🦈 Tiburón Agent
AI-Powered Sales Recovery for Shopify
Privacy Policy
Last updated: March 1, 2026
GDPR & CCPA Compliant
Tiburón Agent ("we", "our", or "the App") is a Shopify application that helps
merchants recover abandoned carts and monitor inventory through automated notifications.
This Privacy Policy explains what data we collect, how we use it, and your rights.
1. Who We Are
Tiburón Agent is operated as an independent Shopify Partner application.
For any privacy-related inquiries, contact us at
privacy@tiburonagent.com.
2. Data We Collect
When a merchant installs the App, we collect and process the following data:
From Shopify (via OAuth & Webhooks):
- Shop domain and basic store information
- Product catalog: titles, prices, inventory levels, SKUs
- Order data: order IDs, totals, line items (no payment details)
- Refund events (for ROI calculation)
From the Web Pixel (Storefront Behavior):
- Cart activity: cart tokens, product IDs added, timestamps
- Checkout completion events (to confirm a sale was recovered)
- Anonymous session IDs (no personal identifiers collected from shoppers)
Merchant Configuration:
- Phone number provided by the merchant for SMS/WhatsApp alerts
- Notification preferences and channel settings
3. What We Do NOT Collect
- Credit card numbers or payment information
- Shopper names, emails, or addresses (redacted before storage)
- Passwords or authentication credentials
- Browser fingerprinting data
4. How We Use the Data
- Cart abandonment detection: Identify when a shopper adds to cart but doesn't complete checkout within 30 minutes
- Merchant notifications: Send SMS or WhatsApp alerts to the merchant's configured phone number
- Inventory monitoring: Alert merchants when stock falls below a critical threshold
- ROI reporting: Track which abandoned carts were subsequently recovered
- Analytics: Aggregate (non-personal) statistics shown in the merchant dashboard
5. Data Sharing and Third-Party Services
We share limited data with the following third-party providers to operate the App:
- Twilio: SMS and WhatsApp message delivery. The recipient is always the merchant's own phone number. See the Twilio Privacy Policy.
- Google Sheets API: Optional reporting, with recovered sales and stock alerts written to the merchant's own Google Spreadsheet. See the Google Privacy Policy.
- Discord: Optional real-time alerts to the merchant's Discord channel via Webhook. See the Discord Privacy Policy.
- Railway: Cloud hosting and database provider. Data is stored in Railway-managed PostgreSQL. See the Railway Privacy Policy.
We do not sell merchant or shopper data to any third party.
6. Data Retention
- Store event data (cart activity): retained for 48 hours after the event
- Price alerts and notifications: retained for 30 days
- Recovery sessions (ROI data): retained for 90 days
- Product and pricing history: retained for the duration of the subscription
- After app uninstall: all data is scheduled for deletion within 7 days
7. GDPR Rights (EU Merchants and Shoppers)
If you are located in the European Economic Area, you have the following rights:
- Right to access: Request a copy of data we hold about your store
- Right to erasure: Request deletion of all store data. This is processed automatically when you uninstall the App
- Right to portability: Request your data in machine-readable format
- Right to object: Object to specific data processing activities
We comply with Shopify's mandatory GDPR webhook requirements:
customers/data_request, customers/redact, and
shop/redact are all implemented with HMAC validation and audit logging.
8. CCPA Rights (California Merchants)
California residents have the right to:
- Know what personal information we collect and why
- Request deletion of personal information
- Opt out of the sale of personal information (we do not sell data)
- Non-discrimination for exercising CCPA rights
9. Security
All data is encrypted in transit (TLS 1.2+). Shopify API access tokens are stored
encrypted and never logged. Webhook authenticity is verified using HMAC-SHA256
signatures on every request. We implement rate limiting and anti-replay protection
on all sensitive endpoints.
10. Cookies and Tracking
The App's Web Pixel runs in Shopify's sandboxed environment. It does not set cookies
on shoppers' browsers and does not perform cross-site tracking. Session identifiers
are anonymous and scoped to the cart session only.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Merchants will be notified of
material changes via the App dashboard. Continued use of the App after changes
constitutes acceptance of the updated policy.