Privacy Policy — ShieldDesk

Operated by Approid Tech · Last updated: 12 May 2026

ShieldDesk is a Shopify app that helps merchants triage and respond to customer-support enquiries submitted through their storefront contact form. This policy explains what data the app collects, how it is used, who it is shared with, how long it is kept, and how merchants and their customers can exercise their rights.

1. Who we are

Approid Tech ("we", "us") operates the ShieldDesk Shopify app. Contact for privacy and data-protection matters: privacy@approidtech.com.

2. Data we collect

Category	What	Source
Merchant data	Shopify store domain, OAuth access token (offline, expiring), refresh token, current billing plan, app usage counters	Provided by Shopify when the merchant installs the app
End-customer data	Name, email address, and the free-text message body the customer submitted through the merchant's storefront contact form	Submitted directly by the customer on the merchant's storefront
Order context	Order number, dates, fulfilment status, financial status, tracking number/URL/carrier, line-item titles and quantities, total price and currency	Retrieved from the Shopify Admin API (`read_orders` scope) at the time we process a customer message

We do not collect payment card details, government identifiers, phone numbers, shipping or billing addresses, date of birth, or any special-category personal data.

3. How we use the data

Triage: classifying messages (spam, shipping issue, refund request, product question, complaint, general enquiry) and scoring spam likelihood.
Auto-resolution: for order-status questions, looking up the customer's recent orders and generating a draft reply with tracking details.
Draft replies: generating a suggested first-response message that the merchant reviews and may send.
Display: showing messages, classifications, and order context to the merchant inside the ShieldDesk inbox in Shopify Admin.

We do not use customer or order data for marketing, advertising, profiling for behavioural targeting, or training general-purpose AI models. AI inference is performed by Anthropic and is governed by Anthropic's commercial terms, which prohibit using customer inputs to train models.

4. Sub-processors

Sub-processor	Purpose	Location
Supabase (PostgreSQL)	Encrypted storage of merchant + customer message data	United States / EU regions
Anthropic (Claude API)	AI classification and reply drafting (transient — inputs not retained beyond the API request)	United States
Render	Application hosting	United States
Shopify	Source of merchant identity, order data, and OAuth	Per Shopify's policy

5. Security

All data is transmitted over TLS (HTTPS).
Data at rest in Supabase is encrypted with AES-256.
Supabase backups are encrypted.
Access to the production database is restricted to named operators with strong, unique credentials and two-factor authentication.
Shopify session tokens (JWTs) are verified on every authenticated API request using HS256 with the app's API secret.
Access to customer data is logged at the database and application level.
We follow a documented incident-response procedure (see "Security incidents" below).

6. How long we keep the data

While the app is installed: messages and merchant configuration are retained so the merchant can review their support history.
When a customer requests deletion: data is deleted on receipt of Shopify's customers/redact compliance webhook.
When the merchant uninstalls: the merchant's OAuth token is revoked immediately on Shopify's app/uninstalled webhook. All of the merchant's data is then deleted on receipt of Shopify's shop/redact compliance webhook, which Shopify sends 48 hours after uninstall.

7. Your rights (merchants and end-customers)

Subject to applicable law (including GDPR and CCPA), you may request access to, correction of, deletion of, or a portable copy of your personal data. End-customers should typically exercise these rights through the merchant whose store they interacted with; the merchant in turn relays the request to ShieldDesk via Shopify's compliance webhooks. Direct requests are also accepted at privacy@approidtech.com and will be responded to within 30 days.

8. International transfers

Personal data may be processed in countries outside the customer's or merchant's country of residence, including the United States. Where required by law, transfers are made under appropriate safeguards (such as the EU Standard Contractual Clauses or equivalent).

9. Cookies

ShieldDesk authenticates merchants using Shopify-issued session tokens (JWTs) carried in request headers. It does not set first-party cookies for tracking or analytics, and it does not embed third-party tracking pixels.

10. Security incidents

If we become aware of a personal-data breach affecting your data, we will notify Shopify within 72 hours and affected merchants and regulators as required by applicable law. Our incident-response process is documented and available on request.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated to active merchants by email.

12. Contact

Approid Tech — privacy@approidtech.com