Privacy Policy

1. Who we are

Vorena is operated by Saga Information Technology Private Limited ("Saga," "we," "us," or "our"), a company incorporated in India under the Companies Act, 2013 (CIN U72100DC2026PTC471783), with its registered office at C-2/180, Upper Ground Floor, Janakpuri A-3, West Delhi, New Delhi, Delhi 110058, India. We operate from New Delhi and serve merchants and their customers worldwide.

Vorena is an AI shopping concierge that merchants install on their Shopify stores (the "Service"). This policy also covers our website at vorena.ai.

Our role under data-protection law depends on whose personal data is involved:

• Website visitors and merchant accounts. For the personal data of people who visit our website and of the merchants who create accounts with us, Saga is the Data Fiduciary (controller). We decide why and how that data is processed.
• A merchant's shoppers. When the concierge processes the personal data of a merchant's shoppers on the merchant's store, the merchant is the Data Fiduciary (controller) and Saga acts as a Data Processor, processing that data only on the merchant's documented instructions. The merchant's own privacy policy governs how it uses that data.

2. Scope of this policy

This policy applies to (a) the vorena.ai website and our marketing, sales, and support interactions, and (b) the Service we provide to merchants. It explains what personal data we handle, why, the legal grounds we rely on, who we share it with, how long we keep it, and the rights you have. Where we act as a Data Processor for a merchant, the relevant merchant's privacy notice and our agreement with that merchant also apply.

3. Key definitions

• Data Principal / data subject. The individual to whom personal data relates.
• Data Fiduciary / controller. The person who determines the purpose and means of processing personal data.
• Data Processor. A person who processes personal data on behalf of, and on the instructions of, a Data Fiduciary or controller.
• Personal Data. Any data about an individual who is identifiable by or in relation to such data.
• Sensitive Personal Data. Special categories of data such as financial information, health data, or other categories given heightened protection under applicable law, including the SPDI Rules and the GDPR.
• Sub-processor. A third party engaged by a Data Processor to help deliver the Service, who may process personal data under contract.

4. Personal data we collect

From website visitors. When you use vorena.ai we may collect the information you submit through our contact form (such as your name, email, and message), newsletter sign-up details (your email), and information collected automatically through cookies and analytics (such as pages viewed and general device and usage data).

From merchants (account data). When you install Vorena and create an account, we receive identity details, your email, the plan you select, and billing information through Shopify. We do not store full payment-card numbers; billing is handled by Shopify.

Through the Service. To run the concierge on a merchant's store, we process catalog and store data, order data, shopper conversation data (the messages exchanged with the concierge), images shoppers upload for visual search, and usage, technical, and log data generated when the Service runs.

Sensitive data. We do not intentionally collect sensitive or special-category personal data, and we ask that shoppers and merchants do not submit such data through the Service.

5. How we use personal data

• To run the conversational concierge and answer shopper queries.
• To enrich a merchant's catalog, including using vision models to understand product images.
• To generate recommendations and add-to-cart suggestions inside the conversation.
• To provide analytics and revenue attribution for merchants.
• To secure, operate, maintain, and improve the Service.
• To create and manage accounts, billing, and support.
• To send communications where you have consented or where permitted by law.

6. Lawful bases and grounds

Under the DPDP Act. We process personal data on the basis of consent or for the legitimate uses permitted by the Act. Where consent is the basis, you may withdraw it at any time, as described below.

Under the GDPR. Where it applies, we rely on one or more of the following lawful bases: performance of a contract, legitimate interests, consent, and compliance with a legal obligation.

Shopper data. Where Saga acts as a Data Processor, the merchant is responsible for establishing the lawful basis for processing its shoppers' personal data and for providing any required notices and choices to those shoppers.

7. Cookies and analytics

Our website uses cookies and similar technologies, including Google Analytics, to understand how the site is used and to improve it. You can control cookies through your browser settings and, where shown, through on-site consent controls. Disabling some cookies may affect how parts of the website function.

