Legal
Privacy Policy
This policy explains what personal data Eturns processes, why we process it, who we share it with, and the rights you have over it. We've written it in plain English — no dark patterns, no walls of legalese.
- Last updated: April 26, 2026
- Effective: April 26, 2026
At a glance
When a shopper uses the Eturns chat widget on a merchant's storefront, the merchant is the data controller and Eturns is the data processor. We process shopper data strictly on the merchant's behalf.
We collect store data, order data, conversation transcripts, and merchant account data — only what's needed to handle returns, exchanges, refunds, cancellations, and intercepts. We do not sell personal information. We do not use customer data for advertising. We do not train AI models on your customer chats.
Conversation transcripts are retained for up to 24 months (configurable per merchant from 30 to 365+ days). Merchant configuration is deleted 30 days after uninstall. We honor Shopify's mandatory GDPR webhooks: customers/redact, customers/data_request, and shop/redact.
1. Who we are
Eturns is an AI-powered returns management app for Shopify stores. In this policy, “Eturns,” “we,” “us,” and “our” refer to the entity that operates the Eturns service. “You” refers to the reader — either a Shopify merchant who installed Eturns, or a shopper interacting with a merchant who uses Eturns.
For data-protection purposes, our role depends on whose data is being processed. See Scope & roles below.
2. Scope & roles
This policy covers data processed through the Eturns Shopify app, the Eturns storefront chat widget, and the website at www.eturns.app.
Customer (shopper) data
When a shopper uses the Eturns widget on a merchant's storefront, the merchant is the data controller and Eturns is the data processor. We process shopper data strictly on the merchant's behalf, per our Data Processing Addendum (available on request from support@eturns.app).
Merchant account data
When a merchant installs Eturns or visits our website, Eturns is the data controller for the merchant's own account data, billing data, and usage analytics. Merchant rights requests come directly to us — see Your rights.
3. Data we collect
From shoppers (on merchant stores)
- Order identifiers — order number, order email, order date — to look up the order in Shopify and verify the return request.
- Conversation transcripts — the messages the shopper sends and the AI's replies — used to run the conversation, escalate to the merchant, and audit decisions.
- Photos uploaded as evidence — damage photos, label photos, product close-ups — used to verify defect or delivery claims. Never used for AI training.
- Shopper email — when the shopper provides one to identify their order or to receive return updates.
- Coarse geographic data — country / region from the request IP at the edge — used to apply EU 14-day withdrawal and UK CRA defect floors automatically.
We do not collect: payment card data, government IDs, exact GPS location, browser fingerprints for cross-site tracking, advertising identifiers, third-party social profiles, or microphone / camera streams. The widget never asks the browser for these permissions.
From merchants
- Account profile — shop domain, shop name, billing plan, contact email.
- Product catalog + inventory — products, variants, SKUs, inventory levels, tags, collections — kept live via Shopify webhooks.
- Policy configuration — return windows, restocking fees, custom rules, disclosure profile.
- Shopify access tokens — OAuth offline tokens used to call Shopify on the merchant's behalf. Stored AES-256-GCM encrypted at rest with PBKDF2-derived keys.
- Operational logs — API call traces, error events, webhook delivery records — used for debugging and uptime.
4. How we use data
- Run the AI conversation — verify orders, check eligibility, suggest exchanges, file return requests, escalate to the merchant.
- Enforce policy + risk scoring — calculate risk per request, decide auto-approval vs manual review, surface fraud signals.
- Audit + compliance — log every decision so the merchant can review it later and meet GDPR right-to-access requests.
- Debug + incident response — diagnose failures, restore service quickly.
- Aggregate analytics — count conversations, measure resolution time, surface volume trends. We use de-identified aggregates for product decisions; we never publish per-merchant numbers without consent.
- Billing — meter conversation usage and bill through Shopify's billing API. We never see card details.
We never sell personal information. We have no advertising business. We never train AI models on your customer chats. We never hand your data to a third party for marketing purposes.
5. Legal basis (GDPR / UK GDPR)
- Service delivery — contract performance. We can't deliver Eturns to the merchant without processing this data.
- Risk scoring + fraud detection — legitimate interest of the merchant, balanced via the controls we expose.
- Compliance webhooks — legal obligation under GDPR and Shopify's App Store policy.
