Data & Security

Our commitment

Vorena is an AI shopping concierge that merchants install on their Shopify stores (the "Service"), together with the website at vorena.ai. The Service is operated by Saga Information Technology Private Limited ("Saga," "we," "us," or "our"), a company incorporated in India under the Companies Act, 2013 (CIN U72100DC2026PTC471783), with its registered office at C-2/180, Upper Ground Floor, Janakpuri A-3, West Delhi, New Delhi, Delhi 110058, India. We operate from New Delhi, India, and serve merchants and their customers worldwide.

Protecting the data entrusted to us is fundamental to how we build and run Vorena. This page explains, in practical terms, the technical and organisational measures we apply. Our roles differ by data type. For website visitor personal data and merchant account data, Saga is the Data Fiduciary / Controller. For a merchant's shoppers' personal data processed through the concierge on the merchant's store, the merchant is the Data Fiduciary / Controller and Saga acts as a Data Processor, processing that data only on the merchant's documented instructions.

Hosting and encryption

Vorena runs on Vercel's cloud infrastructure, which operates from secure, professionally managed data centres. All data is encrypted in transit using TLS, and data at rest is encrypted with strong, industry-standard algorithms. Secrets, API keys, and access tokens are held in managed secret stores and are never kept in plain text in our codebase or configuration.

Access controls

Access to production systems and personal data is granted on a least-privilege, need-to-know basis. We enforce multi-factor authentication on administrative accounts, log access to production environments, review entitlements periodically, and revoke access promptly when it is no longer required — for example when a team member changes role or leaves.

Data segregation and AI use

Each merchant's catalogue, conversations, and analytics are logically isolated so that one merchant's data is not exposed to another. We use large language model and vision AI providers under enterprise terms that prohibit those providers from training their foundation models on customer data.

• Per-merchant isolation. Data is partitioned and accessed per store, keeping each merchant's information separate.
• No training on your data. Foundation models are not trained on your catalogue, your shoppers' conversations, or any personal data we process for you.
• Never sold. Saga never sells personal data.

Data minimisation

We request only the minimum Shopify scopes needed to run the concierge — typically catalogue, order, and theme access — and we collect only the data required to provide and improve the Service. We do not seek sensitive personal data, and we ask that merchants and shoppers do not submit such data through the assistant.

Sub-processors

We engage a small set of carefully chosen service providers (sub-processors) to operate Vorena. Each is bound by contract to protect personal data, to process it only on our instructions, and to apply appropriate security measures. Our current sub-processors include:

• Vercel — cloud hosting and infrastructure.
• Large language model and vision AI providers — under enterprise terms that prohibit training foundation models on customer data.
• Google Analytics — website and product analytics.
• Shopify — installation, catalogue access, and billing.

Saga never sells personal data, binds all sub-processors by contract, and maintains a current list of sub-processors that is available to merchants on request.

Data location and international transfers

Saga and our sub-processors may process data in India and in other regions, including the United States and the European Union. Where personal data is transferred across borders, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent mechanisms, together with the contractual and technical protections described on this page.

Retention and deletion on uninstall

We retain data only as long as needed for the purposes for which it was collected:

• Catalogue and store data — kept in sync while the app is installed, and deleted or anonymised within 30 days of uninstall.
• Conversation data — retained for up to 12 months to support analytics and quality, then deleted or anonymised.
• Uploaded images — processed for the request and retained no longer than 30 days.
• Logs and diagnostics — typically retained for up to 90 days.

We honour Shopify's mandatory data-erasure requests and support Data Principals' erasure rights under the Digital Personal Data Protection Act, 2023. We may retain limited records longer where required for legal, accounting, or security purposes.

Incident response and breach notification

We maintain a documented incident-response process to detect, contain, investigate, and remediate security incidents. In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals as required by the Digital Personal Data Protection Act, 2023. Where we process data as a processor on a merchant's behalf, we will promptly inform the affected merchant controllers so that they can meet their own obligations under the GDPR and other applicable laws.

Compliance posture

Our security programme implements reasonable security practices and procedures as required by the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

• Aligned with recognised standards. Our practices are aligned with the principles of ISO/IEC 27001. This is a description of our approach and is not a claim that Saga holds an ISO 27001 or any other certification.
• Built for global privacy law. The Service is built to support the Digital Personal Data Protection Act, 2023, the EU/UK GDPR, and the CCPA/CPRA.
• Shopify requirements. We adhere to Shopify's protected customer data requirements.
• Data Processing Addendum. A Data Processing Addendum (DPA) is available to merchants on request.

Your responsibilities

Security is a shared responsibility. To help keep data safe, you should:

• Secure your credentials. Keep your Shopify and account credentials confidential, use strong, unique passwords, and enable multi-factor authentication where available.
• Use the Service lawfully. Only process data you are permitted to process, and do not submit sensitive personal data through the assistant.
• Maintain your own notices and consents. As the controller of your shoppers' personal data, maintain your own privacy notice and obtain any consents required for the concierge to operate on your store.

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, please report it to us at hello@vorena.ai. We support good-faith security research and will not pursue or support legal action against researchers who act in good faith, avoid privacy violations and service disruption, and do not access or modify data beyond what is necessary to demonstrate the issue. Please give us a reasonable period to investigate and remediate before any public disclosure.

Contact and grievances

For questions about this page or our security practices, or to raise a grievance, contact us at hello@vorena.ai. Grievances may be addressed to the Grievance Officer of Saga Information Technology Private Limited at the same address. For more on how we handle personal data and the rights available to you, see our Privacy policy.

This document is provided for general information only and does not constitute legal advice. If you have any questions, please contact Saga Information Technology Private Limited at hello@vorena.ai.