Privacy Policy
Last updated: May 25, 2026
RightReviews ("we", "us", "our") operates out of Saskatoon, Saskatchewan, Canada. This Privacy Policy explains how we collect, use, store, and share information when you install and use the RightReviews Shopify app ("the App"), visit rightreviews.app, or interact with us as a merchant or as an end-customer of a merchant who uses the App.
If you have questions, email support@rightreviews.app.
1. Who this policy applies to
- Merchants — Shopify store owners who install the App on their store.
- End-customers — shoppers on a merchant's store who submit a product review, upload a review photo, or click a review-request email.
- Visitors — anyone who visits rightreviews.app.
2. Information we collect
From merchants (via Shopify OAuth)
When you install the App, Shopify shares the following with us under the scopes you approve:
- Shop domain, shop name, owner email, billing country, plan type
- Products, variants, product images, collections (for binding reviews to products)
- Orders and order line items (only to send post-purchase review-request emails to customers who opted in)
- Customer email addresses tied to those orders (review-request emails only)
- Theme information (to install the review-display widget)
We never receive payment card data, passwords, or admin login credentials.
From end-customers
When an end-customer submits a review on a merchant's store, we collect:
- Their name (as they provide it — can be a first name, initials, or pseudonym)
- Their email address (optional, used only to contact them about their review if the merchant replies)
- Review text and star rating
- Optional photos they upload with the review (stored in Cloudflare R2)
- The merchant store and product the review is attached to
- IP address and user-agent (for spam prevention only; retained 30 days then deleted)
From visitors to rightreviews.app
- Standard web analytics: pages viewed, referrer, anonymized IP, browser type
- Form submissions if you contact us (name, email, message)
- We do not use third-party advertising trackers or behavioral ad networks.
3. How we use the information
- Operate the App: display reviews on storefronts, sync orders, send review-request emails on behalf of merchants
- Respond to merchant support requests
- Bill merchants for paid plans via Shopify's billing API
- Detect and prevent spam, fraud, and abuse
- Improve the App (aggregated, non-identifying analytics)
- Comply with legal obligations
We do not sell personal information. We do not use end-customer data for our own marketing.
4. Subprocessors
We rely on these third parties to operate the App. Each is bound by data-processing terms:
| Subprocessor | Purpose | Region |
|---|---|---|
| Shopify Inc. | Platform, OAuth, billing | Global |
| Vercel Inc. | App hosting | United States |
| Supabase (Supabase Inc.) | Database, auth | United States |
| Cloudflare, Inc. (R2 + CDN) | Image storage, image delivery | Global |
| Resend (Resend.com Inc.) | Transactional email (review requests, support) | United States |
If we add or replace a subprocessor we will update this list.
5. Data retention
- Active merchants: review data is retained for as long as the App is installed.
- Uninstalled merchants: review data is retained for 30 days after uninstall, then permanently purged. If you reinstall within 30 days your data is restored.
- End-customer review content: retained for as long as the merchant retains the App and the review is published. Merchants can delete individual reviews at any time.
- IP / user-agent spam logs: 30 days.
- Billing records: 7 years (legal/tax requirement).
- Support emails: 2 years from last interaction.
6. Shopify Protected Customer Data
The App processes Protected Customer Data (customer email addresses tied to orders) only for the purpose of sending review-request emails that the merchant has explicitly enabled. We comply with Shopify's Protected Customer Data requirements, including:
- Minimum necessary access (we only read orders, not write)
- Annual data-protection review
- Customer redaction within 30 days of a Shopify GDPR webhook
- No use of Protected Customer Data for any purpose other than the merchant's stated use
7. Your rights (GDPR, CCPA, PIPEDA)
If you are a merchant or end-customer, you may:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Export your data in a portable format (JSON)
- Object to processing or restrict it
- Withdraw consent at any time
To exercise any of these, email support@rightreviews.app. We respond within 30 days.
Merchants can also trigger deletion by uninstalling the App; uninstall purges all data after the 30-day grace period.
8. Shopify GDPR webhooks
We respond to the three mandatory Shopify webhooks:
- customers/data_request — within 30 days we provide all data we hold for the requested customer
- customers/redact — within 30 days we delete all data for the requested customer
- shop/redact — within 30 days of uninstall we delete all shop data (after the 30-day grace window)
9. Security
- All data transmitted to and from the App is encrypted with TLS 1.2+
- Database access is restricted by service-role keys held only by RightReviews infrastructure
- Image uploads are scanned for size/type validation; only image MIME types are accepted
- Access logs are reviewed regularly
- We will notify affected merchants within 72 hours of confirming a personal-data breach
10. International transfers
Data may be processed in the United States, Canada, and other regions where our subprocessors operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
11. Children
The App is not directed at anyone under 16. If we learn we have collected data from a child under 16, we will delete it.
12. Changes to this policy
If we make a material change, we will email registered merchants and update the "Last updated" date above. Continued use of the App after a change constitutes acceptance.
13. Contact
- All privacy, data-access, and deletion requests: support@rightreviews.app
- Based in: Saskatoon, Saskatchewan, Canada