Security

Last updated:

A summary of how DropifyXL protects your store data and the data of your customers. This page is a consolidated reference — the legally binding details live in our Privacy Policy and DPA.

Encryption

All traffic between the marketing site, the Shopify embedded app, our cron server, and the database is encrypted in transit using TLS 1.2+. Database storage (Supabase Postgres) is encrypted at rest with AES-256 by default, including automated backups.

One-click unsubscribe tokens in outgoing email are signed with HMAC (SHA-256) and validated on arrival — tampered or forged links are rejected.

Authentication & access

Merchants authenticate through Shopify's OAuth flow — we never see or store a merchant's Shopify password. Every admin API call is signed with a short-lived Shopify access token scoped to the minimum read permissions the rules engine needs.

Internal access to production systems follows least privilege: human access requires 2FA, is logged, and is revoked on role change. The Express cron server authenticates to the app using a rotating bearer secret, not a session cookie.

Webhook integrity

Every Shopify webhook we receive — orders, products, customers, uninstall, GDPR data-request/redact — is verified against the X-Shopify-Hmac-Sha256 header with the app's shared secret. Unsigned or mismatched requests are rejected with 401 and never persisted.

Rate limiting & anti-abuse

Public endpoints (newsletter, contact, data-request) are rate-limited by coarse IP prefix — we store /24 for IPv4 and /48 for IPv6 rather than full addresses. Current limits:

  • Newsletter signup — 5 per minute per prefix
  • Contact form — 3 per minute per prefix
  • Data-request form — 1 per 10 minutes per prefix

The contact form is additionally gated on an installed merchant shop domain, so it can't be used as a generic message relay.

Retention limits

We keep the minimum needed to deliver the product:

  • Behavioral events (Web Pixel page views, adds to cart, etc.): raw events are kept for less than ~36 hours, then rolled into anonymized daily summaries and deleted.
  • Uninstalled shops: all store data is purged 90 days after the app is uninstalled. You can request earlier deletion via the contact form.
  • GDPR redact: Shopify-initiated customer-redact webhooks are processed within 48 hours; shop-redact within 10 days.
  • Email logs: retained 30 days for deliverability debugging, then purged.

Infrastructure & subprocessors

We run on Vercel (embedded app + marketing site), a DigitalOcean droplet (cron server), and Supabase-hosted Postgres. Each is bound by its own DPA and reviewed annually. The full list — including Resend (email) and OpenAI/Gemini (LLM polish) — is at /subprocessors.

Incident response

We monitor application errors and uptime continuously. If a security incident or data breach is detected, our response follows a fixed playbook:

  1. Contain — isolate the affected service or credential.
  2. Assess — identify the data, the shops, and the window of exposure.
  3. Notify — affected merchants within 72 hours of confirmation, per GDPR Article 33 timing; regulators as required by jurisdiction.
  4. Remediate — fix root cause and publish a postmortem.

Our public status page is at /status.

Responsible disclosure

Found a vulnerability? Submit a report through the contact form with topic Technical Issue and a reproduction path in the message body. We acknowledge within 2 business days and will coordinate a disclosure timeline with you. We don't take legal action against good-faith researchers.

Need a pentest report, SOC 2 Type II letter, or a signed security questionnaire? Open a ticket and we'll route it to the right person.