Legal
Last updated: June 2026
This Privacy Policy ("Policy") describes how Dude Lemon, LLC, located in Wyoming, United States ("Company," "we," "us," and "our"), collects, uses, shares, and protects personal data in connection with ConvertPilot (the "Service"), including its web dashboard and its iOS and Android mobile apps.
ConvertPilot is a business-to-business customer-support tool. The people who sign in to ConvertPilot are business owners and their team members ("Merchants") who use it to manage conversations with their own customers. ConvertPilot is installed by a business, typically through the Wix App Market, and account registration takes place there, not inside the mobile app. The app sells nothing and contains no in-app purchases.
If you have questions about this Policy, contact us at https://dudelemon.com/contact.
The mobile app is a companion client for existing ConvertPilot business accounts. It lets a signed-in team member read and reply to their customer conversations on the go. Specifically:
When your business registers and when you sign in, we collect your work email address, and optionally your name and profile photo.
As you use the inbox, we process the messages exchanged between your business and your customers, the contact details a customer chooses to share (name, email, phone), AI-derived signals such as intent and sentiment, and conversation metadata (timestamps, channel, page or referral source, and a short conversational memory kept so the assistant can maintain context).
To send you push notifications about new messages, we collect a push-notification token for your device. You can turn notifications off at any time.
We collect limited, non-identifying crash and error reports to keep the Service stable.
We do not sell your personal data or your customers' personal data, we do not use any of it for advertising, and we do not use it to train AI models for other customers. We never disclose your customers' data to any third party for that party's own purposes. The only time customer data, order data, or other personal information leaves our systems for an outside platform is when you, the Merchant, choose to connect and enable one of our optional Integrations, and then only the specific data that integration needs. See Data sharing.
ConvertPilot uses artificial intelligence only to help a Merchant run customer support inside ConvertPilot. We are deliberately narrow about what the AI does, what data it sees, and where that processing happens.
The AI is used solely for these support functions:
All AI processing, including orchestration, intent and sentiment signals, conversation memory, routing, spam detection, and generating a suggested reply, happens on our own servers (hosted on Amazon Web Services in the United States) under strict access controls and security protocols. We do not send your conversations, your customers' personal data, your order data, or any personal information to any outside party for AI processing. We process only the minimum content needed to produce the result, and never your billing details or credentials.
When a customer asks about their own order or a product, the assistant may use that order's or product's details for the duration of that single conversation, only to answer the customer in that conversation. This is processed on our own servers, only for that purpose. It is not used to train any model, is not used for advertising, and is not shared with any other business. We do not build or keep a separate copy of a store's order or customer database for AI purposes.
ConvertPilot runs on Wix stores, Shopify stores, and custom or standalone websites. On whichever platform a Merchant uses, ConvertPilot accesses only a limited set of store data, strictly to operate the features the Merchant turned on. We follow the same principles across every platform: data minimization, purpose limitation, and strong safeguards. On Shopify specifically, this also meets Shopify's Protected Customer Data requirements.
On Shopify, this maps to the read_products, read_orders, and write_customers scopes. On Wix and on custom sites, the equivalent access is granted by the Merchant at install or connection. In every case the access is the minimum needed for these features.
Where the GDPR applies, we process personal data under these legal bases: consent; legitimate interest (operating and improving the Service); contractual necessity (providing the Service you signed in for); and legal obligation. You may withdraw consent at any time by contacting us; withdrawal does not affect processing performed before withdrawal.
We do not sell your personal data or your customers' personal data, and we never disclose your customers' data to any third party for that party's own purposes. We share information only in these limited ways: with the infrastructure providers listed below, who act only on our behalf, under contract, and use the data only to operate the Service as we specify; with an outside platform you choose to connect through one of our optional Integrations, and then only the specific data that integration requires; where required by law, regulation, legal process, or a governmental request; in connection with a merger, acquisition, or sale of assets (with notice); and with your consent.
By default, your customers' data and order data stay within our own systems. No outside platform receives them unless you, the Merchant, deliberately connect and enable an Integration that needs them. We never turn an Integration on for you, and we never share data with another business that uses ConvertPilot.
To operate ConvertPilot we rely on the providers below. Each receives only the data needed for its function, governed by its own terms and privacy policy:
All channel and marketing integrations are off by default and are activated only when you choose to connect and enable them yourself. We do not share data with these providers beyond what each integration requires to function, and we never enable an integration on your behalf.
When you sign in to ConvertPilot or contact us directly, Dude Lemon is the data controller for your account data. When a Merchant uses ConvertPilot to handle its own customers' data, the Merchant is the controller of that customer data and Dude Lemon acts as a processor (a "service provider" under U.S. privacy law) on the Merchant's behalf and under its instructions. Merchants are responsible for providing their own privacy notice to their customers. If your data was collected through a Merchant's use of ConvertPilot and you wish to exercise privacy rights, please contact that Merchant; you may also contact us and we will route your request appropriately.
Your information may be transferred to and processed in countries other than your own, including the United States. When we transfer personal data from the EEA, United Kingdom, or Switzerland to countries not deemed adequate, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.
We implement appropriate technical and organizational measures to protect your data, including encryption of data in transit using TLS, access controls limiting access to authorized personnel, regular monitoring, and secure coding practices. No method of transmission or storage is completely secure, but we maintain industry-standard protections.
In the event of a personal data breach likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours of becoming aware, notify affected individuals without undue delay where the risk is high, document the breach and our response, and take immediate steps to contain and remediate it.
We retain your data only for as long as your account is active or as needed to provide the Service, then delete or anonymize it, except a limited set of billing records we are required to keep by tax and accounting law, and data in encrypted backups that ages out on a rolling 30-day schedule.
You can delete your account and personal data at any time:
Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or port your personal data, to object to certain processing, and to withdraw consent. To exercise any of these, use our data request form or contact us. We respond within 30 days and may ask you to verify your identity first.
California residents have the right to know the categories and specific pieces of personal information we collect, its sources, the purposes, and the categories of third parties we share it with; to delete personal information; to correct inaccurate information; to opt out of sale or sharing (we do not sell or share personal information for cross-context behavioral advertising); and to non-discrimination for exercising these rights. To submit a request, use our data request form. We verify identity and respond within 45 days.
Nevada residents may opt out of the sale of certain covered information. We do not sell covered information, but you may submit an opt-out request through our data request form and we will respond within 60 days.
ConvertPilot is a business tool and is not directed to individuals under 16. We do not knowingly collect personal data from children under 16. If we learn we have done so without parental consent, we will delete it promptly.
We do not track you across other companies' apps or websites, we do not use your data for advertising, and we do not use Apple's App Tracking Transparency tracking. ConvertPilot contains no advertising and no third-party advertising or analytics SDKs in the mobile app.
For transparency, in App Store and Google Play terms, the data the app handles is used to provide the Service and is not used for tracking or advertising:
None of this data is sold, and none is used to track you across other companies' apps or websites.
We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date above. Your continued use of the Service after changes constitutes acceptance of the updated Policy.
Questions, concerns, or requests regarding this Policy or your data: