Data Security
Zero PII Stored. By Design.
RefundSentry detects return fraud without storing customer names, emails, or addresses. We use one-way hashes for pattern matching and discard raw data at scoring time.
Hash-Only Identity Matching
We never store customer names, emails, or phone numbers. Instead, we compute one-way SHA-256 hashes for fraud detection. Hashes cannot be reversed into the original data.
- Email and phone are hashed at scoring time, then the raw value is discarded
- Hashes are deterministic — the same email always produces the same hash, enabling pattern detection
- No salt is used, so hashes are consistent across scoring events for the same customer
What We Store
Only the minimum data required for fraud scoring and analytics. No raw PII in our general-purpose tables.
- Shopify resource IDs (order, customer, product, return)
- Return metadata: reason codes, refund amounts, timestamps
- Aggregate statistics: return counts, refund totals, risk scores
- Country/region codes (for policy matching, not full addresses)
- SHA-256 hashes of email and phone (for fraud ring detection)
GDPR Erasure Webhooks
We implement all three of Shopify's mandatory compliance webhooks. When Shopify sends a redaction request, we delete all data we hold for that customer or store.
- customers/data_request — we export what we hold (IDs and hashes, no PII)
- customers/redact — we delete the customer profile and all associated hashes
- shop/redact — we delete all store data within 48 hours of app uninstall
Encryption Everywhere
Data is encrypted in transit and at rest. OAuth tokens get an extra layer of AES-256-GCM encryption.
- TLS 1.3 for all data in transit
- AES-256 encryption at rest (database and backups)
- OAuth access tokens encrypted with AES-256-GCM before storage
- Standalone session cookies: AES-256-GCM encrypted, HttpOnly, SameSite=Lax
Isolated Per Merchant
Your store data is never shared with other merchants. Each store's fraud scoring uses only its own data.
- No cross-merchant data sharing or pooling
- Scoring models are per-store — your signal weights are yours alone
- Data deletion is complete and isolated — removing one store affects no others
EU-Ready by Design
RefundSentry was built for GDPR compliance from day one, not retrofitted. The architecture makes non-compliance structurally difficult.
- No raw customer PII in the database means nothing to breach
- GDPR Article 22: risk scores are advisory — merchants make final decisions, not the algorithm
- Data minimization: we only access Shopify scopes needed for scoring
- Right to erasure: deleting a customer profile cascades to all related data including hashes
What We Access vs. What We Store
| Data | Read from Shopify | Stored in RefundSentry |
|---|---|---|
| Customer email | Yes | Hash only |
| Customer phone | Yes | Hash only |
| Customer name | Yes | Never |
| Shipping address | Yes | Country code only |
| Order totals | Yes | Yes |
| Return reason | Yes | Yes |
| Risk score | No | Yes (computed) |
| Payment method | Yes | Category only |
Questions about data handling? Contact us or read the full Privacy Policy.