📋 Legal Document

Privacy Policy

Effective: June 20, 2026

Last Updated: June 20, 2026

GDPR Compliant

Table of Contents

Overview & Who We Are
Information We Collect
How We Use Your Information
Third-Party Services
Data Storage & Security
GDPR — Your Rights
Data Retention
Cookies
Children's Privacy
Changes to This Policy
Contact Us

Plain English Summary: Return Automator stores the minimum data needed to process returns for Shopify merchants. We never sell your data. Customer data is used only to process returns and send confirmation emails. Merchants control all their customer data and can request deletion at any time.

01 Overview & Who We Are

Return Automator ("we," "us," or "our") is a Shopify application that automates the customer return and refund process for e-commerce merchants. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service, whether as a Shopify merchant ("Merchant") or as an end customer of a Merchant ("Customer").

By installing or using Return Automator, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.

Operator: Return Automator
Contact: privacy@returnautomator.com
Service URL: returnautomator.com

02 Information We Collect

From Merchants (Shopify Store Owners)

Data Type	What It Is	Why We Collect It
Shop domain	yourstore.myshopify.com	Identify your store, route returns correctly
Shopify access token	OAuth token from Shopify	Make API calls (refunds, gift cards, orders) on your behalf
Subscription status	Active / Trial / Cancelled	Control access based on billing status
App settings	Return window, label fee, thresholds	Apply your configured policies to returns
Shippo API token	Your personal Shippo key (optional)	Generate labels billed to your Shippo account

From Customers (End Shoppers)

Data Type	What It Is	Why We Collect It
Order number	Shopify order ID / number	Verify return eligibility
Email address	Used to look up the order	Verify identity, send confirmation email
Return reason	Text selected or entered by customer	Record why the item was returned
Damage photos	Images uploaded by customer (optional)	Document item condition for the merchant
Refund method choice	Cash / Store Credit / Exchange	Process the appropriate refund type

Automatically Collected Technical Data

IP address (for security logging and abuse prevention)
Browser type and version (for debugging only)
Timestamps of return submissions
API call logs (retained for 30 days for debugging)

03 How We Use Your Information

We use the information collected for the following purposes only:

Process return requests and verify order eligibility
Issue refunds, gift cards, and store credit via the Shopify API
Generate prepaid shipping labels via the Shippo API
Send automated return confirmation emails to customers via SendGrid
Store damage photos permanently in Cloudinary cloud storage
Tag Shopify orders with return metadata
Display return records in the merchant admin dashboard
Maintain your app subscription via Shopify Billing
Detect and prevent fraud or abuse of the return portal

⚠️ We never sell, rent, or trade your personal information or your customers' personal information to any third party for marketing purposes.

04 Third-Party Services

Return Automator integrates with the following third-party services to deliver its functionality. Each operates under their own privacy policy:

Service	Purpose	Data Shared	Privacy Policy
Shopify	Order lookup, refunds, gift cards, billing	Shop domain, access token, order IDs	shopify.com/legal/privacy
Shippo	Prepaid return label generation	Customer name, shipping address	goshippo.com/privacy
Cloudinary	Damage photo cloud storage	Uploaded images only	cloudinary.com/privacy
SendGrid (Twilio)	Transactional confirmation emails	Customer email address, order summary	sendgrid.com/privacy
Railway	Cloud hosting & infrastructure	Application data (encrypted at rest)	railway.app/legal/privacy

05 Data Storage & Security

All data is stored on Railway-hosted PostgreSQL databases located in the US East region
Shopify access tokens are stored and handled in compliance with Shopify's Partner Program requirements
Access tokens are immediately cleared when a merchant uninstalls the app
All data transmission uses TLS 1.2+ encryption in transit
Shopify webhook payloads are verified using HMAC-SHA256 signatures to prevent spoofing
Damage photos are stored in Cloudinary with access-controlled URLs
We do not store full credit card numbers or payment instrument details

Security Incident Notice: In the event of a data breach that affects your personal information, we will notify affected parties within 72 hours in accordance with GDPR Article 33 requirements.

06 GDPR — Your Rights

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights regarding your personal data:

Right of Access — Request a copy of the personal data we hold about you
Right to Rectification — Request correction of inaccurate personal data
Right to Erasure — Request deletion of your personal data ("right to be forgotten")
Right to Restrict Processing — Request that we limit how we use your data
Right to Data Portability — Receive your data in a machine-readable format
Right to Object — Object to our processing of your personal data

Return Automator implements all mandatory Shopify GDPR webhooks:

customers/data_request — We provide all stored customer data upon request
customers/redact — We permanently delete all customer data within 30 days
shop/redact — We permanently delete all shop data within 48 hours of uninstall

To exercise any of these rights, contact us at privacy@returnautomator.com. We will respond within 30 days.

07 Data Retention

Data Type	Retention Period	Reason
Return records	2 years from creation	Merchant recordkeeping, dispute resolution
Damage photos	2 years from upload	Merchant documentation and dispute resolution
Shopify access tokens	Until uninstall	Deleted immediately on app/uninstalled webhook
Email logs	90 days	Debugging and delivery confirmation
API access logs	30 days	Security and debugging only
Customer email addresses	2 years or until erasure request	Associated with return records

After the retention period, data is permanently deleted and cannot be recovered.

08 Cookies

The Return Automator return portal uses minimal, functional cookies only:

Session cookies — Temporary cookies to maintain your return session during the multi-step return process. Deleted when you close your browser.
No tracking cookies — We do not use advertising, analytics, or cross-site tracking cookies.
No third-party cookies — We do not allow third-party services to set cookies on our return portal pages.

09 Children's Privacy

Return Automator is a business tool intended for use by Shopify merchants and their adult customers. We do not knowingly collect personal information from anyone under the age of 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will delete it immediately.

10 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

Update the "Last Updated" date at the top of this page
Notify merchants via email at least 14 days before changes take effect
Display a notice in the Return Automator admin dashboard

Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

11 Contact Us

For any privacy-related questions, data requests, or to exercise your GDPR rights:

Privacy Questions?

We typically respond within 2 business days. For GDPR requests, we respond within 30 days as required by law.

privacy@returnautomator.com