Privacy Policy

Last updated: February 16, 2026

1. Introduction

Aurah Commerce LLC ("we", "us", "our") operates the Ecombone suite of Shopify applications (collectively, the "Services"), including Ecombone Returns & Exchanges, Ecombone Warranty Claims, Ecombone Inventory Manager, Ecombone Profit Tracker, and any future applications published under the Ecombone brand. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use any of our Services.

2. Information from Shopify

When you install any of our apps, we collect and store the following information from your Shopify store. The specific data accessed depends on which app(s) you install:

  • Store Information (all apps): Store name, domain, email address, currency, and timezone
  • Order Data (Returns & Exchanges, Warranty Claims, Profit Tracker): Order numbers, customer names, customer email addresses, order totals, line items (product names, SKUs, prices, quantities, variants), shipping addresses, order status, fulfillment status, discount codes, and discount allocations
  • Product Data (all apps): Product titles, images, variants, prices, tags, and collections
  • Inventory Data (Inventory Manager): Inventory levels, locations, stock quantities, and fulfillment history
  • Authentication Data (all apps): Shopify access tokens (stored securely and never shared)

3. Information You Provide

We also collect information that you provide directly, depending on which Services you use:

  • Branding Settings: Brand name, logo URLs, and color preferences
  • Return & Exchange Settings: Return window, return reasons, return locations/addresses, status workflow preferences, email notification preferences
  • Return Requests: Customer-submitted return information including items, reasons, and exchange selections
  • Warranty Settings: Warranty rules, coverage periods, resolution preferences, and claim reasons
  • Warranty Claims: Customer-submitted claims including item details, issue descriptions, and photo evidence (JPEG, PNG, WebP)
  • Inventory Settings: Supplier information, lead times, reorder thresholds, packaging material rules, raw material allocations, and demand forecasting preferences
  • Profit Tracker Settings: COGS data, shipping costs, advertising spend, and fee configurations
  • Team Member Information: Names, email addresses, and role assignments for team accounts

4. Automatically Collected Information

Certain information is collected automatically when you use the Services:

  • Usage Data: IP addresses (for rate limiting), browser type, operating system, timestamps
  • Session Data: Authentication tokens (stored in secure HTTP-only cookies)

5. How We Use Your Information

We use the collected information to:

  • Provide the Services: Process return requests, warranty claims, refunds, exchange orders, inventory tracking, profit calculations, and send email notifications
  • Improve the Services: Analyze usage patterns, troubleshoot issues, develop new features
  • Security: Prevent fraud, enforce rate limits, protect against malicious activity
  • Communication: Send service-related emails (return confirmations, warranty updates, inventory alerts, status notifications)
  • Compliance: Meet legal obligations and Shopify Partner Program requirements

6. Data Storage and Security

All data is stored in Supabase (PostgreSQL) with row-level security enabled. Data is stored in the EU (Ireland). Data is encrypted in transit (TLS 1.3) and at rest (AES-256). We implement the following security measures:

  • Shopify access tokens are encrypted and stored securely
  • HTTP-only cookies with Secure and SameSite flags
  • HMAC-SHA256 signed session tokens
  • PBKDF2 password hashing for team member accounts
  • Rate limiting to prevent abuse
  • Row-level security (RLS) for multi-tenant isolation
  • Read-only Shopify API access where applicable (e.g., Inventory Manager never writes to your store)
  • Regular security audits and dependency updates

7. Data Retention

We retain your data according to the following schedule:

  • Active Stores: Data retained while the app is installed
  • Uninstalled Apps: Data retained for 30 days after uninstallation, then permanently deleted
  • Operational Records (returns, warranty claims, inventory history): Retained for as long as the respective app is installed for record-keeping and compliance
  • Photo Uploads (Warranty Claims): Retained for as long as the app is installed; deleted within 30 days of uninstallation

8. Data Sharing and Third Parties

We share data with the following essential service providers:

  • Shopify: We access your Shopify store data via the Shopify API to provide app functionality
  • Supabase: Database hosting and storage provider
  • Resend: Email delivery service for notifications across all apps

9. What We Don't Do

We are committed to responsible data practices:

  • We do NOT sell your data to third parties
  • We do NOT use your data for advertising
  • We do NOT share your data with competitors
  • We do NOT train AI models on your customer data
  • We do NOT share data between different merchants' accounts

10. Legal Basis for Processing (GDPR)

We process your personal information based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Services you requested (e.g., managing returns, processing warranty claims, tracking inventory)
  • Legitimate Interest: Processing necessary for our legitimate business interests (e.g., improving the Services, preventing fraud, ensuring security)
  • Legal Obligation: Processing necessary to comply with applicable laws (e.g., tax regulations, Shopify Partner requirements)
  • Consent: Where required by law, we process data based on your explicit consent, which you may withdraw at any time

11. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights:

  • Right to Access: Request a copy of your data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request deletion of your data
  • Right to Restriction: Limit how we use your data
  • Right to Portability: Receive your data in a structured format
  • Right to Object: Object to data processing
  • Right to Withdraw Consent: Withdraw consent at any time

12. Your Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of your personal information (note: we do not sell your data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

13. Data Protection Officer

To exercise your GDPR or CCPA rights, or for data protection inquiries, contact us at info@ecombone.com or uninstall the app from your Shopify admin. For dedicated data protection inquiries, email dpo@ecombone.com or write to 30N Gould St, Sheridan, WY 82801, US. We will respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA).

14. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected parties and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Notification will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach. We will communicate directly with affected merchants via their store email address.

15. Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

16. International Data Transfers

If you are located outside the United States, your data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place for such transfers in compliance with GDPR Article 46.

17. Cookies

We use the following cookies across our Services:

  • Session Cookies: admin_session_{store-slug} (authentication, HTTP-only, expires after 24 hours)
  • OAuth Cookies: shopify_oauth_nonce (CSRF protection, expires after 10 minutes), auth_redirect (post-login redirect, expires after 10 minutes)

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last Updated" date, posting a notice in the app, and sending an email to your store's email address. Continued use of the Services after changes constitutes acceptance of the updated policy.

19. Shopify App Store Compliance

All Ecombone apps comply with Shopify's API Terms of Service and Partner Program Agreement. We:

  • Only access data necessary for each app's functionality
  • Use Shopify OAuth for authentication
  • Verify webhook signatures
  • Delete merchant data within 48 hours of uninstallation (or within 30 days if legally required to retain)

20. Contact Us

If you have questions about this Privacy Policy, contact us at info@ecombone.com or visit https://ecombone.com. Mailing Address: 30N Gould St, Sheridan, WY 82801, US.

21. Data Processing Addendum (DPA)

For customers requiring a Data Processing Addendum under GDPR Article 28, please contact info@ecombone.com to request our DPA template.