GuardIA

Privacy Policy

Last updated: June 13, 2026

This Privacy Policy explains how GuardIA (“GuardIA”, “we”, “us”, or “our”), operated by GuardIA Anti-Fraud Solutions, handles information when a merchant installs and uses the GuardIA application (the “App”) on the Shopify platform.

GuardIA is a fraud-prevention and chargeback-representment tool for Shopify merchants. We have designed the App around the principle of data minimization: we collect only what is strictly necessary to provide the service, and we never sell or rent personal data. By installing the App, the merchant (“you”) agrees to the practices described below.

1. Who is the data controller

For the personal data of your customers that the App processes on your behalf, you (the merchant) are the data controller and GuardIA acts as a data processor within the meaning of the EU General Data Protection Regulation (GDPR). We process this data solely to provide the App’s functionality to you, under your instructions. For data we collect about you as our merchant customer (account and billing information), GuardIA is the data controller.

2. What data we access and process

GuardIA connects to your Shopify store exclusively through the Shopify Admin GraphQL API (we do not use the legacy REST API). Through this connection, and strictly limited to the permissions you grant at installation (read_orders, write_orders), the App accesses:

a) Order and fraud-signal data (real-time scanning)

  • Order identifiers, amounts, currency, and creation date.
  • Shipping and billing address indicators used for risk scoring.
  • Customer order history indicators (e.g. number of previous orders).
  • Network and transaction metadata used for fraud analysis.

b) Transaction and delivery metadata (chargeback evidence)
When a dispute (chargeback) is opened, the App collects, via the GraphQL Admin API, the metadata required to build a representment evidence package, including:

  • Payment verification results (AVS, CVV, and 3-D Secure outcomes).
  • Proof-of-delivery and shipment tracking information.
  • Transaction and customer history relevant to the dispute.

c) Merchant account data

  • Your store domain, contact email, and billing/subscription status.

We do not access payment card numbers, and we do not store full card data. Card-verification results (e.g. “AVS match: yes”) are metadata, not card numbers.

3. Data minimization and SHA-256 hashing

Personal data that directly identifies a customer (such as email address, IP address, and shipping address) is never stored in clear text by GuardIA. Before storage, these identifiers are transformed into irreversible SHA-256 cryptographic fingerprints (hashes).

These hashes are used only to correlate signals (for example, to detect that two orders share the same hashed shipping fingerprint) and to certify the analysis at the time of the order. Because hashing is one-way, the original personal values cannot be reconstructed from what we store. Access tokens issued by Shopify are stored encrypted and are used only by our secure server-side environment, never exposed to the browser.

4. How we use the data

We process the data described above only to:

  • Score incoming orders for fraud risk in real time.
  • Apply, at your configured thresholds, automated actions on risky orders (adding a tag and a note, placing an order on hold, or cancelling it).
  • Automatically compile an audit-ready PDF representment evidence package when a chargeback is opened.
  • Provide your dashboard, analytics, and account/billing management.

We do not use customer personal data for advertising, profiling unrelated to fraud prevention, or any purpose beyond providing the App. We do not sell, rent, or trade personal data.

5. Legal bases (GDPR)

Where GDPR applies, processing is based on:

  • Performance of a contract — to provide the App you subscribed to.
  • Legitimate interests — fraud prevention and the defense of legal claims (chargeback representment), balanced against the rights of data subjects.
  • Legal obligation — where we must retain or disclose data to comply with applicable law.

6. Data sharing and sub-processors

We share data only with infrastructure providers strictly necessary to operate the App, acting as sub-processors under appropriate data-protection terms:

  • Shopify — the platform on which your store and the App run.
  • Vercel — application hosting and serverless execution.
  • Supabase — database, authentication, and storage (hosted Postgres).
  • Google (Gemini API) — AI processing used to generate representment argumentation from de-identified dispute metadata.

We do not transfer personal data to any party for its own independent use. Where data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses.

7. Data retention

We retain data only as long as necessary to provide the App and to support the defense of disputes (representment), after which it is deleted or remains in irreversibly hashed form. Generated PDF evidence packages are retained for the period needed to submit and resolve the related dispute. When you uninstall the App, or upon a valid erasure request (see Section 9), the associated store data is deleted as described below.

8. Authentication and cookies

GuardIA authenticates exclusively through Shopify Session Tokens issued by Shopify App Bridge. The App does not set third-party tracking cookies and does not use advertising or analytics cookies to track customers across sites.

9. Shopify mandatory compliance webhooks (data subject rights)

GuardIA implements the mandatory Shopify GDPR compliance webhooks, each verified with an HMAC signature (requests with an invalid signature are rejected):

  • customers/data_request — when a customer requests their data, we make available the information associated with that customer that the App holds.
  • customers/redact — we erase the data associated with the specified customer from our systems.
  • shop/redact — when a store is uninstalled and its data must be redacted, we erase the store’s data, including stored disputes and any generated evidence PDFs.

Because most directly identifying data is stored only as irreversible SHA-256 hashes, redaction removes the associated records and any residual identifiers. Under GDPR, data subjects have the rights of access, rectification, erasure, restriction, portability, and objection. As these requests concern data you control, please direct them to you (the merchant) as data controller; we will assist you in fulfilling them.

10. Security & incident response

We apply industry-standard safeguards: encryption of access tokens, server-side isolation of privileged credentials (service-role keys are never exposed to the browser), tenant isolation, HMAC verification of inbound webhooks, and the hashing of personal identifiers described in Section 3. Data is encrypted at rest (including backups), access to personal data is restricted to authorized operators and logged, and we maintain a data-loss-prevention strategy through automated backups and version control.

Incident response. In the event of a security incident, we (1) revoke compromised credentials and access tokens, (2) assess the impact on affected data, (3) notify affected merchants and, where legally required, the relevant supervisory authority within 72 hours in line with GDPR, and (4) remediate the root cause and document the incident.

11. Children

The App is intended for use by merchants and is not directed to children. We do not knowingly process the personal data of children.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date above and, where appropriate, by notifying merchants through the App.

13. Contact

For any privacy question or request, contact us at:

  • Email: guardia.ia.contact@gmail.com
  • Data controller: GuardIA Anti-Fraud Solutions, France.

GuardIA Anti-Fraud Solutions · France · This policy describes the actual data practices of the GuardIA Shopify application.