← Back to Reorbit

Privacy Policy

Last updated: 2026-05-16

1. Who we are

Reorbit ("we", "us") is an app installed by Shopify merchants to send AI-generated post-purchase upsell and win-back communications. This policy describes how we handle data we receive from Shopify and from merchants using our service. Contact: privacy@reorbit.dev.

2. Data we collect

From the connected Shopify store, with the merchant's consent:

  • Shop domain, shop email, plan, currency, installed Shopify scopes.
  • Order data: order number, total, currency, financial status, fulfillment status, line items, customer ID, customer email, order timestamps.
  • Product catalogue used to generate recommendations.

From end-customers receiving our emails: email address, unsubscribe status, basic delivery telemetry (sent, bounced, complained).

3. How we use it

  • To generate personalised upsell and win-back emails on the merchant's behalf.
  • To send those emails from the merchant-configured sending domain.
  • To measure attributed revenue and surface it in the merchant dashboard.
  • To operate, secure, and improve the service.

We do not sell personal data. We do not use it to train third-party AI models.

4. Sub-processors

  • Supabase (database + storage, EU region).
  • Cloudflare (edge compute + CDN).
  • Resend (email delivery).
  • OpenAI / Google (model inference; data not retained for training).

5. Retention

Order and customer data is retained while the app is installed. On uninstall the shop is marked inactive; 48 hours later, on receipt of Shopify's shop/redact webhook, we permanently delete all shop and customer data. Individual customers can be redacted earlier via Shopify's customers/redact webhook.

6. Your rights (GDPR / CCPA)

Merchants and their customers can request access, correction, export, or deletion of personal data by emailing privacy@reorbit.dev. Customers can also use the one-click unsubscribe link in every email.

7. Security

All traffic is encrypted with TLS. Shopify access tokens and API keys are stored encrypted at rest. Access to production data is limited to authorised personnel and audited.

8. Changes

We will post any updates to this policy on this page and, for material changes, notify merchants by email.