Effective Date: June 17, 2026
Last Updated: June 17, 2026
ReturnSage is a Shopify application developed and operated by CGN Media Group LLC ("we," "us," or "our"). Our registered address is 5036 3rd Ave S, St Petersburg FL 33707. You can reach our privacy team at chad@tide-flow.com.
ReturnSage is an AI-powered returns decisioning tool for Shopify merchants. When a customer submits a return request on a merchant's store, ReturnSage evaluates the request against the merchant's return policy, the customer's order history, and the specific order involved, then recommends or automatically executes a decision (approve, exchange, store credit, deny, or escalate). This policy explains how ReturnSage collects, uses, stores, and protects personal data in the course of providing that service.
This policy applies to:
ReturnSage accesses data through the Shopify Admin API when a merchant installs the app and when a return request is processed. We request only the data strictly necessary to evaluate each return. We do not perform bulk exports, engage in marketing or advertising, build independent customer profiles, or sell any data to third parties.
What we access: Order ID, line items (product title, variant, quantity, price), order date, order value, fulfillment status, delivery information (carrier, tracking status), and refund history associated with the specific order tied to a return request.
Why: The AI decision engine must understand exactly what the customer purchased, what they paid, when the order was placed, and whether it has already been refunded, in order to evaluate policy compliance — for example, whether the request falls within the permitted return window, or whether the item is categorized as final-sale.
Scope used: read_orders, read_fulfillments
Data minimization: Only the single order referenced by the return request is fetched. We do not enumerate or export orders in bulk.
What we access: Customer ID (Shopify GID), customer name, email address, lifetime order count, lifetime order value, and prior return history for the customer attached to the open return request.
Why: Customer history is a primary input to the decision engine. A first-time customer asserting a product defect is evaluated differently from a customer with a documented pattern of high-frequency returns. Name and email are used to personalize the merchant-facing draft reply generated by the AI. We do not use this data for marketing, retargeting, or any purpose outside the returns decisioning workflow.
Scope used: read_customers
Data minimization: Only the single customer attached to the open return is fetched. No customer list exports or marketing segmentation.
What we access: Return request ID, reason code selected by the customer, the customer's written explanation, line items included in the return, and any photos attached to the request.
Why: The return request is the triggering event for the entire workflow. Without the return details we cannot run the decisioning process at all.
Scope used: read_returns
Data minimization: Fetched on-demand per individual request; not stored in bulk.
What we access: Product title, variant name, price, tags, and metafields for products appearing in the open return's line items.
Why: Certain policy clauses reference product categories or attributes — for example, "personal-care items that have been opened may not be returned." The AI needs product metadata to apply these clauses correctly.
Scope used: read_products
Data minimization: Only products appearing in the specific return's line items are fetched.
What we store: For every return request processed, ReturnSage writes a Decision record to our database. This record includes:
contextSnapshot field: a JSON snapshot of exactly what the AI model received at the time of the decision — the return request details, the customer record (name, order history summary), and the order data. This snapshot is stored for reproducibility, audit, and dispute evidence.Why: The contextSnapshot is the authoritative record of what the AI saw. This supports merchant dispute resolution ("why was this return denied?"), flywheel accuracy improvement, and regulatory audit if a customer or merchant contests a decision.
Retention: The contextSnapshot field (which contains PII) is purged — replaced with a redacted placeholder — 12 months after the decision is created, or sooner if a customers/redact webhook fires for the relevant customer (see Section 6). The non-PII analytics fields in the Decision record are retained indefinitely to support accuracy improvement.
What we store: The Shopify access token issued to ReturnSage after OAuth (stored in the Session table), the merchant's shop domain, and the merchant's ReturnSage configuration (return policy JSON, brand voice, autonomy mode settings). The Session table may also store the merchant account owner's first name, last name, email, and locale if provided by Shopify during the OAuth handshake.
Why: The access token is required to call the Shopify Admin API on the merchant's behalf. Configuration data persists the merchant's policy settings between sessions.
Retention: Session and configuration data are deleted when the app is uninstalled (handled by the app/uninstalled webhook) and permanently deleted within 48 hours of the shop/redact webhook firing.
We use the data described above exclusively to:
1. Evaluate return requests — apply the merchant's configured return policy to each incoming request and produce a decision recommendation.
2. Generate draft replies — produce a merchant-branded, customer-facing reply that the merchant can send or edit.
3. Log decisions — maintain an auditable record for merchants to review, override, or dispute.
4. Improve decision accuracy — analyze aggregate patterns (confidence scores, override rates, outcomes) across a merchant's decision history to improve policy configuration recommendations.
