Privacy Policy
This policy explains what personal data RefillKit processes, why, who we share it with, how long we keep it, and the choices you have — for merchants, their customers, and visitors to this site.
01 Who we are & what this covers
RefillKit (“RefillKit,” “we,” “us”) provides a subscription and replenishment application for Shopify stores. This Privacy Policy explains how we handle personal data across two surfaces: this marketing website, and the RefillKit application that a merchant installs on their Shopify store.
For data belonging to a merchant’s customers (subscribers), the merchant is the data controller and RefillKit acts as a data processor on the merchant’s behalf. Our processing of that data is also governed by our Data Processing Agreement. For data about the merchant themselves and for visitors to this website, RefillKit acts as a controller.
We are an app built on Shopify. Shopify has its own privacy practices for the data it controls. This policy covers only RefillKit; it does not replace Shopify’s privacy policy or your merchant agreement with Shopify.
02 The data we process
We keep what we collect to the minimum needed to run the service.
From merchants
- Store identity: shop domain, store name, plan, currency, and timezone.
- Contact details: the name and email of the staff who install and configure the app.
- Configuration you enter: plans, dunning settings, save-offers, and email templates.
- An encrypted Shopify access token used to call the Admin API on your store.
From your customers (protected customer data)
To run subscriptions, dunning, and the customer portal, we process the following on the merchant’s behalf, accessed through Shopify’s APIs:
- Name and email address (for the portal and transactional emails).
- Shipping and billing address, where a subscription requires it.
- Subscription contract data: products, quantities, prices (in integer cents), billing frequency, and next billing date.
- Billing outcomes: whether a charge succeeded or failed, and the failure class — never card numbers.
- Payment method references (Shopify identifiers only). We never receive, store, or log raw card data — when a customer updates their card, they do so on Shopify’s secure hosted form, and we never see the details.
- During a migration you ask us to run, the contents of the CSV you upload (customer and subscription details). Staged migration data is held only to validate it, show you a report, and run a dry run, then deleted after you activate, roll back, or ask us to remove it.
From website visitors
- Basic, privacy-respecting analytics (pages viewed, approximate region, device type) and anything you submit through a contact link. See Cookies.
03 How we use data
We use personal data only for the purposes it was collected for:
- To create and bill subscription contracts on the schedule the merchant configures.
- To recover failed payments through the retry ladder and card-update emails.
- To power the self-service customer portal (skip, swap, pause, cancel, update payment).
- To report MRR, churn, recovered revenue, and other metrics back to the merchant.
- To migrate subscriptions from another app when a merchant asks us to.
- To provide support, secure the service, prevent abuse, and meet legal obligations.
We do not sell personal data, and we do not use a merchant’s customer data to build profiles, train models, or for advertising.
04 Legal bases (GDPR/UK GDPR)
Where the GDPR or UK GDPR applies, we rely on these legal bases:
- Contract: to provide the service to a merchant under our Terms of Service.
- Legitimate interests: to secure, maintain, and improve the service, and to communicate about it — balanced against your rights.
- Legal obligation: to keep records and respond to lawful requests.
- Consent: for any non-essential cookies or optional communications, where required.
For a merchant’s customer data, the merchant determines the legal basis as controller; we process it under their documented instructions.
05 Protected customer data & Shopify
Customer data accessed through Shopify is “protected customer data” under Shopify’s requirements, and we handle it accordingly:
- Minimization: we request only the API scopes the features need, and process only the fields listed above.
- Purpose limitation: we use the data only to deliver the features the merchant turned on.
- Transparency: this policy and our in-app disclosures explain what we process and why.
- Encryption: data is encrypted in transit (TLS) and access tokens are encrypted at rest.
- Retention & deletion: we honor Shopify’s mandatory data-request, customer-redact, and shop-redact webhooks. See Data retention.
- Access control: staff access is limited to those who need it, and logged.
07 International transfers
Our providers may process data in countries other than yours. Where personal data is transferred out of the EEA, the UK, or other regulated regions, we rely on the European Commission’s Standard Contractual Clauses (Module Two, controller-to-processor) and the UK International Data Transfer Addendum, together with supplementary safeguards — encryption in transit and of tokens at rest, and the access controls described in Security. The transfer mechanism for our processing of your customers’ data is set out in our Data Processing Agreement.
08 Data retention
We keep personal data only as long as we need it:
- While the app is installed: we retain the subscription mirror and settings so the service can run.
- On uninstall: Shopify sends a shop-redact request, after which we delete the store’s data within the period Shopify requires.
- On a customer-redact request: we erase that customer’s personal data (including any staged migration rows), keeping only what we are legally required to retain.
- On a data-request: we compile the personal data we hold for that customer so the merchant can provide it.
09 Security
We protect personal data with measures appropriate to the risk, including:
- TLS encryption in transit and encryption of access tokens at rest (AES-256-GCM).
- A strict rule against ever storing, logging, or handling raw card data.
- Tenant isolation: every record is scoped to a single store, with no cross-store access.
- Least-privilege access for staff, and structured logging that redacts tokens and PII.
- Dependency scanning and secret scanning in our build pipeline.
No system is perfectly secure, but if a breach affects your personal data we will act promptly, notify Shopify and affected parties as required, and tell you what happened and what we are doing about it.
10 Your rights & choices
Depending on where you live, you may have the right to access, correct, delete, port, restrict, or object to the processing of your personal data, and to withdraw consent.
- If you are a subscriber (a merchant’s customer): contact the store you subscribed to — they are the controller. We will support their request, including through Shopify’s data-request and redact flows.
- If you are a merchant or website visitor: email us and we will help you exercise your rights.
You also have the right to lodge a complaint with your local data protection authority.
12 Children
RefillKit is a business tool and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
13 Changes to this policy
We may update this policy as the product or the law changes. We will revise the “last updated” date above and, for material changes, give notice in the app or by email. Your continued use after an update means you accept the revised policy.
14 Contact us
For privacy questions or to exercise your rights, contact our privacy team at privacy@refillkit.website, or our support team at support@refillkit.website.
See also our Terms of Service and Data Processing Agreement.