1. Overview

Damage Control ("we," "our," or "us") is a Shopify app that monitors merchant store data to assess suspension risk, detect compliance issues, and generate remediation guidance. We are committed to protecting the privacy of our users and their customers. This Privacy Policy explains what data we collect, how we use it, and how we handle it.

2. Data We Collect

2.1 Data Accessed via Shopify API

When you install Damage Control, we request access to the following Shopify Admin API scopes solely to calculate your risk score and provide alerts:

• read_orders - To analyze order volume, refund rates, cancellation rates, and fulfillment timelines.
• read_products - To scan product titles and descriptions for Acceptable Use Policy compliance.
• read_customers - To detect address mismatch patterns between billing and shipping.
• read_fulfillments - To evaluate fulfillment speed and identify delayed shipments.
• read_shopify_payments_disputes - To track chargeback rates, dispute velocity, and card network program exposure.
• read_shopify_payments_payouts - To monitor payout status and reserve indicators.
• read_shopify_payments_accounts - To verify Shopify Payments account standing.
• read_content - To check for required compliance pages (privacy policy, refund policy, terms of service, shipping policy, contact page).

2.2 Data We Store

We store only the minimum data necessary to provide our service:

• OAuth tokens - Your Shopify access token and refresh token (encrypted at rest) to maintain your connection and perform scheduled scans.
• Risk assessments - Calculated risk scores, signal breakdowns, and recommendations generated from your store data.
• Alert history - Notifications about risk escalations and critical signal spikes.
• Shop domain - Your myshopify.com domain to associate data with your account.

2.3 Data We Do NOT Collect

We do not collect, store, or process any of the following:

• Customer personally identifiable information (names, emails, addresses, phone numbers)
• Payment card numbers or financial account details
• Customer order contents or purchase histories
• Any data unrelated to risk assessment and compliance monitoring

3. How We Use Your Data

We use the data accessed through the Shopify API exclusively to:

• Calculate your store's suspension risk score and signal breakdowns
• Evaluate your standing against Visa, Mastercard, and Shopify compliance thresholds
• Generate actionable recommendations to reduce your risk
• Send you alerts when your risk level escalates or critical signals are detected
• Generate appeal letters and risk reports at your request
• Perform scheduled automated scans (every 6 hours) to keep your risk score current

We do not use your data for advertising, marketing, profiling, or any purpose unrelated to the core functionality of Damage Control.

4. Data Storage and Security

Your data is stored in a secure, encrypted MongoDB database hosted on Railway with the following protections:

• OAuth tokens are encrypted at rest
• Database access is restricted to authenticated application servers only
• All data in transit is encrypted via TLS 1.2 or higher
• Access to production infrastructure is limited to authorized personnel

5. Data Retention

We retain your data only for as long as your Damage Control app is installed:

• Risk assessments - Retained for the lifetime of your app installation to provide historical trend data.
• Alert history - Retained until you dismiss individual alerts or clear all alerts.
• OAuth tokens - Retained until you uninstall the app, at which point they are immediately deleted.

6. Data Deletion

When you uninstall Damage Control from your Shopify store, the following happens automatically:

• All OAuth tokens and session data are deleted immediately
• All risk assessments and alert history are deleted
• All billing records are deleted
• No data is retained after uninstallation

This automatic cleanup is handled by our GDPR-compliant webhook handlers (shop/redact and app/uninstalled). You do not need to contact us to request data deletion upon uninstall.

7. Data Sharing

We do not sell, rent, trade, or share your data with any third parties. Your store data and risk assessments are visible only to you through the Damage Control dashboard. We do not share risk scores or compliance data with Shopify, payment processors, or card networks.

8. Third-Party Services

Damage Control integrates with the following third-party services:

• Shopify Admin API - To read your store data as described above. Governed by Shopify's API Terms of Service.
• Railway - Our hosting and database provider. Governed by Railway's Privacy Policy.

No other third-party services, analytics platforms, advertising networks, or external APIs receive your data.

9. Your Rights

As a Shopify merchant using Damage Control, you have the right to:

• Access - Request a copy of all data we hold about your store
• Deletion - Request immediate deletion of all your data at any time
• Portability - Export your risk assessment history and alert data
• Objection - Object to specific data processing activities

To exercise any of these rights, contact us at the email address below. We will respond within 30 days.

10. GDPR Compliance

Damage Control is fully compliant with the General Data Protection Regulation (GDPR). We process data only with your consent (granted through Shopify OAuth), for the legitimate purpose of providing our risk monitoring service. We support Shopify's built-in GDPR webhooks:

• customers/data_request - We do not store customer data, so no action is required.
• customers/redact - We do not store customer data, so no action is required.
• shop/redact - We delete all data associated with your store within 48 hours of receiving this webhook.

11. CCPA Compliance

Under the California Consumer Privacy Act, California residents have the right to know what personal information is collected, to request deletion, and to opt out of the sale of personal information. Since we do not sell personal information and collect minimal data as described above, exercising these rights is straightforward through the mechanisms described in Section 9.

12. Children's Privacy

Damage Control is a business-to-business tool designed for Shopify merchants. We do not knowingly collect data from children under 13, and our service is not directed at children.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes through the Damage Control app or by updating the "Last updated" date above. Continued use of the app after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:

• Email: magxaly@gmail.com