We do not use your data to:
ReturnSage relies on the following subprocessors, each of whom may receive personal data in order to provide the service:
Role: AI inference engine.
Data received: The contents of contextSnapshot — order details, customer name, purchase history summary, and the return request — are transmitted to the Anthropic API to generate the AI decision recommendation and draft reply.
Location: United States.
Training opt-out: Anthropic does not use API inputs or outputs to train their models. This is a commitment in Anthropic's API Terms of Service and applies to all API customers, including ReturnSage. Merchants can verify this at [https://www.anthropic.com/legal/privacy](https://www.anthropic.com/legal/privacy). ReturnSage does not opt into any model training program on behalf of merchants or their customers.
Role: Application hosting and managed Postgres database.
Data received: All data stored in the production database, including Decision records (including contextSnapshot), Session records, and ShopSettings.
Location: United States (default). Merchants requiring EU data residency should contact us before installation.
Providers considered: Fly.io, Render, Supabase, or equivalent managed cloud provider. The current production provider is disclosed on our website at [URL]. We update this list when we change providers.
Role: OAuth session broker and API platform.
Data received: The Shopify OAuth flow transmits the app access token and shop domain. Shopify also transmits GDPR webhook payloads to ReturnSage.
Location: Canada / United States.
Shopify's privacy practices are governed by [Shopify's Privacy Policy](https://www.shopify.com/legal/privacy).
We do not use any analytics, error monitoring, or communication subprocessors that receive customer PII at this time. If we add such services (e.g., error monitoring, transactional email for data exports), we will update this section and notify merchants.
| Data | Retention Period | Deletion Trigger |
|---|---|---|
| Decision.contextSnapshot (PII snapshot) | 12 months from creation | 12-month automated purge, or customers/redact webhook, whichever comes first |
| Decision non-PII fields (AI action, confidence, risk flags, outcome) | Indefinite | Deleted with all shop data on shop/redact |
| Session (Shopify access token, optional merchant name/email) | Until app uninstalled | app/uninstalled webhook |
| ShopSettings (policy JSON, autonomy mode) | Until shop redaction | shop/redact webhook (within 48 hours of merchant uninstall) |
When a merchant uninstalls ReturnSage, all session and configuration data is deleted within minutes via the app/uninstalled webhook. All remaining shop data — including all Decision records — is permanently deleted within 48 hours of the shop/redact webhook, which Shopify sends 48 hours after uninstall.
ReturnSage implements all three Shopify-required GDPR compliance webhooks:
customers/data_request — Right of Access
When a Shopify merchant or end customer submits a data access request through Shopify, Shopify sends this webhook to ReturnSage. We will compile and email a human-readable export of all Decision records associated with that customer — including the AI action taken, the date, the order reference, and the final resolution — to the requesting party within 30 days. We do not include PII belonging to other customers in the export.
customers/redact — Right to Erasure
When Shopify instructs ReturnSage to erase a customer's data (typically 10 days after an erasure request), we will locate all Decision records for that customer and replace the contextSnapshot field with a redacted placeholder ({"redacted": true, "reason": "customers/redact", "at": "<timestamp>"}). Non-PII analytics fields are preserved for flywheel analytics. We respond within 48 hours of receiving the webhook.
shop/redact — Merchant Erasure
When a merchant uninstalls ReturnSage and 48 hours elapse, Shopify sends a shop/redact webhook. We permanently delete all Decision, ShopSettings, and Session records associated with that shop. This is already fully implemented.
Merchants may also submit privacy requests directly by emailing chad@tide-flow.com. We will:
We do not sell personal data. End customers on a merchant's Shopify store do not have a direct relationship with ReturnSage — their rights are exercised through the merchant, who can submit a customers/redact request via Shopify's admin or directly to us at chad@tide-flow.com.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following applies.
Legal bases for processing:
| Processing activity | Legal basis |
|---|---|
| Evaluating return requests and producing AI decisions | Legitimate interests of the merchant (Article 6(1)(f)) — returns management is a core business operation; processing is proportionate and customer data is not used for any secondary purpose |
| Storing the contextSnapshot for audit and dispute resolution | Legitimate interests of the merchant (Article 6(1)(f)) — merchants have a legitimate interest in maintaining an auditable record of decisions made on their behalf |
| Responding to GDPR data-subject access and erasure requests | Legal obligation (Article 6(1)(c)) |
| Deleting data on app uninstall | Legitimate interests / contractual necessity |
Data Controller / Data Processor distinction: In relation to end-customer data, ReturnSage acts as a data processor on behalf of the merchant (who is the data controller). The merchant's Shopify store collects and controls customer data; ReturnSage processes it solely as instructed by the merchant's return policy configuration. Merchants should ensure their own privacy policy discloses the use of AI-powered returns processing tools.
