Privacy Policy
Last updated: March 13, 2026
1. Introduction
ShieldCommerce (“we,” “us,” or “our”) provides fraud prevention and chargeback defense services for Shopify merchants. This Privacy Policy describes how we collect, use, and protect information when you use our application and visit our website at shieldcommerce.app.
2. Information We Collect
2.1 Merchant Information
When you install ShieldCommerce, we collect:
- Shop domain and store name (from Shopify OAuth)
- Shopify access token (encrypted with AES-256-GCM)
- Plan selection and billing information (managed by Shopify Billing API)
2.2 Order Data
When orders are placed in your store, we receive via Shopify webhooks:
- Order details (number, amount, currency, products, timestamps)
- Customer information (email, phone, billing/shipping address)
- IP address and browser information
- Payment method details (card BIN, payment status)
2.3 How We Protect PII
All personally identifiable information (email, phone, IP address) is hashed with SHA-256 plus a server-side pepper before storage. We never store PII in plaintext. Access tokens are encrypted with AES-256-GCM. We never log sensitive data.
3. How We Use Information
- Fraud risk scoring using our Bayesian analysis engine
- Generating CE 3.0 evidence for chargeback defense
- Building customer risk profiles across orders
- Sending weekly intelligence reports and alerts
- Improving our fraud detection algorithms over time
- Providing customer support
4. Third-Party Services
We use the following third-party services:
- Shopify: Platform integration, OAuth, billing
- Supabase (EU region): Database hosting with row-level security
- IPQS (IPQualityScore): IP reputation, email validation, transaction scoring (Growth+ plans only)
- Resend: Transactional email delivery
- MaxMind GeoLite2: IP geolocation
- Railway: Application hosting
- Vercel: Frontend and website hosting
5. Data Retention
We retain order and scoring data for as long as your ShieldCommerce account is active, plus 30 days after cancellation. SignalSnapshot data (used to improve our scoring models) is retained in anonymized form for up to 24 months.
6. GDPR Compliance
We comply with the General Data Protection Regulation (GDPR). As a data processor acting on behalf of merchants (data controllers), we:
- Process data only as instructed by merchants via our app
- Store data in the EU region (Supabase EU)
- Support data export and deletion requests
- Hash all PII before storage
- Respond to Shopify GDPR webhooks (customer data request, customer data erasure, shop data erasure)
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction or deletion of your data
- Object to or restrict our processing of your data
- Request data portability
- Withdraw consent at any time
To exercise these rights, contact us at privacy@shieldcommerce.app.
8. Security
We implement industry-standard security measures, including SHA-256 hashing for PII, AES-256-GCM encryption for tokens, HMAC webhook verification with timing-safe comparison, rate limiting on all API endpoints, and HTTPS-only communication.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date.
10. Contact Us
If you have questions about this Privacy Policy, please contact us at privacy@shieldcommerce.app.