Privacy Policy

Last updated: February 15, 2026

1. Introduction

GreenCommerce ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopify application and related services (the "Service").

By installing our app or creating an account, you agree to the collection and use of information as described in this policy.

2. Information We Collect

2.1 Account Information

When you create a GreenCommerce account, we collect:

  • Email address
  • Password (stored as a bcrypt hash — we never store plaintext passwords)
  • Store name (optional)

2.2 Shopify Store Data

When you connect your Shopify store via OAuth, we request the following scopes: read_orders, read_products, and read_shipping. We access:

  • Order data: Order numbers, prices, line items, shipping addresses (city and country only), shipping methods, and fulfillment details
  • Product data: Product titles, SKUs, weights, and categories
  • Shipping data: Carrier names, service levels, and shipping costs
  • Store metadata: Your Shopify store domain

We do not access customer email addresses, full street addresses, payment details, or any data beyond the scopes listed above.

2.3 Payment Information

Subscription payments are processed securely by Stripe. We do not store your credit card number, CVC, or billing address. Stripe's privacy policy governs their handling of your payment data.

2.4 Automatically Collected Information

We collect minimal technical information necessary to operate the Service:

  • IP address (used for rate limiting and security only)
  • Browser type and version (from standard HTTP headers)

We do not use third-party analytics, advertising trackers, or any non-essential tracking technologies.

3. How We Use Your Information

We use the data we collect to:

  • Calculate carbon emissions for your shipping and orders
  • Display sustainability analytics on your dashboard
  • Generate PDF reports and AI-powered insights (when you opt in)
  • Compare shipping providers by cost, speed, and carbon footprint
  • Process your subscription payments via Stripe
  • Send password reset emails (when requested)
  • Protect our Service from abuse via rate limiting

We do not use your data for advertising, profiling, or any purpose unrelated to providing the Service.

4. Data Sharing and Disclosure

We share your information only with the following third parties, and only to the extent necessary to operate the Service:

  • Stripe: Payment processing for subscriptions
  • Vercel: Application hosting and infrastructure
  • Supabase: Database hosting (PostgreSQL)
  • OpenAI: AI insights generation (only when you explicitly request AI insights; we send aggregated order data, not personal information)
  • Resend: Transactional emails (password resets only)

We may disclose your information if required by law, court order, or governmental regulation, or to protect our rights, property, or the safety of our users.

5. Data Security

We implement the following security measures to protect your data:

  • All data is transmitted over HTTPS with TLS encryption
  • Passwords are hashed using bcrypt with 12 salt rounds
  • Shopify OAuth uses cryptographically secure state parameters to prevent CSRF attacks
  • Shopify webhook payloads are verified via HMAC-SHA256 signatures
  • Authentication endpoints are rate-limited to prevent brute-force attacks
  • Session-based access control on all API endpoints
  • Database hosted on Supabase with row-level encryption at rest

6. Data Retention

We retain your data according to the following schedule:

  • Active accounts: Your data is retained for as long as your account is active and the app is installed on your Shopify store
  • App uninstall: When you uninstall GreenCommerce from your Shopify store, your Shopify access token is immediately revoked and your account is deactivated. All store data is permanently deleted within 48 hours via our automated data erasure process
  • Account deletion: You may request complete deletion of your account and all associated data at any time by contacting us
  • Billing records: Retained for 7 years as required by applicable financial regulations
  • Password reset tokens: Automatically expire after 1 hour

7. Cookies

GreenCommerce uses only essential cookies required for the application to function. We do not use any advertising, analytics, or tracking cookies.

  • next-auth.session-token: Keeps you signed in (session duration)
  • next-auth.csrf-token: Prevents cross-site request forgery (session duration)
  • shopify_oauth_state: Validates the Shopify OAuth flow (10-minute expiry, set only during store connection)

For more details, see our Cookie Policy.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of access: Request a copy of all personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data (also triggered automatically when you uninstall the app)
  • Right to data portability: Receive your data in a machine-readable format
  • Right to restrict processing: Request that we limit how we process your data
  • Right to object: Object to processing based on our legitimate interests
  • Right to withdraw consent: Withdraw consent at any time for optional features like AI insights

To exercise any of these rights, contact us at privacy@greencommerce.io. We will respond within 30 days.

9. Shopify GDPR Compliance

GreenCommerce fully supports Shopify's mandatory GDPR webhooks:

  • Customer data request: When a customer requests their data, we compile all order and emission records associated with them
  • Customer data erasure: When a customer requests deletion, we redact all personally identifiable information from their order records
  • Shop data erasure: When you uninstall the app, all merchant data including orders, emissions records, and account information is permanently deleted

For more details, see our GDPR Compliance page.

10. International Data Transfers

Your data may be processed in the United States, where our hosting infrastructure is located. If you are located outside the United States, your data will be transferred to and processed in the United States. We rely on standard contractual clauses and our service providers' compliance frameworks (including SOC 2 certifications) to ensure adequate protection of your data during international transfers.

11. Children's Privacy

Our Service is designed for business use and is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will also notify you via the email address associated with your account. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern:

Email: privacy@greencommerce.io