Privacy Policy
Last updated: 2026-05-04
This Privacy Policy describes how AuditRay ("we", "our", "the App") collects, uses, and protects information when you install and use the App on your Shopify store.
1. What we collect
When you install the App, Shopify provides us with limited information about your store (domain, store ID, access token, installation timestamps). We do not request access to customer personal data beyond what is necessary to operate the App's audit log functionality.
The App processes Shopify webhooks for products, orders, and inventory changes. From these webhooks, we extract and store only operational fields required for change tracking: titles, prices, status, tags, SKUs, inventory counts, line item quantities, and similar non-PII metadata.
We do not store customer personal data such as names, email addresses, phone numbers, shipping addresses, or payment information. PII fields are filtered out at webhook ingestion before any data is written to our database.
2. How we use information
- To provide the App's audit log functionality to you
- To deliver alert notifications (email, Slack, Discord, custom webhooks) you configure
- To enforce plan limits and billing
- To respond to support requests
We do not sell, rent, or share your data with third parties for marketing purposes.
3. Sub-processors
The App relies on the following third-party services:
- Shopify — provides the platform and webhooks
- Resend (resend.com) — email delivery for alerts, if you configure email alerts
- Cloudflare — network and DDoS protection
- Time4VPS — server hosting (data center located in the European Union, Lithuania)
4. Data retention
We retain audit events according to your subscription plan:
- Free plan — 7 days
- Basic plan — 30 days
- Pro plan — 365 days
Events older than the retention window are automatically deleted from our database.
Upon app uninstallation, we mark your shop as inactive. Per Shopify's GDPR webhook framework, all your shop data is permanently deleted within 48 hours after receiving the shop/redact webhook from Shopify.
5. Data security
- All data in transit is encrypted via HTTPS / TLS 1.2+.
- Data at rest is encrypted using LUKS (Linux Unified Key Setup) disk-level encryption. The Postgres database files reside on an encrypted partition decrypted only at boot.
- Customer PII (names, emails, addresses, phone numbers, payment information) is filtered out at webhook ingestion before any record is written to our database, so we hold none of it.
- Production server access is limited to the App's maintainer via SSH key authentication; password authentication is disabled.
6. Your rights (GDPR)
The App fully supports Shopify's GDPR compliance webhooks:
- customers/data_request — handled (we hold no customer PII; we respond confirming this)
- customers/redact — handled
- shop/redact — triggers full data deletion
For any other data subject request, contact us at the email below.
7. International data transfers
All data is hosted in the European Union (Time4VPS data center in Lithuania). For merchants outside the EU, Standard Contractual Clauses apply where required by applicable data protection laws.
8. Changes to this policy
We may update this Privacy Policy. We will notify merchants by email if changes are material.
9. Contact
For privacy questions or data requests, contact: [email protected]
App: audit.contextray.com