This Privacy Policy applies to the veltez AI WordPress plugin. It explains what data the plugin collects, how it is used, and your rights as a site owner or end user. If you are a site owner deploying this plugin, you are responsible for disclosing this information to your own users in your site's privacy policy.
Overview
veltez AI is an AI Chatbot & Product Recommendations plugin for WooCommerce. When a visitor uses the chat widget on a WooCommerce store powered by veltez AI, certain data is processed to deliver AI-generated responses, store conversation history, and provide the site owner with analytics and enquiry management.
There are two distinct parties to consider:
- The Plugin Developer (veltez / veltez AI) — develops and distributes the plugin. Does not operate any central servers, does not receive chat data or enquiry data from end users.
- The Site Owner — installs the plugin on their WordPress site. Becomes the data controller for all visitor data processed through the plugin on their site.
The plugin routes visitor messages to third-party AI providers (OpenAI, Anthropic, Google). Site owners must disclose this to their visitors and ensure compliance with applicable privacy laws (GDPR, CCPA, etc.).
Who We Are
The plugin is a self-hosted WordPress plugin. All data it collects is stored within the site owner's own WordPress database. The Developer does not host, access, or process visitor data from sites running the plugin.
Data We Collect
The following data is collected and stored locally within the site owner's WordPress database when the plugin is active.
Chat Logs ({prefix}aiwoo_chat_logs)
| Field | Purpose | Source |
|---|---|---|
| Session ID | Groups messages into a conversation thread | Generated server-side per browser session |
| IP Address | Rate limiting, security, IP blocklist enforcement | $_SERVER['REMOTE_ADDR'] |
| Customer name | Personalised responses (if provided by visitor) | Visitor input |
| User messages | AI prompt construction and analytics | Visitor input via chat widget |
| AI responses | Chat history display and Top Requests analytics | AI provider response |
| Timestamp | Chronological ordering, retention management | Server time at message receipt |
Enquiry Submissions (aiwoo_enquiry post type)
When no matching products are found, the widget displays an enquiry form. The following fields are stored as a WordPress custom post:
- Name — visitor's full name
- Email address — for the site owner to follow up
- Phone number — optional contact detail
- Message — the visitor's enquiry text
Quick Reply Rules ({prefix}aiwoo_quick_replies)
Keyword-to-response rules configured by the site owner. This table does not contain visitor data — it is admin-configured content only.
AI Error Logs ({prefix}aiwoo_ai_error_logs)
| Field | Purpose |
|---|---|
| Error type | Classify failure (No Response, MCP Fallback, Legacy Fallback) |
| AI provider | Identify which provider failed |
| Error message / context | Diagnose the failure |
| IP address | Associate error with the request origin |
| Timestamp | Chronological debugging |
IP Blocklist & Plugin Settings (WordPress options)
- Blocked IPs — stored in aiwoo_blocked_ips (max 500 entries). Supports IPv4, IPv6, and CIDR ranges.
- Plugin settings — API provider selection, widget appearance, AI configuration. API keys are stored server-side only and are never exposed in the browser or frontend output.
The plugin does not collect payment information, passwords, or any data outside of what is listed above.
How We Use Data
| Data | Used For |
|---|---|
| Chat messages + session context | Constructing AI prompts; generating product recommendations; displaying conversation history in the admin Chat History page |
| IP address | Rate limiting (15 requests per 60 seconds), bot detection, IP blocklist enforcement |
| Customer name | Personalising AI responses when the visitor has identified themselves |
| Enquiry form data | Allowing the site owner to follow up with interested visitors via the Enquiries admin page |
| AI error logs | Debugging provider failures; visible only to site admins |
| Top Requests analytics | Aggregating frequent queries so site owners can optimise Quick Reply rules |
No data collected by the plugin is used for advertising, profiling, or sold to third parties by the Developer.
Third-Party Sharing
To generate AI responses, the plugin transmits data to the AI provider configured by the site owner. The following data is sent with each chat request:
- The visitor's current message
- Conversation history (up to the last 4 turns)
- Relevant WooCommerce product data (name, description, price, URL) matching the query
- A system prompt constructed by the plugin (does not include personal data)
API keys are never sent to the browser. All API calls are made server-to-server.
Supported AI Providers
- OpenAI
  Endpoint: https://api.openai.com
  Privacy Policy | Terms of Use | Usage Policies
- Anthropic (Claude)
  Endpoint: https://api.anthropic.com
  Privacy Policy | Consumer Terms | Acceptable Use Policy
- Google (Gemini)
  Endpoint: https://generativelanguage.googleapis.com
  Privacy Policy | Gemini API Terms
Data sent to AI providers is subject to those providers' own privacy policies and data retention practices. veltez AI and its Developer do not control how these third parties store or use transmitted data. Site owners are responsible for reviewing and disclosing these third-party data flows to their visitors.
