Revert

Privacy Policy

Last updated: May 7, 2026

1. Introduction

Revert ("we", "our", "the app") is a Shopify embedded application for return and warranty management. This policy describes how we collect, use, store and protect personal data in compliance with the General Data Protection Regulation (GDPR - EU 2016/679) and Shopify platform requirements.

Service operator: Revert, contact: support@getrevert.cloud. Data Protection Officer (DPO): privacy@getrevert.cloud.

2. Data we collect

When a merchant installs Revert on their Shopify store, we access the following data via Shopify GraphQL APIs:

  • Shop information - shop name, myshopify domain, currency, timezone, owner (email, name).
  • Orders - order number, line items, shipping status, price, date - only for orders involved in a return.
  • Customers - shopify_customer_id, name, email, phone (if provided) - only when a customer requests a return.
  • Products - title, image, price, vendor, product type, status.
  • Theme - detection of our app block in the active theme (for automatic customer portal detection).

3. Processing purpose

Collected data is used exclusively for:

  • Service execution - managing return requests, generating shipping labels, processing refunds and exchanges.
  • Rule-based automation - applying merchant-defined auto-approval rules.
  • Optional AI scoring - return scoring via artificial intelligence (Claude, Anthropic) - can be disabled at any time.
  • Notifications - sending transactional emails to customers (return validation, shipping label, refund) via Resend.
  • Analytics - anonymized aggregation to measure service performance (auto-approval rate, processing time).

4. Data retention

Data related to an active return is retained for the duration of the merchant's use of the app.

After app uninstallation, data is automatically deleted within 48 hours via the Shopify shop/redact webhook.

Technical logs (audit, security) are kept for 90 days, then purged. Encrypted backups have a maximum retention of 7 days.

5. User rights (GDPR)

In accordance with GDPR articles 15 to 22, you have the following rights:

  • Access - obtain a copy of your personal data in a structured format.
  • Rectification - correct inaccurate or incomplete data.
  • Erasure - request deletion of your data ("right to be forgotten").
  • Portability - receive your data in a machine-readable format (JSON).
  • Objection - object to data processing, in particular AI scoring.

To exercise these rights, write to privacy@getrevert.cloud. We respond within 30 days maximum (GDPR legal deadline).

6. Shopify compliance (GDPR webhooks)

Revert implements all three mandatory Shopify GDPR webhooks:

  • customers/data_request - when a customer requests their data, we provide a complete export within 30 days.
  • customers/redact - when a customer requests data deletion, we remove it from our database within 30 days.
  • shop/redact - 48 hours after app uninstallation, all shop data is automatically deleted.

7. Data sharing (sub-processors)

Your data is NEVER sold to third parties. It is shared only with the following technical sub-processors, which are bound by confidentiality agreements and are GDPR-compliant:

  • Hostinger International Ltd (Cyprus) - VPS infrastructure hosting (EU).
  • Resend (AWS Ireland, eu-west-1) - transactional email delivery.
  • Anthropic (USA) - Claude API for return AI scoring - only if the merchant enables this feature. No data is used to train models (Anthropic zero retention policy).
  • Sendcloud (Netherlands) - shipping label generation - only for returns involving a carrier.

8. AI processing

Revert uses the Claude API by Anthropic to analyze returns and apply merchant-defined rules. Some specifics:

  • Data sent to Anthropic - return metadata (reason, amount, delay, aggregated customer history). No email, phone, or full name is transmitted.
  • No training - data sent to Anthropic is not used to train their models (zero data retention policy).
  • Optional - AI features can be disabled anytime in app settings. Static rules continue to work without AI.

9. Hosting and security

Infrastructure is hosted on a Hostinger VPS in the EU. All communications are encrypted with TLS 1.3, data is encrypted at rest (AES-256), and Shopify API credentials are encrypted with rotating keys.

Administrator access is protected by strong passwords and 2FA. Daily backups are encrypted and retained for 7 days.

10. Cookies

The getrevert.cloud website uses a limited number of cookies:

  • Analytics cookies (Umami self-hosted, no third-party cookies) - no personal data, IP anonymization.
  • Microsoft Clarity (heatmaps) - can be disabled via Do Not Track.

The Shopify embedded admin app only uses JWT session cookies necessary for operation (Shopify App Bridge).

11. Contact

For any question regarding this policy or your personal data, contact:

  • General support - support@getrevert.cloud
  • GDPR / DPO request - privacy@getrevert.cloud
  • Security - security@getrevert.cloud

In case of an unresolved dispute, you can file a complaint with your country's data protection authority (CNIL in France, ICO in the UK, etc.).