Privacy Policy
Resurface — Last updated: June 2026
Resurface (“we”, “our”, “the app”) is a Shopify app that shows a cart recovery modal to shoppers who go idle on a merchant’s storefront. This policy explains what data we collect, how we use it, and your rights.
1. Data We Collect
We collect only the minimum data needed to operate the app:
- Shop domain — the
.myshopify.com domain of the merchant’s store (e.g. my-store.myshopify.com). - Modal settings — inactivity timeout, headline text, and accent color configured by the merchant.
- Impression events — each time the modal is shown, we record the shop domain, product ID, product title, and timestamp. We do not record the shopper’s identity, IP address, email, or any personally identifiable information.
- OAuth session tokens — stored to maintain the merchant’s authenticated session with Shopify.
2. Data We Do Not Collect
- Shopper names, email addresses, or contact details
- Shopper IP addresses or device fingerprints
- Payment or financial information
- Browsing history outside of cart state
- Any data from stores where the app is not installed
3. How We Use Data
- Shop domain & settings — to serve the correct modal configuration to the storefront script.
- Impression events — to display the dashboard impression count to the merchant and enforce the free plan limit (500 impressions/month).
- Session tokens — to authenticate the merchant in the Shopify admin.
We do not sell, rent, or share any data with third parties.
4. Data Retention
- When a merchant uninstalls the app, their OAuth session is immediately deleted. Settings and impression history are retained temporarily so the merchant’s data is preserved if they reinstall.
- Approximately 48 hours after uninstall, Shopify sends a
shop/redact webhook. At that point we permanently delete all remaining data for that shop (settings, impression records, and session tokens).
5. GDPR & Data Subject Rights
Resurface complies with the General Data Protection Regulation (GDPR) and Shopify’s mandatory privacy requirements:
- Customer data request — Resurface stores no customer PII, so there is no personal data to return for a data subject access request.
- Customer data erasure — Resurface stores no customer PII, so there is no personal data to erase for a customer erasure request.
- Shop erasure — all merchant data is permanently deleted within 48 hours of app uninstall via the Shopify
shop/redact webhook.
6. Security
All data is stored in a managed PostgreSQL database. Data in transit is encrypted via HTTPS/TLS. We do not store Shopify API credentials in the database — they are managed via environment variables and Shopify’s OAuth flow.
7. Changes to This Policy
We may update this policy as the app evolves. Material changes will be communicated to merchants via the Shopify admin or email. Continued use of the app after changes constitutes acceptance of the updated policy.
8. Contact
For privacy questions or data deletion requests, contact us at mehedi.hasan2724@gmail.com.
Resurface is an independent Shopify app. It is not affiliated with or endorsed by Shopify Inc.
© 2026 Resurface. All rights reserved.