Privacy Policy
Last Updated: October 13, 2025
Support Beam ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopify application.
1. Information We Collect
1.1 Information from Your Shopify Store
When you install Support Beam, we collect and process the following data from your Shopify store:
- Customer Information: Names, email addresses, and contact details of your customers
- Order Data: Order numbers, order history, financial status, fulfillment status, line items, and total amounts
- Product Information: Product names, descriptions, and images from orders
- Store Information: Your Shopify store domain and configuration details
1.2 Information You Provide
- Account Information: Email address and authentication details
- Support Tickets: Content of support tickets, messages, and internal notes
- Email Settings: Custom email templates, branding, and configuration
1.3 Automatically Collected Information
- Usage Data: How you interact with the application
- Technical Data: Browser type, IP address, and access times
2. How We Use Your Information
We use the collected information for the following purposes:
- Provide Support Services: Enable you to manage customer support tickets and communications
- Display Order Context: Show relevant order and customer information alongside support tickets
- Email Integration: Process inbound customer emails and send support responses
- Sync Order Data: Keep order information up to date for support context
- Improve Our Services: Analyze usage patterns to enhance functionality and user experience
- Security: Detect and prevent fraud, abuse, and security incidents
- Compliance: Comply with legal obligations and enforce our terms
3. Data Storage and Security
3.1 Where We Store Your Data
Your data is stored securely on Supabase infrastructure, which uses industry-standard encryption and security measures. All data is encrypted at rest and in transit.
3.2 Security Measures
- End-to-end encryption for all data transmission
- Secure OAuth 2.0 authentication with Shopify
- HMAC signature verification for all webhook communications
- Row-level security policies ensuring complete tenant isolation
- Regular security audits and updates
- Access controls and authentication for all user actions
3.3 Data Retention
- Active Stores: Data is retained while your store is connected to Support Beam
- After Disconnection: Store credentials are deleted immediately upon disconnection
- Support Data: Tickets and messages are retained for 90 days after disconnection to allow for data export
- Backups: Encrypted backups are retained for 30 days for disaster recovery
4. Data Sharing and Disclosure
4.1 Third-Party Services
We use the following third-party services to operate Support Beam:
- Supabase: Database and authentication infrastructure (data hosting)
- Mailgun: Email delivery service for sending and receiving support emails
- Shopify: Your store platform (we only request the minimum necessary API access)
4.2 We Do NOT Share Your Data
We do not sell, rent, or trade your data to third parties for marketing purposes. Your customer data, orders, and support tickets are never shared with other merchants or external parties except as required by law.
4.3 Legal Compliance
We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to:
- Comply with legal obligations
- Protect our rights, property, or safety
- Prevent fraud or security threats
- Respond to legitimate law enforcement requests
5. Your Rights and Choices
5.1 Access and Control
- Access Your Data: You can access all your data through the Support Beam dashboard
- Export Your Data: Request a complete export of your data by contacting support
- Update Your Data: Modify your account settings and email preferences at any time
- Delete Your Data: Disconnect your store to trigger automatic data deletion (see retention policy)
5.2 GDPR Rights (European Users)
If you are located in the European Economic Area (EEA), you have additional rights under GDPR:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data
- Right to Restriction: Limit how we process your data
- Right to Portability: Receive your data in a machine-readable format
- Right to Object: Object to certain data processing activities
- Right to Withdraw Consent: Withdraw consent at any time
5.3 CCPA Rights (California Users)
If you are a California resident, you have rights under CCPA:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to say no to the sale of personal information (we do not sell data)
- Right to access your personal information
- Right to equal service and price
6. Cookies and Tracking
Support Beam uses essential cookies and local storage for:
- Authentication: Maintaining your login session
- Preferences: Remembering your settings and preferences
- Security: CSRF protection and secure communication
We do not use third-party tracking cookies or analytics that identify individual users.
7. Children's Privacy
Support Beam is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.
8. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for international transfers, including:
- Using service providers that comply with GDPR and other data protection regulations
- Implementing standard contractual clauses
- Ensuring encryption and security measures during transfer
9. Data Breach Notification
In the unlikely event of a data breach that affects your personal information, we will:
- Notify you within 72 hours of becoming aware of the breach
- Describe the nature of the breach and data affected
- Explain the steps we are taking to address the breach
- Provide recommendations to protect your information
- Notify relevant regulatory authorities as required by law
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Updating the "Last Updated" date at the top of this policy
- Sending an email notification to your registered email address
- Displaying a prominent notice in the application
Your continued use of Support Beam after changes are posted constitutes acceptance of the updated policy.
11. Shopify-Specific Provisions
11.1 OAuth Access
Support Beam requests the following Shopify API access scopes:
- read_customers: To display customer information in support tickets
- read_orders: To provide order context for support inquiries
- read_products: To display product images and details
11.2 Webhooks
We subscribe to Shopify webhooks to receive real-time updates for:
- Order updates (orders/paid, orders/updated, orders/cancelled)
- GDPR compliance (customers/data_request, customers/redact, shop/redact)
11.3 Data Deletion
When you uninstall Support Beam or disconnect your Shopify store:
- OAuth access tokens are immediately revoked
- Store credentials are deleted from our system
- Support tickets and messages are retained for 90 days for data export
- All data is permanently deleted after the retention period
© 2025 Support Beam. All rights reserved.