Privacy Policy for ReturnGuard

Effective Date: March 10, 2026

ReturnGuard ("we", "our", or "us") provides a risk analysis and decision-support application for Shopify merchants. This Privacy Policy explains how personal data is collected, used, and stored when a merchant installs and uses the ReturnGuard app.

1. What Information Do We Collect Through Shopify's APIs?

When you install ReturnGuard, we are granted restricted, read-only access to specific store data solely to perform our risk analysis:

  • Order Data: Order ID, total amount, financial status (paid, refunded, chargeback), fulfillment status, and creation date. We do not collect specific product contents (e.g., shirt, shoes).
  • Customer Data: Shopify customer ID, first name, and last name. We strictly DO NOT collect customer email addresses, phone numbers, or physical delivery addresses.
  • Shop Data: Your store's domain, API authorization tokens, and the merchant's contact email address.

2. What Information Do We Collect Directly From Merchants or Customers?

  • From Merchants: We collect your contact email address to send automated risk alerts regarding your orders.
  • From Customers (End-Users): We do not collect any data directly from your customers. We do not drop cookies on your storefront, nor do we track customer navigation or browser behavior.

3. How Do We Use the Information?

The data collected is used strictly to provide the ReturnGuard service:

  1. To run our Risk Engine algorithm, calculating a 0-100 risk score based on historical return/chargeback patterns.
  2. To apply a physical Tag to the order in your Shopify admin panel (e.g., "High Return Risk").
  3. To send an automated alert email to the merchant if an order is deemed high-risk.

4. Data Retention and Storage

We practice strict Data Minimization:

  • Ephemeral Processing: To calculate risk, we temporarily read historical order statuses (e.g., past 100 orders). This calculation happens in server RAM and is deleted within seconds. Historical contents are never copied to our database.
  • Persistent Storage: We only store the final analysis log (Order ID, total cart amount, customer name, and Risk Score) and the Merchant's "Whitelist" preferences.
  • Automatic Deletion: Once an order is marked as "Fulfilled" or "Cancelled" in Shopify, the corresponding log in our database is automatically deleted.

5. Third-Party Service Providers

We do not sell or rent your data. We use secure third-party processors to operate our infrastructure:

  • Supabase: For encrypted cloud database storage.
  • Railway: For secure cloud hosting and code execution.
  • Resend: To deliver automated risk alert emails to the merchant.
  • Shopify Billing API: We do not touch or store credit card data. All subscription payments are handled securely by Shopify.

6. International Data Transfers

ReturnGuard is operated from Turkey. Data processed by our app is securely transmitted and stored using international cloud providers (Railway, Supabase) that comply with global security standards, ensuring adequate protections equivalent to those required by the GDPR and CCPA.

7. Data Rights of Individuals (GDPR & CCPA)

We fully comply with Shopify’s Mandatory Webhooks for data privacy.

  • Customers Redact: If a customer requests the deletion of their data from your store, Shopify notifies us, and we automatically purge their logs from our system.
  • Shop Redact: If you uninstall ReturnGuard, all your store's data and logs are permanently deleted from our servers within 48 hours.

8. Contact Us

If you have any questions about this Privacy Policy or your data, please contact us at: