Security & trust.
Retrics reads your store's history to help you keep your customers. We treat that access as a responsibility, not a convenience. Here is exactly how we protect it — the connection, the data at rest, and the limits we hold ourselves to.
How we protect your data
Read-only Shopify access
Retrics requests only three scopes: read_customers, read_orders, and read_products. We cannot edit, create, or delete anything in your store, and we never request write access.
We do not request access to Shopify checkout, payment, or fulfillment scopes. What we can see is the minimum needed to compute retention, cohort, and lifecycle analytics — nothing more.
Verified connections
The Shopify install runs through OAuth with a signed, single-use state parameter, so the authorization callback can't be forged or replayed (CSRF protection).
Every incoming Shopify webhook is verified with a timing-safe HMAC comparison against the shared secret. Requests that fail verification are rejected before any handler runs.
Encryption in transit and at rest
All traffic to and from Retrics is served over TLS. There is no unencrypted path to the application or its APIs.
Shopify access tokens are encrypted at rest with AES-GCM (authenticated encryption) and are never written to logs. They are decrypted only in memory, at the moment a request to Shopify is made.
Emails hashed, not exposed
Customer email addresses are hashed with SHA-256 before they are used as join keys for analytics. Our cohort and lifecycle computations operate on hashes, not raw addresses.
This keeps identity linkage possible for retention math while limiting where plaintext customer contact data needs to travel.
Least privilege, by default
Production access is restricted to a small number of operators, scoped to what their role requires, and audited. Secrets are held in a managed secret store, not in source control.
Subprocessors (hosting, database, email delivery) are vetted and bound by data-processing agreements. We isolate each workspace's store data.
Shopify data rules, honored
Retrics complies with Shopify's Protected Customer Data requirements: we collect the minimum, use it only to provide the service, and don't retain it beyond what the product needs.
We implement Shopify's mandatory compliance webhooks — customers/redact, shop/redact, and customers/data_request — so redaction and data-access requests flow through to us and are honored.
Billing you can trust
Paid plans are billed through Shopify's billing system. Card and payment details are handled by Shopify — Retrics never sees, stores, or processes your card data.
We never sell your data
We do not sell your data, your customers' data, or any audience derived from it — to anyone, ever. Your store's data is used to run your workspace and nothing else.
Model inputs and outputs from your store are not used to train models for other customers.
What we're building next
We are honest about what is in place today versus what is on the way. The items below are commitments in progress, not claims of things already achieved.
Formal audits
SOC 2 Type II is on our roadmap. We are building the control documentation and evidence collection toward a formal audit; we will publish the report here when it is complete, and we won't claim certifications we don't yet hold.
Ongoing hardening
We are expanding automated dependency and secret scanning, tightening access reviews, and formalizing our incident-response runbook. Security is maintained continuously, not treated as a one-time checkbox.
Report a vulnerability
If you believe you've found a security issue in Retrics, please tell us before disclosing it publicly. Email security@retrics.ai with the details and steps to reproduce. We investigate every credible report, act in good faith, and will keep you updated as we resolve it.