Legallast updated 07 jul 2026

Your data rights.

GDPR and CCPA give you real control over your personal data. This page sets out those rights plainly, and shows exactly how a merchant or a shopper exercises them with Retrics — including the Shopify requests we honor automatically.

01

Two roles, two paths

Under privacy law, a Retrics merchant is the controller of its customers' data — it decides why the data is collected and how it is used. Retrics is a processor: we read a store's orders, customers, and products through Shopify's API, read-only, only to compute retention analytics on the merchant's behalf.

That distinction decides who you contact. If you run a Shopify store using Retrics, exercise your rights directly with us. If you are a shopper who bought from a store that uses Retrics, the store is your first point of contact — it holds your relationship and instructs us. We honor the requests it passes to us automatically.

02

Your rights under GDPR

Access: obtain confirmation of whether we process your personal data and receive a copy of it.

Rectification: correct personal data that is inaccurate or incomplete.

Erasure: have your personal data deleted (the right to be forgotten), subject to lawful retention exceptions.

Portability: receive the personal data you provided in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.

Restriction: ask us to limit how we process your data while a request is being resolved.

Objection: object to processing based on legitimate interests, and withdraw any consent you previously gave, without affecting processing already carried out.

03

Your rights under CCPA/CPRA

Know: request the categories and specific pieces of personal information collected about you, and how it is used and disclosed.

Delete: request deletion of the personal information collected from you, subject to lawful exceptions.

Correct: request correction of inaccurate personal information.

Opt out of sale or sharing: California law gives you the right to opt out of the sale or sharing of personal information. Retrics does not sell or share your data, or your customers' data, or any derived audiences — so there is nothing to opt out of. We also do not use protected-customer data for cross-context behavioral advertising.

Non-discrimination: you will not be denied service, charged a different price, or given a lower quality of service for exercising any of these rights.

04

If you are a merchant

Handle most requests yourself, instantly, in the app: open Settings → Data & privacy to export your workspace data, correct account details, or delete your workspace. Deleting a workspace removes your store's data from our production systems within 30 days.

For anything you would rather we handle — an access report, a specific correction, or a question about what we hold — email hello@retrics.ai from the address on your account. We confirm your identity through your account and respond within 30 days.

05

If you are a shopper

Contact the store you purchased from. As the controller, it owns your customer relationship and decides how your data is handled; it can action most requests directly and instruct us on the rest.

You can also use Shopify's built-in data-request and deletion flow. When a merchant or Shopify triggers it, Shopify sends the store's apps a customers/data_request or customers/redact webhook. Retrics receives these and acts on them automatically — see below.

06

How Shopify requests are honored

customers/data_request: Shopify notifies us when a customer asks a merchant for their data. We compile the personal data Retrics holds for that customer — which for us is limited, since we store hashed email identifiers rather than raw addresses wherever possible — and return it to the merchant to fulfill the request.

customers/redact: when a customer's data must be erased, Shopify sends this webhook (typically 10 days after a request, or when a store is closed). We delete or irreversibly anonymize that customer's records in our systems.

shop/redact: when a store uninstalls Retrics, Shopify sends this webhook 48 hours later and we erase the store's data from our production systems.

These webhooks are mandatory for Shopify apps and we honor them as a matter of course, independent of any manual request — they are part of respecting Shopify's protected-customer-data requirements.

07

Response times

We acknowledge and complete verified requests within 30 days, as GDPR and CCPA require. If a request is unusually complex or you have made several, we may extend this by a further period and will tell you why before the first 30 days are up.

We may ask for enough information to verify who you are before we act — this protects you from someone else requesting your data. We do not charge a fee for a reasonable request.

08

Complaints & contact

If you believe we have mishandled your data or your request, tell us at hello@retrics.ai and we will work to put it right. You also have the right to lodge a complaint with your local supervisory authority (in the EU/UK) or the California Privacy Protection Agency.

These rights and our handling of them are governed by the laws of the State of Delaware, USA, without prejudice to the mandatory protections of your local law.