Privacy Policy

Last updated: March 11, 2026

InboxShield ("we", "our", "us") is a Shopify application that helps merchants reduce unwanted contact form spam. This Privacy Policy explains what data we collect from merchants and their store visitors, how we use it, how long we keep it, and your rights. This policy complies with Shopify's privacy requirements for apps and the General Data Protection Regulation (GDPR).

1. Data We Collect

From Merchants (Shopify Store Owners)

• Shop domain (e.g. your-store.myshopify.com) — used to identify your store within our system.
• Shopify session data — OAuth tokens for authentication, managed through Shopify's standard app authorization flow.
• App settings and preferences — your chosen filtering level, custom keywords, and allowed sender lists.
• Subscription/billing plan status — to determine which features are available to your store.

From Store Visitors (Contact Form Submitters)

• Email address — used to check against disposable email domain lists and merchant-configured whitelist rules.
• Email domain — extracted from the email address for domain-level spam checks.
• IP address — used to detect repeat submissions and suspicious activity patterns.
• Message preview — the first 100 characters only of the submitted message, used for keyword-based spam scoring. The full message body is never stored by InboxShield.
• Spam score and filtering reasons — the calculated score and which rules triggered, stored for the merchant's review.

We do not collect payment information, passwords, or other sensitive personal data. We do not access or store products, orders, or customer lists from your Shopify store.

2. How We Use Data

All data collected from store visitors is used exclusively for spam filtering purposes:

• Email, IP, and message preview are scored against 7 rule-based checks: URL detection, keyword matching, short message detection, number-heavy content, suspicious email patterns, honeypot field verification, and repeat submission detection.
• No AI or machine learning processing — InboxShield uses purely rule-based filtering. You can see exactly which rules triggered for every submission.
• If a message is scored as clean, it is forwarded to Shopify's native contact form handler and delivered to the merchant's inbox as normal.
• If a message is blocked, the submission is logged in the merchant's InboxShield dashboard for review.

3. Data Storage and Retention

• All data is stored in PostgreSQL (hosted on Render, US region).
• Message previews are truncated to 100 characters — the full message body is never persisted in our database.
• All submission data (email, IP, message preview, spam scores) is automatically purged after 90 days.
• Merchants can also manually delete individual submissions from the message log at any time.
• Merchants may request earlier bulk deletion by contacting our support team.

4. Data Deletion on Uninstall

When a merchant uninstalls InboxShield from their Shopify store, all associated data is permanently deleted from our systems. This includes:

• All submission logs and spam scores
• All app settings, custom keywords, and allowed sender lists
• All stored email addresses, IP addresses, and message previews
• Session tokens and shop configuration

This deletion is triggered automatically via Shopify's mandatory app uninstall webhook.

5. Data Sharing

We do not sell, rent, share, or transfer personal data to any third parties for marketing, advertising, or any other purpose.

• Clean (non-spam) submissions are forwarded to Shopify's native /contact endpoint — this is standard Shopify contact form behavior, not a third-party transfer.
• No third-party analytics, tracking pixels, advertising SDKs, or data brokers are used in the app.

6. GDPR Compliance

InboxShield is designed to be fully compliant with the General Data Protection Regulation (GDPR). We handle all three of Shopify's mandatory GDPR webhooks:

Customer Data Request

We can export all stored data associated with a specific customer email address upon request. This is handled via Shopify's customers/data_request webhook.

Customer Data Deletion

We delete all submissions and associated data for a specific customer email upon request. This is handled via Shopify's customers/redact webhook.

Shop Data Deletion

All shop data is fully and permanently deleted upon request or app uninstall. This is handled via Shopify's shop/redact webhook.

GDPR Principles

• Lawful basis: We process data based on the merchant's legitimate interest in preventing spam on their contact forms.
• Data minimization: We collect only the minimum data necessary for spam scoring — email, 100-character message preview, and IP address.
• Purpose limitation: Data is used exclusively for spam filtering and merchant dashboard reporting.
• Right to erasure: Data is automatically deleted after 90 days, and all data is deleted upon app uninstall or GDPR request.
• Right of access: Merchants can view all collected data through their InboxShield dashboard.
• Data portability: Merchants can export their submission data from the dashboard.

If you are a store visitor whose data was processed by InboxShield and wish to exercise your GDPR rights, please contact the Shopify store owner directly, or reach out to us using the contact information below.

7. Merchant Controls

Merchants have full control over InboxShield's behavior and their data:

• Enable or disable spam filtering at any time via the app dashboard or theme editor.
• View and manage the complete spam log, including spam scores and triggered rules.
• Delete individual submissions from the message log.
• Configure allowed senders (whitelist) to bypass filtering for trusted contacts.
• Adjust filtering strictness level (Low, Medium, or High).
• Uninstall the app at any time to trigger full and permanent data deletion.

8. Shopify API Access

InboxShield requests the minimum Shopify API scopes necessary to function:

• read_themes — used only to check whether the InboxShield theme app embed is active on the storefront.

We do not read or modify store content, products, orders, customer lists, or any other Shopify data beyond what is listed above.

9. Cookies and Tracking

• InboxShield does not set any cookies on store visitors' browsers.
• No tracking pixels, browser fingerprinting, or analytics scripts are loaded on the storefront.
• The app only activates when a contact form is submitted — it does not monitor browsing behavior.

The Crisp chat widget on this marketing website (inboxshield.acrosoft.tech) may set its own cookies — refer to Crisp's Privacy Policy for details. This does not affect any Shopify storefront.

10. Data Security

We use industry-standard security measures to protect all data we process:

• All data transmission is encrypted via HTTPS/TLS.
• Database access is restricted and authenticated.
• OAuth tokens are stored securely and scoped to minimum required permissions.
• Infrastructure is hosted on Render with built-in security controls.

11. Children's Privacy

InboxShield is a B2B service for Shopify merchants. We do not knowingly collect data from children under the age of 13. If you believe a child has submitted data through a contact form protected by InboxShield, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of InboxShield after changes constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy, your data, or wish to exercise any of your rights, you can reach us through:

• The Crisp chat widget on this website
• The in-app support channel within InboxShield
• Email: inboxshield@acrosoft.tech