Legallast updated July 7, 2026

Security & trust.

Retrics reads your store's history to help you keep your customers. We treat that access as a responsibility, not a convenience. Here is exactly how we protect it — the connection, the data at rest, and the limits we hold ourselves to.

Posture

How we protect your data

01

Read-only Shopify access

Retrics requests only three scopes: read_customers, read_orders, and read_products. We cannot edit, create, or delete anything in your store, and we never request write access.

We do not request access to Shopify checkout, payment, or fulfillment scopes. What we can see is the minimum needed to compute retention, cohort, and lifecycle analytics — nothing more.

02

Verified connections

The Shopify install runs through OAuth with a signed, single-use state parameter, so the authorization callback can't be forged or replayed (CSRF protection).

Every incoming Shopify webhook is verified with a timing-safe HMAC comparison against the shared secret. Requests that fail verification are rejected before any handler runs.

03

Encryption in transit and at rest

All traffic to and from Retrics is served over TLS. There is no unencrypted path to the application or its APIs.

Shopify access tokens are encrypted at rest with AES-GCM (authenticated encryption) and are never written to logs. They are decrypted only in memory, at the moment a request to Shopify is made.

04

Emails hashed, not exposed

Customer email addresses are hashed with SHA-256 before they are used as join keys for analytics. Our cohort and lifecycle computations operate on hashes, not raw addresses.

This keeps identity linkage possible for retention math while limiting where plaintext customer contact data needs to travel.

05

Least privilege, by default

Production access is restricted to a small number of operators, scoped to what their role requires, and audited. Secrets are held in a managed secret store, not in source control.

Subprocessors (hosting, database, email delivery) are vetted and bound by data-processing agreements. We isolate each workspace's store data.

06

Shopify data rules, honored

Retrics complies with Shopify's Protected Customer Data requirements: we collect the minimum, use it only to provide the service, and don't retain it beyond what the product needs.

We implement Shopify's mandatory compliance webhooks — customers/redact, shop/redact, and customers/data_request — so redaction and data-access requests flow through to us and are honored.

07

Billing you can trust

Paid plans are billed through Shopify's billing system. Card and payment details are handled by Shopify — Retrics never sees, stores, or processes your card data.

08

We never sell your data

We do not sell your data, your customers' data, or any audience derived from it — to anyone, ever. Your store's data is used to run your workspace and nothing else.

Model inputs and outputs from your store are not used to train models for other customers.

Roadmap

What we're building next

We are honest about what is in place today versus what is on the way. The items below are commitments in progress, not claims of things already achieved.

09

Formal audits

SOC 2 Type II is on our roadmap. We are building the control documentation and evidence collection toward a formal audit; we will publish the report here when it is complete, and we won't claim certifications we don't yet hold.

10

Ongoing hardening

We are expanding automated dependency and secret scanning, tightening access reviews, and formalizing our incident-response runbook. Security is maintained continuously, not treated as a one-time checkbox.

Disclosure

Report a vulnerability

If you believe you've found a security issue in Retrics, please tell us before disclosing it publicly. Email security@retrics.ai with the details and steps to reproduce. We investigate every credible report, act in good faith, and will keep you updated as we resolve it.