Browser & Session Storage
The chat widget stores the following data in the visitor's browser using sessionStorage — not cookies:
| Item | Purpose | Cleared |
|---|---|---|
| Chat message history | Maintains conversation continuity within the current tab | When the browser tab or window is closed |
| Browsing context (personalisation) | Recently viewed product categories, used to improve recommendations — only when personalisation is enabled by the site owner | When the browser tab or window is closed |
sessionStorage data is scoped to a single browser tab and is never sent to the Developer. It is cleared automatically when the tab is closed. No persistent cookies are set by the plugin.
Because the plugin uses sessionStorage rather than cookies, it does not trigger cookie consent requirements under ePrivacy regulations for this specific data. However, site owners should still disclose AI data routing in their privacy notice.
Data Retention
All data stored by the plugin resides within the site owner's WordPress database. The Developer does not hold copies of this data.
| Data Type | Retention | How to Remove |
|---|---|---|
| Chat logs | Indefinite (site owner-managed) | Delete via veltez AI → Chat History admin page or direct DB query |
| Enquiry submissions | Indefinite (site owner-managed) | Delete via veltez AI → Enquiries admin page |
| AI error logs | Indefinite (site owner-managed) | Delete via veltez AI → AI Error Log admin page or direct DB query |
| IP blocklist & settings | Until plugin is uninstalled | Automatically removed on plugin uninstall via uninstall.php |
| Quick reply rules | Until deleted by admin or plugin uninstall | Manage via veltez AI → Quick Replies |
On plugin uninstall, uninstall.php removes all plugin database tables and WordPress options automatically.
Security
The plugin implements multiple layers of security to protect data in transit and at rest:
- Nonce verification — every AJAX request is validated with a WordPress nonce to prevent CSRF attacks.
- Input sanitization — all user-supplied input is sanitized before processing or storage using WordPress core functions.
- Rate limiting — each IP is limited to 15 chat requests per 60 seconds. Exceeding this triggers a 429 Too Many Requests response.
- Bot detection — 17 known bot User-Agent signatures are blocked server-side.
- IP blocklist — supports IPv4, IPv6, and CIDR range blocking, enforced entirely server-side using $_SERVER['REMOTE_ADDR'] (X-Forwarded-For is never trusted).
- API key protection — API keys are stored in the WordPress options table and are never output to the browser or frontend HTML.
- Honeypot anti-spam — the enquiry form includes a hidden honeypot field to block automated submissions.
- Server-to-server API calls — all communication with AI providers happens server-side; visitor browsers never communicate directly with AI APIs.
Site owners should ensure their WordPress installation uses HTTPS and keeps WordPress, WooCommerce, and all plugins up to date to maintain a secure environment for this plugin to operate in.
Your Rights
Depending on your location, you may have rights over the personal data processed through this plugin. These rights are typically exercised against the site owner (the data controller), not the Plugin Developer.
GDPR (European Union & UK)
- Right of access — request a copy of data held about you.
- Right to rectification — request correction of inaccurate data.
- Right to erasure ("right to be forgotten") — request deletion of your personal data.
- Right to restriction of processing — request that processing be limited.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
CCPA (California, USA)
- Right to know — request disclosure of personal information collected.
- Right to delete — request deletion of personal information.
- Right to opt-out — opt out of the sale of personal information (the plugin does not sell personal data).
- Right to non-discrimination — exercise your rights without receiving discriminatory treatment.
To exercise any of these rights, contact the owner of the website where you used the veltez AI chat widget — they are the data controller. If you are a site owner with questions, contact hello@veltez.com.
Children's Privacy
veltez AI is not directed at children under the age of 13 (or 16 in the EU/UK under GDPR). The plugin does not knowingly collect personal data from children.
Site owners are responsible for ensuring their use of the plugin complies with applicable laws regarding children's online privacy, including COPPA (USA) and GDPR Article 8 (EU/UK).
Site Owner Responsibilities
If you install veltez AI on your WordPress site, you become the data controller for all personal data processed through the plugin on your site. Your responsibilities include:
- Updating your privacy policy to disclose: chat data collection, AI provider data routing, IP address logging, and enquiry form data collection.
- Providing a lawful basis for processing under GDPR (e.g., legitimate interests, consent) for each type of data collected.
- Handling data subject requests (access, deletion, portability) from your visitors.
- Reviewing AI provider policies — including data retention and processing terms of OpenAI, Anthropic, and Google — and disclosing them to visitors where required.
- Implementing appropriate safeguards if transferring personal data outside your jurisdiction (e.g., EU-to-US transfers under GDPR).
- Configuring data retention — the plugin stores chat logs and enquiries indefinitely until manually deleted. Set a retention schedule appropriate for your compliance obligations.
If you are deploying veltez AI on client websites or in production environments, consider consulting legal or compliance professionals to ensure appropriate safeguards and disclosures are in place.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the plugin's functionality, legal requirements, or third-party service policies. The "Last updated" date at the top of this page will be revised accordingly.
We encourage site owners to review this policy periodically. Continued use of the plugin after changes are published constitutes acceptance of the updated policy.
Contact
For privacy-related questions about the veltez AI plugin itself, contact:
For questions about personal data collected on a specific website running this plugin, contact the owner of that website directly — they are the data controller.