Plain-language summary: Chargeback Shield reads your Shopify order, customer, and refund data to calculate fraud risk scores. We never sell your data. We never access payment card numbers. If you uninstall, your data is deleted within 24 hours. If you have any questions, email support@chargebackshielding.com.
1. Who We Are
Chargeback Shield ("we", "us", "our") is a Shopify application that helps e-commerce merchants detect and manage refund abuse and chargeback risk. We operate as a data processor on behalf of Shopify merchants (our customers), who are the data controllers for their stores' data.
This Privacy Policy explains how we collect, use, store, and protect information when you install and use the Chargeback Shield Shopify application and when you visit our marketing website at chargebackshielding.com.
If you are a merchant using our app, this policy applies to your store's data. If you are a customer of a merchant who uses Chargeback Shield, your personal data is processed by us on behalf of that merchant — you should contact the merchant directly to exercise your rights.
2. Data We Collect
2.1 Merchant Account Data
When you install Chargeback Shield, we store:
- Your Shopify store domain (e.g. yourstore.myshopify.com)
- An encrypted OAuth access token that allows the app to read your store data via the Shopify API
- Your app settings and preferences (risk thresholds, tag names, email alert address, etc.)
- Your current subscription plan name
2.2 Order Data
For every order processed through your store (both incoming webhook events and historical backfill scans), we collect and store:
- Shopify order ID and display name (e.g. #1001)
- Order value and currency
- Payment gateway names (e.g. "Stripe", "PayPal") — not card details
- Order tags
- Shopify's own fraud risk assessment for the order
- Fulfilment order IDs (used to place holds on high-risk orders)
- Order processing timestamp
- Shipping and billing address data — specifically the street address, postcode, and country code, used to detect address clustering patterns
2.3 Customer Data
For each customer associated with a scored order, we collect and store:
- Shopify customer ID (a numeric identifier internal to your store)
- Customer email address
- A normalised version of the email domain (e.g. gmail.com)
- Customer account creation date
- Aggregated order and refund statistics: order count, refund count, refund amounts, and order values over configurable time windows
- A calculated risk score and risk level (LOW / MED / HIGH)
We do not collect or store customer names, phone numbers, full addresses, or any payment card information.
2.4 Refund Data
When a refund is issued on your store, we receive and process:
- The associated order ID
- Refund amount and currency
- Refund timestamp
This data is used to re-evaluate a customer's risk score when a refund occurs.
2.5 Risk Evaluation Records
For each order scored, we store a risk evaluation record containing:
- The calculated risk score and level
- The reasons the score was assigned (e.g. "High refund rate", "Disposable email domain")
- Whether the order was automatically held or tagged
- Merchant review notes and decisions (Approved / Fraud / Dismissed)
- Estimated and confirmed savings figures
2.6 Website Visitor Data
When you visit our marketing website (chargebackshielding.com), we do not use any analytics tools, tracking pixels, or advertising cookies. Standard web server logs may temporarily record your IP address and browser user-agent, but these logs are not retained beyond 30 days and are not linked to personal profiles.
3. How We Use Your Data
We use the data described above exclusively to deliver the Chargeback Shield service. Specifically:
- Risk scoring: Analysing order and customer data to calculate a fraud and refund abuse risk score for each order.
- Automation: Automatically tagging orders and customers in Shopify, and placing holds on high-risk fulfilment orders, based on your configured thresholds.
- Merchant dashboard: Displaying risk evaluations, flagged orders, customer profiles, and analytics to you inside the app.
- Email alerts: Sending you an email notification when a HIGH-risk order is detected, if you have enabled this feature and provided an alert email address.
- Historical backfill: Scanning your recent order history on first install so risk profiles are available immediately.
- Cross-shop fraud signals: Identifying customers who have been flagged across multiple independent Chargeback Shield merchants (see Section 4 for full details).
- Billing: Determining which features are available to you based on your active Shopify subscription plan.
- Service improvement: Aggregated, anonymised metrics may be used to improve the accuracy of our risk models. We do not use individual merchant or customer records for this purpose.
We do not use your data for advertising, marketing to your customers, training external AI models, or any purpose unrelated to providing the service.
4. Cross-Shop Fraud Network
Chargeback Shield includes an optional cross-shop fraud signal feature available on Growth plan and above. This feature helps merchants identify customers who have been flagged for fraud-related behaviour across multiple independent stores using Chargeback Shield.
How it works
When a customer is marked as fraud on a merchant's store, Chargeback Shield stores a one-way SHA-256 cryptographic hash of the customer's email address in a shared signals table. This hash cannot be reversed to recover the original email address.
When a new order arrives at any participating store, the customer's email is hashed and compared against the shared table. If a match is found, this is used as one signal in the overall risk calculation.
What is and is not shared
- Shared: A one-way hash of customer email addresses, a fraud report count, and a timestamp. No personally identifiable information is stored in or readable from the shared table.
- Not shared: Order values, refund amounts, merchant identity, customer names, addresses, or any other data about the specific transaction.
Opting out
Merchants on Starter plan do not participate in or receive signals from the cross-shop network. Growth, Scale, Pro, and Enterprise merchants receive cross-shop signals by default when the feature is enabled in settings. You can disable this feature at any time from within the Chargeback Shield settings page.
5. Data Sharing and Third Parties
We do not sell, rent, trade, or share your data with any third party for commercial purposes. We share data only with the following infrastructure providers necessary to operate the service:
| Provider | Purpose | Data shared | Privacy policy |
| --- | --- | --- | --- |
| Shopify | App platform; API access to your store data | OAuth session tokens; API requests | shopify.com/legal/privacy |
| Railway (railway.app) | Application hosting and PostgreSQL database | All app data described in Section 2 | railway.app/legal/privacy |
| Resend (resend.com) | Transactional email delivery for HIGH-risk order alerts | Alert email address, order name, risk score (only if email alerts are enabled) | resend.com/legal/privacy-policy |
All providers listed above are bound by their own privacy policies and data processing agreements. Railway and Resend operate under GDPR-compliant data processing agreements.
