Zubby AI
  • Pricing
Sign inStart free trial
Home/Trust/CCPA
CCPA & US privacy

CCPA & US State Privacy Compliance

California, Colorado, Connecticut, Utah, and Virginia have similar but not identical state privacy regimes. This page walks through how Zubby AI handles each — as a Service Provider on behalf of merchant Businesses — and the controls that satisfy the strictest applicable standard.

Published 2026-05-19

What CCPA compliance means for an AI sales agent

Overview

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, applies whenever a business processes the personal information of California residents and meets one of the threshold tests (annual revenue, volume of consumer data, or revenue derived from selling consumer data). For an AI sales agent that handles shopper conversations, product recommendations, and recovery emails for California residents, the merchant is the Business and Zubby AI is the Service Provider.

Compliance under the CCPA hinges on three things: clear Service Provider contractual terms (we have them), honest data handling that matches those terms (we have it), and a consumer-rights pipeline that actually fires when a shopper exercises a right (we have one — same plumbing as the GDPR erasure endpoint). Everything else on this page is the detail.

Roles under CCPA and CPRA

CCPACPRA

Under §1798.140(d), the merchant is the Business. Under §1798.140(ag), Zubby AI is the Service Provider. We process personal information only for the limited business purposes set out in the Subscription Agreement and the Data Processing Agreement.

We do not sell personal information under the CCPA's sale definition and we do not share personal information for cross-context behavioural advertising under the CPRA's share definition. The contractual terms required by §1798.140(ag) are included in our DPA, including:

  • Prohibition on retaining, using, or disclosing personal information outside the contracted business purpose.
  • Prohibition on combining personal information received from the Business with information from other sources, except for purposes permitted by §1798.140(ag).
  • Obligation to delete personal information at the end of the relationship.
  • Cooperation with the Business in responding to verifiable consumer requests.
  • Notice to the Business if Zubby can no longer meet its obligations.

What data we process under the CCPA

Categories

Categories of personal information we process for a California shopper:

  • Identifiers. Email, IP, device ID, shopper account ID.
  • Commercial information. Cart contents, order history, product browse events.
  • Internet activity. Conversation transcripts with the AI agent, on-store browse events when the widget is loaded.
  • Inferences.Predicted size, LTV bucket, VIP tier, churn risk score — derived for the merchant's use only.

We do not process Sensitive Personal Information under §1798.140(ae). SPI categories (precise geolocation, race, religion, sexual orientation, biometric identifiers, health information, government identifiers) are blocked at the data ingest layer for catalog and knowledge uploads and are not inferred from conversation data.

Where data lives

Residency

Default deployment is US-East. Enterprise customers can opt into US-West or EU residency at signup. CCPA does not impose a residency obligation, but where a merchant's shoppers are predominantly outside the US we make it easy to keep data closer to them. The data layer that respects the choice — Postgres + pgvector, Redis, object storage, AI provider routes — is documented in the DPA.

Encryption and security controls

Reasonable security

CCPA §1798.150 imposes statutory damages for breaches resulting from "failure to implement and maintain reasonable security procedures." The Zubby controls that satisfy that standard, all in production code today:

  • AES-256-GCM encryption at rest with AAD-bound ciphertexts — attacker with database write access cannot transplant ciphertext across rows or tenants.
  • TLS 1.3 in transit at every public endpoint. HSTS preload on marketing and app domains.
  • scrypt password hashing with 16-byte random salt and 64-byte derived key; verification via crypto.timingSafeEqual.
  • HMAC-SHA256 webhook verification for Shopify, Stripe, and WooCommerce, with idempotent handlers keyed by provider event ID to defeat replay.
  • NextAuth v5 JWT sessions with hard-invalidation on credential change.
  • Per-tenant store_id isolation on every row of every table.
  • Constant-time comparisons (crypto.timingSafeEqual) on every credential or API key check.
  • SSRF protection via assertSafeOutboundUrl on every outbound HTTP call from a user-controlled URL.
  • Magic-byte sniffing on every image upload — client-declared MIME type is not trusted.
  • Public API key auth with per-scope permissions and per-scope rate limits.

Retention and deletion

§1798.100(a)(3)
  • Conversations: 12 months default, shortenable per store.
  • Audit logs: 24 months.
  • Backups: 35 days rolling, encrypted, off-region.
  • End of contract: all personal information returned or deleted within 30 days, with written certification.

Retention notices are surfaced in the merchant's consumer-facing privacy policy via the Zubby privacy generator. We retain personal information for only as long as reasonably necessary for the business purpose, with documented disposal at the end.

