Data Security
No Raw PII Stored. By Design.
RefundSentry detects return fraud without storing customer names, raw emails, or full addresses. We use one-way SHA-256 hashes for pattern matching and never persist the raw values after scoring.
Hash-Only Identity Matching
We never store customer names, emails, or phone numbers. Instead, we compute one-way SHA-256 hashes for fraud detection. Hashes cannot be reversed into the original data.
- Email and phone are hashed at scoring time, then the raw value is discarded
- Hashes are deterministic — the same email always produces the same hash, enabling pattern detection
- No salt is used, so hashes are consistent across scoring events for the same customer
What We Store
Only the minimum data required for fraud scoring and analytics. No raw PII in our general-purpose tables.
- Shopify resource IDs (order, customer, product, return)
- Return metadata: reason codes, refund amounts, timestamps
- Aggregate statistics: return counts, refund totals, risk scores
- Country/region codes (for policy matching, not full addresses)
- SHA-256 hashes of email and phone (for fraud ring detection)
GDPR Erasure Webhooks
We implement all three Shopify mandatory compliance webhooks. When Shopify sends an erasure request, we delete everything.
- customers/data_request — we export what we hold (IDs and hashes, no PII)
- customers/redact — we delete the customer profile and all associated hashes
- shop/redact — we delete all store data within 48 hours of app uninstall
Encryption Everywhere
Data is encrypted in transit and at rest. OAuth tokens get an extra layer of AES-256-GCM encryption.
- TLS 1.3 for all data in transit
- AES-256 encryption at rest (database and backups)
- OAuth access tokens encrypted with AES-256-GCM before storage
- Standalone session cookies: AES-256-GCM encrypted, HttpOnly, SameSite=Lax
Network Signals Without Raw PII Sharing
RefundSentry can use hash-based network signals without exposing your customer lists or raw identifiers to other merchants.
- Cross-store signals use hashes, fingerprints, counts, timestamps, and aggregate outcomes
- Other merchants cannot see your customer list, raw identifiers, order details, or store name
- Scoring models are per-store — your signal weights are yours alone
- Data deletion removes your store's rows and network-signal contributions without affecting other stores' data
EU-Ready by Design
RefundSentry was built for GDPR compliance from day one, not retrofitted. The architecture makes non-compliance structurally difficult.
- No raw customer PII in the database means nothing to breach
- GDPR Article 22: risk scores are advisory — merchants make final decisions, not the algorithm
- Data minimization: we only access Shopify scopes needed for scoring
- Right to erasure: deleting a customer profile cascades to all related data including hashes
What We Access vs. What We Store
| Data | Read from Shopify | Stored in RefundSentry |
|---|---|---|
| Customer email | Yes | Hash only |
| Customer phone | Yes | Hash only |
| Customer name | Yes | Never |
| Shipping address | Yes | Country code only |
| Order totals | Yes | Yes |
| Return reason | Yes | Yes |
| Risk score | No | Yes (computed) |
| Payment method | Yes | Category only |
Questions about data handling? Contact us or read the full Privacy Policy.