good faith that human access is necessary for security incidents or legal obligations, or where required by law — and only to the minimum necessary extent
07

Data Retention

Active Accounts

While your Solvias account is active, we retain data as follows:

Data typeRetention period
Email message content (ticket messages)Lifetime of the support ticket, plus 12 months after the ticket is closed, then permanently deleted
AI generation logs and audit records24 months from creation
Activity logs12 months from creation
AI token usage logs24 months from creation
OAuth refresh tokensDeleted immediately upon Gmail disconnection
Shopify / ParcelPanel credentialsDeleted immediately upon integration disconnection

Account Deletion

When you delete your Solvias account, all Gmail-derived data and associated records are deleted on the timeline below, regardless of any other retention period stated above:

Data typeDeletion timeline
OAuth refresh tokens (Gmail, Shopify, ParcelPanel)Within 24 hours of account deletion request
Email message content (ticket messages) and attachmentsWithin 30 days of account deletion request
AI generation logs and audit recordsWithin 30 days of account deletion request
Account and profile dataWithin 30 days of account deletion request
Activity logs and AI token usage logsWithin 30 days of account deletion request

We retain de-identified, aggregated statistics (counts of tickets processed, total token usage) that cannot be linked back to you or your End Customers.

We may retain limited records longer where strictly necessary to comply with legal obligations, resolve disputes, or enforce our agreements; in such cases, only the minimum necessary records are retained, and Gmail-derived content is excluded from any such retention.

08

Data Security

We implement the following technical and organisational measures to protect your data:

  • Encryption in transit — All connections between your browser, our servers, and third-party APIs use TLS 1.2 or higher
  • Encryption at rest — OAuth tokens, API keys, and other secrets stored in our database are encrypted using AES-256-GCM with a 32-byte key held in a separate environment secret
  • Access controls — Multi-tenant architecture: each store's data is scoped to that store's account. Cross-tenant access is prevented at the database query level
  • Least-privilege API access — We request only the Gmail scopes required for the described features. We do not request write access beyond gmail.send
  • Audit logging — All AI actions, draft approvals, and sent replies are logged with timestamps and user identifiers
  • No plaintext secrets — Credentials are never logged in plaintext; logs are sanitised before storage
09

Your Rights

Rights Applicable to All Users

Subject to applicable law, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and associated data (deletion timelines are listed in section 7)
  • Data portability — request an export of your data in a machine-readable format
  • Objection / restriction — object to or request restriction of certain processing

To exercise these rights, email us at info@solvias.io.

Revoking Gmail Access

You can disconnect Solvias from your Gmail account at any time:

  • In Solvias: go to Store Settings → Integrations and click Disconnect Gmail
  • Alternatively, visit myaccount.google.com/permissions, find Solvias, and click Remove Access

Upon disconnection, we delete the stored OAuth refresh token within 24 hours. Existing ticket message records follow the active-account retention schedule in section 7. To request immediate deletion of all Gmail-derived data without deleting your account, email info@solvias.io.

End Customer Rights

End Customers (individuals who emailed a store's support address) who wish to exercise data rights regarding their personal data should contact the store owner directly, since the store owner is the data controller for that data. We will support store owners in fulfilling such requests. End Customers may also contact us at info@solvias.io and we will route the request appropriately.

California Residents (CCPA/CPRA)

California residents have the right to:

  • Know what personal information is collected, disclosed, or sold
  • Delete personal information (subject to legal exceptions)
  • Opt out of the sale or sharing of personal information — we do not sell or share personal information
  • Non-discrimination for exercising these rights

To submit a verifiable consumer request, email info@solvias.io from the email address associated with your account.

European / UK Residents (GDPR / UK GDPR)

If you are located in the European Economic Area or the United Kingdom, your personal data is processed on the following legal bases:

  • Contract performance — processing necessary to deliver the Service you signed up for
  • Legitimate interests — security monitoring, fraud prevention, aggregate analytics
  • Legal obligation — where required by law

You have the right to lodge a complaint with your local supervisory authority.

10

International Data Transfers

AB Collection LLC is based in the United States. By using Solvias, data may be transferred to and processed in the United States and other countries where our sub-processors operate. We ensure appropriate safeguards (such as Standard Contractual Clauses) are in place for transfers from the EEA or UK to the United States.

11

Children's Privacy

Solvias is not directed at children under the age of 13. We do not knowingly collect personal data from children. End Customer emails received via connected mailboxes are processed under the store owner's existing relationship with that End Customer; we do not collect End Customer ages, do not direct support communications at children, and rely on the store owner to comply with applicable child-protection laws (such as COPPA) in their relationship with their customers. If you believe we have inadvertently collected data from a child, contact us at info@solvias.io and we will delete it promptly.

12

Third-Party Links

The Service may contain links to third-party websites (e.g., Shopify, Gmail). This policy does not cover third-party sites. We encourage you to read the privacy policies of any site you visit.

13

Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you by email (to the address on your account) and update the "Last updated" date at the top of this document. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14

Contact Us

If you have questions, requests, or complaints about this privacy policy or our data practices:

AB Collection LLC — Attn: Privacy — 15442 Ventura Blvd. Ste 201-2072, Sherman Oaks, California 91403, United States of America

Email: info@solvias.io

We aim to respond to all privacy requests within 30 days.

Need a signed copy or a DPA?
Email info@solvias.io and we'll turn it around within 2 business days.
Contact legal