Consumer rights we support

§1798.100§1798.105§1798.106§1798.121

The full slate of California consumer rights, all wired into the merchant dashboard:

  • Right to know. Disclosure of categories and specific pieces of personal information collected, sources, business purposes, and recipients.
  • Right to delete. One-click delete propagates across linked systems via /api/v1/merchant/gdpr/delete — same fanout as GDPR erasure: conversations, embeddings, journey state, customer record, AI tool-call logs, CDN-cached avatars.
  • Right to correct. Merchants edit shopper records inline; changes propagate to downstream caches.
  • Right to opt out of sale and share.No sale or share occurs; toggling the merchant's Do Not Sell My Personal Information control or detecting a Global Privacy Control signal triggers an end-to-end opt-out flag respected by every connector and channel adapter.
  • Right to limit use of Sensitive Personal Information. We do not use SPI for any purpose beyond service delivery; the right is satisfied by default.
  • Right to non-discrimination.Exercising rights does not degrade the AI agent's service quality, response time, or recommendations.

Consumer rights requests are resolved against a 48-hour internal SLA, well inside the 45-day statutory window (extendable to 90 days for complex requests). A verifiable request flow is documented in the dashboard so merchants can satisfy the verification requirement under §1798.130(a)(7).

Other US state regimes

CPACTDPAUCPAVCDPA

Zubby's controls align with the substantive requirements of:

  • Colorado Privacy Act (CPA). Opt-out of targeted advertising, sale, and profiling. Universal Opt-Out Mechanism (UOOM) honoured.
  • Connecticut Data Privacy Act (CTDPA). Similar opt-out scope plus universal opt-out signals.
  • Utah Consumer Privacy Act (UCPA). Limited subset; we exceed the floor where it does not conflict.
  • Virginia Consumer Data Protection Act (VCDPA). Right to access, correct, delete, port; right to opt out of sale, targeted advertising, and certain profiling.

Where state law differs, we apply the strictest applicable standard by default — merchants can override per workspace. We will extend support to Texas, Oregon, and other emerging regimes as they take effect.

Universal opt-out signal handling

GPC

Zubby honours universal opt-out signals end-to-end. Specifically, the Sec-GPC HTTP header set by Global Privacy Control-aware browsers (Brave, Firefox, DuckDuckGo) is detected on the widget's first request. When detected, the shopper is treated as having opted out of sale and share, and an opt-out flag is persisted on the shopper record so the choice survives the session and any linked-identity stitching.

The opt-out flag is respected by every connector and channel adapter: GA4, Meta CAPI, TikTok pixel, Klaviyo, Mailchimp, Segment, and the in-store widget itself. Merchants can override the default for state-by-state edge cases from the dashboard.

Contact for consumer rights and Service Provider questions

Contact

For consumer rights questions, Service Provider compliance enquiries, or to verify a request, email privacy@zubbyai.com. For security vulnerability reports, use security@zubbyai.com. For counter-signed DPA addendums covering specific state regimes, use legal@zubbyai.com.

Related

  • Data Processing Agreement
  • GDPR compliance
  • Sub-processor list
  • Responsible AI
  • Security disclosure
  • Privacy policy
Multi-state

Selling into all 50 states?

Our compliance lead will walk you through the Zubby defaults that satisfy the strictest US state regime. Universal opt-out signal handling, Service Provider terms in the DPA, and a 48h consumer-rights SLA delivered out of the box.

Talk to complianceBack to Trust Center

Footer

Zubby AI

The AI sales agent for Shopify and WooCommerce. Learns your store, guides shoppers in real time, and recovers the revenue you would have otherwise lost.

System status

Product

  • All Features
  • AI Sales Agent
  • Cart Rescue
  • Widget Designer
  • Multi-Language
  • Pricing
  • Changelog

Solutions

  • Solutions Hub
  • Cart Recovery
  • Product Discovery
  • 24/7 Support
  • Upsell + Cross-sell
  • Conversion Optimization

Industries

  • Fashion & Apparel
  • Beauty & Cosmetics
  • Electronics
  • Jewelry & Accessories
  • Food & Beverage
  • Health & Wellness

Integrations

  • Shopify
  • WooCommerce
  • All integrations
  • vs Rep AI
  • vs Tidio
  • vs Klaviyo
  • vs Gorgias

Resources

  • Documentation
  • Guides
  • ROI Calculator
  • Glossary
  • Answers (AI Q&A)
  • Blog
  • Case Studies

Company

  • About
  • Careers
  • Contact
  • Trust
  • Security
  • Status
  • Privacy
  • Terms

© 2026 Zubby AI, Inc. All rights reserved.

Built for merchants.Made with care.