← Winback IQ

Winback IQ — Privacy Policy

Last updated: 2026-06-28

Winback IQ ("the App", "we", "us") is a Shopify embedded app that computes an RFM

(Recency / Frequency / Monetary) segmentation of a merchant's customers from the

merchant's own Shopify order history, and — for paying merchants — writes a

segment tag back to Shopify customers. This policy explains exactly what the App

accesses, what it stores, and your rights. It is grounded in what this specific

app does — not a generic template.

1. Who this applies to

This policy applies to the Shopify merchant who installs Winback IQ ("you") and

to the merchant's customers whose order data the App processes on the merchant's

behalf. For that processing, the merchant is the data controller and Winback

IQ is a data processor.

2. What the App accesses (scopes)

Winback IQ requests the minimum Shopify Admin API scopes it needs:

| Scope | Why |

|---|---|

| read_orders | Read the order history (each order's creation date, the customer's opaque ID, and the order total in the shop's currency) to compute Recency, Frequency and Monetary signals. |

| read_customers | Resolve the opaque Shopify customer ID attached to each order (the key the worklist and segments are built on). |

| write_customers | Pro only. Add a single non-destructive tag (WinbackIQ:<Segment>) to a customer so the merchant can target each cohort in Klaviyo / Shopify Email / SMS. It never reads or modifies any other customer field. |

The App is GraphQL-only on Admin API version 2026-04. It does not use the

REST API and requests no other scopes.

3. Protected Customer Data (PCD) level

Because the App requests read_customers and read_orders, Shopify classifies

it as a Protected Customer Data — Level 2 (customer identity) app at the

access boundary, and a Protected Customer Data review is completed in the Shopify

Partner Dashboard before listing. In practice the App reads only the **opaque

customer ID** (never name, email, phone or address fields), and the storage

boundary is "aggregate-and-discard" (section 4) — so no protected personal

fields are ever retained.

4. What we store (and what we never store)

The analysis worker reads orders and customer identifiers transiently,

derives the aggregate scores, and then discards everything except:

• an opaque Shopify customer ID (the GID) — used only to let you open the

customer in your own Shopify admin and, on Pro, to write back the segment tag;

• numeric aggregates per customer: recency (days since last order), order

count, total spend (shop currency), the R/F/M scores 1–5, the lifecycle

segment, and the revenue at risk;

• run-level aggregates: counts, total revenue at risk, the shop currency, and

the deterministic "as of" date;

• standard operational records: your shop domain, the encrypted offline access

token (AES-256-GCM at rest), billing/subscription status, and an idempotency

ledger of inbound webhook IDs.

We never store, log, or transmit to any third party: customer names, email

addresses, phone numbers, shipping or billing addresses, payment details, or

individual order line items.

5. How we use the data

Solely to provide the App's functionality to you: compute the RFM segmentation,

render the dashboard / worklist / insights, and (on Pro) write the segment tag

back to your Shopify customers and produce a CSV export you request. We do not

sell data, do not use it for advertising, and do not combine it across merchants.

6. Sub-processors

• Hosting: a dedicated server operated for this app (EU/Contabo-class VPS),

running PostgreSQL and Redis. Data stays on this host.

• Shopify: the source of the order/customer data and the billing platform.
• Anthropic (AI): not used. Winback IQ's engine is 100% offline

arithmetic — no large-language-model or other AI sub-processor is involved, and

no data is sent to any AI provider.

We will keep this list current; we do not add a sub-processor that receives

customer data without updating this policy.

7. Data retention & deletion

• Aggregates persist while the App is installed so your dashboard and trend stay

available across runs.

• Uninstall: on app/uninstalled we mark your shop inactive. On Shopify's

shop/redact request (~48 hours after uninstall) we cascade-delete every row

for your shop.

• Customer redaction: on customers/redact we delete that customer's

aggregate rows by opaque ID.

• Customer data request: on customers/data_request we confirm that we hold

only an opaque ID and aggregate scores for the customer — there is no personal

data to assemble.

8. GDPR / privacy rights

For EU/UK data subjects, the merchant (as controller) can exercise access,

rectification, erasure, restriction and portability rights via Shopify's

mandatory compliance webhooks above, which the App honours automatically. Because

we hold no personal identifiers beyond an opaque ID, most requests resolve to "no

personal data held" or a targeted aggregate deletion.

9. Security

Offline access tokens are encrypted at rest (AES-256-GCM). Transport is HTTPS

only. Webhooks are HMAC-verified and de-duplicated. The database runs behind a

connection pooler with least-privilege credentials.

10. Changes

We will update this policy as the App changes and revise the "Last updated" date.

11. Contact

Questions or a data request: privacy@syncerp.work.

The in-app disclosure lives at https://winbackiq.syncerp.work/docs/protected-customer-data.