International transfers: Data is processed in the United States by ReturnSage and its subprocessors (Anthropic, hosting provider). Transfers from the EEA to the United States are conducted under the European Commission's Standard Contractual Clauses (SCCs) where required. Merchants requiring additional transfer safeguards should contact us at chad@tide-flow.com.
Data Protection Officer: CGN Media Group LLC has designated [NAME/EMAIL] as the contact for data protection matters. If you have unresolved concerns, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national data protection authority in the EU).
If you are a California resident, you have the following rights under the CCPA:
To submit a CCPA rights request, email chad@tide-flow.com with "CCPA Request" in the subject line. We will respond within 45 days.
Categories of personal information collected:
| CCPA Category | Examples | Collected? |
|---|---|---|
| Identifiers | Customer name, email, Shopify customer ID | Yes — within contextSnapshot; purged at 12 months |
| Commercial information | Order history, purchase amounts, return history | Yes — within contextSnapshot; purged at 12 months |
| Internet/network activity | Not collected | No |
| Geolocation | Not collected | No |
| Inferences | AI decision recommendation | Yes — non-PII fields retained for flywheel analytics |
Business purposes for collection: Returns decisioning, audit logging, merchant analytics. No advertising, no sale, no third-party sharing beyond disclosed subprocessors.
We take the following measures to protect personal data:
Encryption in transit: All communications between ReturnSage, the Shopify Admin API, and the Anthropic API use HTTPS with TLS 1.2 or higher. HTTP connections are rejected at the application layer. HTTP Strict Transport Security (HSTS) headers are enforced in production.
Encryption at rest: The production database is a managed Postgres instance with encryption at rest enabled. We verify that encryption at rest is active in our provider console before any production deployment. Database backups are also encrypted.
Least-privilege access: The application's database user has only the permissions necessary to read and write its own tables. No superuser or administrative database credentials are used by the application. Direct database access by engineers requires per-person credentials and multi-factor authentication.
API secret management: The Anthropic API key, Shopify API secret, and database connection string are stored as server-side environment variables and secrets. They are never transmitted to the browser, never included in client-side code, and never committed to source control.
Staff access logging: Any direct database access by a developer or support engineer is logged with timestamp, accessor identity, and stated reason.
Incident response: We maintain a written incident response plan covering detection, containment (credential rotation, token revocation), merchant notification within 72 hours per GDPR requirements, and post-incident review. In the event of a breach affecting merchant or end-customer data, we will notify affected merchants and Shopify promptly and comply with all applicable notification requirements.
ReturnSage is a B2B tool for Shopify merchants. We do not knowingly collect personal data from individuals under the age of 13, and the service is not directed at children. If we become aware that we have inadvertently collected data from a child under 13, we will delete it promptly. Merchants are responsible for ensuring their Shopify store complies with applicable children's online privacy laws (e.g., COPPA).
ReturnSage is operated from the United States. If you are accessing the service from outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your country. We rely on Shopify's Partner Program terms and, for EEA/UK transfers, Standard Contractual Clauses to legitimize these transfers. Merchants who require specific data residency arrangements should contact us before installing the app.
We may update this Privacy Policy from time to time to reflect changes in the service, legal requirements, or our data practices. When we make material changes, we will:
1. Update the "Last Updated" date at the top of this policy.
2. Post a notice in the ReturnSage app dashboard for at least 30 days before the changes take effect.
3. For changes that materially affect how we process end-customer PII, notify merchants by email at least 30 days in advance.
Continued use of ReturnSage after the effective date of a revised policy constitutes acceptance of the updated terms. If you object to any change, you may uninstall the app before the effective date, at which point all your data will be deleted per the retention schedule in Section 5.
For any privacy-related questions, data access or deletion requests, or concerns about how ReturnSage handles personal data, contact us at:
CGN Media Group LLC
5036 3rd Ave S, St Petersburg FL 33707
Email: chad@tide-flow.com
Website: [URL]
For GDPR-specific inquiries or to exercise your rights as a data subject, please email chad@tide-flow.com with "Privacy Request" in the subject line. We aim to respond within 5 business days of receipt and to fulfill all statutory deadlines.
*ReturnSage is a Shopify app and is not affiliated with or endorsed by Shopify Inc. Shopify's own privacy practices are governed by Shopify's Privacy Policy at shopify.com/legal/privacy.*