- Marketing analytics on the website — consent where required by your jurisdiction; legitimate interest with opt-out elsewhere.
7. Storage & security
- Tokens at rest — Shopify offline access tokens are encrypted with AES-256-GCM using PBKDF2-derived keys. Key rotation supported without merchant re-auth.
- Endpoint integrity — every public chat, escalate, rating, and verify endpoint requires a valid Shopify-signed App Proxy HMAC with a ±5 minute timestamp replay window. Production fails closed.
- Transport — HTTPS-only, HSTS preloaded for two years with includeSubDomains.
- Browser security — strict Content Security Policy, Cross-Origin-Opener-Policy: same-origin, Cross-Origin-Resource-Policy: same-site, X-Frame-Options: DENY, FLoC / Topics opted out.
- Tenant isolation — every Convex query scopes to the authenticated merchantId. Defense-in-depth allowlists in our admin clients reject any query outside an explicit list.
If we discover an incident affecting your data, we'll notify you within 72 hours of confirmation, with a description of the impact and the steps we're taking.
8. Retention & deletion
- Conversation transcripts: 24 months. Configurable from 30 to 365+ days per merchant.
- Merchant configuration + product catalog: live while installed; deleted 30 days after uninstall.
- Operational logs: 30 to 90 days depending on log class.
- GDPR audit log: immutable. Survives shop_redact so we have proof-of-deletion if regulators ask.
Deletion isn't a flag — it's a chained-batch process across every merchant-scoped table. At lakhs scale (hundreds of thousands of conversations) the redact still completes.
9. International transfers
Eturns operates from Convex's configured region (currently EU-West-1) with Vercel edge serving from the visitor's nearest region. AI inference may be served from Google's data centers under our agreement with Vercel AI Gateway.
Where data crosses borders, we rely on the European Commission's Standard Contractual Clauses (SCCs) (2021/914) as the transfer mechanism. The UK addendum applies for UK-origin data. Adequacy decisions cover transfers to jurisdictions where they exist.
10. Your rights (GDPR / UK)
If you're a shopper
Your data is held by the merchant (data controller). Contact the merchant first. If they don't respond, write to support@eturns.app and we'll route or fulfill the request. Rights include access, correction, erasure, restriction, portability, and the right to object.
If you're a merchant
Email support@eturns.app. We confirm receipt within 48 hours and complete within 30 days (or extend with notice for complex requests). Rights include access, rectification, erasure, restriction, portability, objection, and (where applicable) withdrawal of consent.
Right to lodge a complaint
If you're in the EU / EEA / UK / Switzerland and you believe we haven't handled your data lawfully, you can lodge a complaint with your local supervisory authority.
11. California (CCPA / CPRA)
California residents have the right to know, delete, correct, and opt out of sale or sharing of personal information. We don't sell or share personal information for cross-context behavioral advertising — there is nothing to opt out of, but the right itself remains. Submit a verifiable request via support@eturns.app.
12. Shopify mandatory compliance webhooks
Shopify requires every app to handle three GDPR webhooks. Eturns implements all three to actually delete data — not just acknowledge the request:
- customers/data_request — when a shopper exercises GDPR access against the merchant, we package the data we hold and return it to the merchant within 30 days.
- customers/redact — when a shopper exercises GDPR erasure, we hard-delete the shopper's data from every merchant-scoped table.
- shop/redact — when a merchant uninstalls and 48 hours pass, Shopify fires this webhook. We run the chained-batch deletion across every merchant-scoped table and write an immutable audit log entry.
13. Children's privacy
Eturns is a B2B SaaS app for Shopify merchants. The customer-facing chat widget is intended for use by adults transacting on a merchant store. We don't knowingly collect personal information from children under 13 (under 16 in the EU). If you believe a child has interacted with the widget and provided personal information, contact support@eturns.app and we'll delete it.
14. Changes to this policy
Material changes that affect merchant data processing get email notice 30 days before they take effect. Continued use after the effective date means you accept the changes; if you don't, the escape hatch is straightforward — uninstall the app, and we delete the data per the retention schedule.
15. Contact & data requests
Privacy questions, DPA requests, security questionnaires, vendor reviews — write to support@eturns.app. We answer within one business day.