Privacy Policy — Replish

1. Introduction

Replish ("we", "our", "us") is a Shopify application that helps merchants generate and publish social media content from their product catalog. This Privacy Policy explains how we collect, use, store, and protect your information when you use our application and website.

2. Information We Collect

2.1 Shopify Store Data

When you install Replish, we access the following from your Shopify store:

Product information (titles, descriptions, images, prices, tags)
Order data (for revenue attribution only — order ID, total, landing page URL)
Store domain and basic store information

2.2 Social Platform Data

When you connect a social media account, we store:

OAuth access tokens (encrypted at rest) to publish content on your behalf
Basic profile information (username, account ID)
Post performance metrics (impressions, clicks, engagement)

2.3 Generated Content

AI-generated text (titles, descriptions, hashtags)
AI-generated and processed images, stored in our cloud storage
Publishing history and scheduling data

2.4 Usage Data

Pages visited, features used, and actions taken within the app
Error logs for debugging and improvement

3. How We Use Your Information

Content generation: We send product data to AI services (OpenRouter, Google Gemini) to generate text and images for your social media posts.
Publishing: We use your social platform tokens to publish content on your connected accounts (Pinterest, Instagram, TikTok, Facebook).
Analytics: We collect post performance data and match it with Shopify orders to provide revenue attribution.
Billing: We use Shopify's built-in billing system to manage your subscription. We do not collect or store credit card information.
Improvement: We use aggregated, anonymized usage data to improve our product.

4. Third-Party Services

We share data with the following services to provide our features:

OpenRouter — AI text generation (product data sent as context)
Google Gemini API — AI image generation
Pinterest API — Publishing pins and fetching analytics
Meta Graph API — Publishing to Instagram and Facebook
TikTok Content Posting API — Publishing to TikTok
Cloudflare R2 — Cloud storage for generated images

Each service has its own privacy policy. We only share the minimum data necessary for each service to function.

5. Data Storage & Security

All data is stored in encrypted databases (PostgreSQL with encryption at rest).
OAuth tokens are encrypted before storage and never logged or exposed.
Images are stored in Cloudflare R2 with restricted access.
All communication uses HTTPS/TLS encryption.
We validate Shopify webhooks using HMAC to prevent tampering.

6. Data Retention

We retain your data for as long as the app is installed on your store. When you uninstall Replish:

We receive a webhook from Shopify and mark your store data for deletion.
Your data (products, generated content, images, tokens) is permanently deleted within 30 days.
Anonymized, aggregated analytics may be retained for product improvement.

7. Your Rights

You have the right to:

Access your data — contact us for an export of all data we hold about your store.
Delete your data — uninstall the app, or contact us for immediate deletion.
Disconnect social accounts — revoke OAuth access at any time from Settings.
Opt out of analytics data collection by contacting us.

8. Cookies

The Replish app runs inside Shopify Admin and does not use cookies directly. Our marketing website may use essential cookies for analytics (no third-party tracking).

9. Children's Privacy

Replish is a B2B service for Shopify merchants. We do not knowingly collect data from children under 16.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via the app or email. Continued use of the app after changes constitutes acceptance.

11. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:

[email protected]