8. How we share data

We do not sell personal data. We share personal data only as needed to run the Service and our business:

• Sub-processors. We use cloud hosting and infrastructure from Vercel; large language model and vision AI providers under enterprise terms that prohibit training foundation models on customer data; Google Analytics for website analytics; and Shopify for installation, catalog access, and billing. We bind sub-processors by contract and maintain a current sub-processor list, available on request.
• Legal and regulatory disclosures. We may disclose data where required by law, regulation, legal process, or enforceable governmental request, or to protect rights, safety, and the integrity of the Service.
• Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction, subject to this policy.

9. International data transfers

We operate globally. Personal data may be processed in India and in other regions, including the United States and the European Union, by us and our sub-processors. Where we transfer personal data across borders, we use appropriate safeguards, such as the Standard Contractual Clauses and equivalent measures, to protect it. A Data Processing Addendum (DPA) is available to merchants on request.

10. Data retention

We keep personal data only as long as needed for the purposes described in this policy:

• Catalog data is deleted or anonymised within 30 days of uninstall.
• Conversation data is retained for up to 12 months.
• Images uploaded for visual search are kept no longer than 30 days.
• Log data is retained for up to 90 days.
• We retain data longer only where required to do so by law or for the establishment, exercise, or defence of legal claims.

11. Security

We implement administrative, technical, and physical measures designed to protect personal data, including encryption in transit, access controls on a least-privilege basis, and monitoring. These measures are aligned with recognised standards and constitute reasonable security practices and procedures as required by the SPDI Rules. For more detail, see our Data & security page.

12. Your rights as a Data Principal / data subject

Under the DPDP Act, you have the right to access your personal data; to correction, completion, and updating; to erasure; to grievance redressal; and to nominate another individual to exercise your rights in the event of death or incapacity. Where processing is based on consent, you may withdraw that consent at any time.

Under the GDPR, where it applies, you have the rights of access, rectification, erasure, restriction, objection, and data portability, and the right to lodge a complaint with a supervisory authority.

Under the CCPA/CPRA, California consumers have the rights to know, access, correct, and delete personal information, and to limit certain uses. Saga does not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA.

How to exercise your rights. If you are a shopper on a merchant's store, please contact that merchant, who is the Data Fiduciary for your data; we will assist the merchant as its processor. For data that Saga controls, contact us at hello@vorena.ai. We will not discriminate against you for exercising your rights.

13. Children's data

The Service is not directed to children. We do not knowingly process the personal data of children — in India, individuals under 18 — without the verifiable consent of a parent or lawful guardian, as required by applicable law, including the DPDP Act and the rules made under it. If you believe a child's data has been provided to us without such consent, contact us at hello@vorena.ai and we will take appropriate steps.

14. Grievance redressal

If you have a concern or complaint about how your personal data is handled, you may contact the Grievance Officer of Saga Information Technology Private Limited at hello@vorena.ai. We will acknowledge and respond to grievances within the timelines required by applicable law. If you are a Data Principal in India and remain dissatisfied, you have the right to make a complaint to the Data Protection Board of India.

15. Changes to this policy

We may update this policy from time to time. When changes are material, we will update the date shown above and, where appropriate, provide additional notice. Your continued use of the website or the Service after an update means you accept the revised policy.

16. Governing law and jurisdiction

This policy and any dispute relating to it are governed by the laws of India. The courts at New Delhi, India have exclusive jurisdiction, subject to any mandatory local consumer-protection rights you have where you live. Disputes will be resolved by arbitration under the Arbitration and Conciliation Act, 1996, before a sole arbitrator, with the seat and venue at New Delhi and proceedings conducted in English.

17. Contact

Saga Information Technology Private Limited, registered office at C-2/180, Upper Ground Floor, Janakpuri A-3, West Delhi, New Delhi, Delhi 110058, India. You can reach us, including the Grievance Officer, at hello@vorena.ai.

This document is provided for general information and does not constitute legal advice. If you have questions, please write to us at hello@vorena.ai.