We may disclose data if required by law, court order, or to protect the rights and safety of our users or the public.
6. Legal Basis for Processing (GDPR)
For merchants and their customers in the European Economic Area (EEA) or United Kingdom, we process personal data under the following legal bases:
- Contract performance (Article 6(1)(b) GDPR): Processing is necessary to deliver the Chargeback Shield service you subscribed to, including risk scoring, tagging, and fraud detection.
- Legitimate interests (Article 6(1)(f) GDPR): We have a legitimate interest in maintaining the integrity of the fraud detection network and improving service accuracy. We have assessed that this interest is not overridden by your fundamental rights.
- Legal obligation (Article 6(1)(c) GDPR): We process certain data to comply with Shopify's mandatory GDPR webhook requirements for apps on their platform.
We act as a data processor on behalf of merchants (who are the data controllers) when processing end-customer personal data. Merchants are responsible for ensuring they have an appropriate legal basis for using Chargeback Shield to process their customers' data.
7. Data Retention and Deletion
- Active subscriptions: We retain all order, customer, and risk evaluation data for as long as your Chargeback Shield subscription is active.
- On uninstall: When you uninstall Chargeback Shield from your Shopify store, all data associated with your store — including order records, customer profiles, risk evaluations, and settings — is automatically deleted from our database within 24 hours.
- Cross-shop hashes: SHA-256 email hashes in the cross-shop fraud table are retained for up to 12 months from the date the signal was created, then automatically purged.
- Backups: Database backups may retain data for up to 7 days after deletion from the live database, after which they are permanently overwritten.
- GDPR deletion requests: Individual customer data deletion requests received via Shopify's GDPR webhooks (customers/redact) are processed within 30 days.
8. Security
We take the security of your data seriously and implement the following measures:
- Encryption in transit: All data transmitted between your Shopify store, the Chargeback Shield app, and our servers uses TLS 1.2 or higher.
- Encryption at rest: The PostgreSQL database hosted on Railway encrypts all data at rest.
- Webhook verification: All incoming Shopify webhooks are verified using HMAC-SHA256 signature validation. Requests with invalid signatures are rejected with a 401 status.
- Access control: App data is scoped per store. Each merchant can only access their own store's data. No cross-merchant data access is possible via the app interface.
- No payment data: We never request, receive, store, or process payment card numbers, CVV codes, bank account numbers, or any other financial credentials. These are handled exclusively by Shopify and their payment providers.
- OAuth tokens: Shopify access tokens are stored encrypted in the session storage database and are never exposed to the client browser.
Despite our security measures, no system can guarantee absolute security. In the event of a data breach that affects your personal data, we will notify you and any relevant authorities as required by applicable law within 72 hours of becoming aware of the breach.
9. Your Rights Under GDPR (EU/EEA and UK)
If you are located in the European Economic Area or United Kingdom, you have the following rights regarding your personal data:
- Right of access: You may request a copy of the personal data we hold about you or your store.
- Right to rectification: You may request that we correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): You may request that we delete your personal data. Uninstalling the app will trigger automatic deletion within 24 hours.
- Right to restriction: You may request that we restrict how we process your data in certain circumstances.
- Right to data portability: You may request a machine-readable export of your data.
- Right to object: You may object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at support@chargebackshielding.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
Note for end-customers of merchants: If you are a customer of a Shopify store that uses Chargeback Shield, your data is controlled by that merchant. Please contact the merchant directly. We will cooperate with merchants in responding to any requests from their customers.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you certain rights:
- Right to know: You have the right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Right to delete: You have the right to request deletion of personal information we hold about you, subject to certain exceptions.
- Right to correct: You have the right to request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell or share personal information for cross-context behavioural advertising.
- Right to non-discrimination: We will not discriminate against you for exercising your rights.
To exercise these rights, contact us at support@chargebackshielding.com with the subject line "California Privacy Rights Request".
11. Children's Data
Chargeback Shield is a business-to-business service intended for Shopify merchants. It is not directed at or intended for use by children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly.
12. Cookies and Tracking
The Chargeback Shield application, when embedded inside Shopify Admin, uses session cookies managed by Shopify's authentication system. These cookies are essential for the app to function and cannot be disabled.
Our marketing website (chargebackshielding.com) does not use:
- Advertising or marketing cookies
- Third-party analytics scripts (e.g. Google Analytics)
- Social media tracking pixels
- Any form of cross-site behavioural tracking
13. Shopify GDPR Webhooks
As a Shopify app, we are required to respond to the following mandatory GDPR webhook topics sent by Shopify:
- customers/data_request: When a merchant's customer requests a copy of their data, Shopify sends us a notification. We will provide the relevant data to the merchant within 30 days so they can respond to the customer.
- customers/redact: When a merchant requests deletion of a customer's data (or Shopify does so on their behalf), we will delete all records associated with that customer's Shopify ID and email address within 30 days.
- shop/redact: When a merchant uninstalls the app and the post-uninstall grace period expires (typically 48 hours), Shopify sends a shop redact request. We will confirm deletion of all the merchant's store data within 30 days of receiving this webhook.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Where practical, notify active merchants via the app or by email.
Your continued use of Chargeback Shield after changes are posted constitutes your acceptance of the updated policy. If you do not agree with the updated policy, you may uninstall the app at any time.
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
For GDPR-related requests requiring a formal response, please use the subject line "Privacy Request – [Your Store Domain]" so we can prioritise and track your request.