Privacy Policy

Last updated: June 11, 2026

Woven Reach (“the App”) is a Shopify application operated by Solidstone, Inc. (“we”, “us”) that helps merchants recover abandoned carts with on-brand email. This policy describes what we collect from merchants who install the App and from their customers, why we collect it, and the choices available.

Information we collect from merchants

• Store details Shopify shares on install: store domain, store name, locale, currency, and plan name.
• Onboarding details you provide: business name, contact email, and email sender name.
• Public storefront content: when you run brand extraction, we crawl your public storefront pages and capture page content and screenshots to derive your brand’s colors, typography, voice, and catalog style.
• Billing state: your selected plan and subscription status via the Shopify Billing API. We never see or store payment card details — Shopify processes all charges.

Information we process about your customers

To recover abandoned carts on your behalf we process, as your service provider:

• Cart and checkout contents (items, quantities, totals, currency) from Shopify webhooks.
• Customer email addresses associated with carts and checkouts.
• Email marketing consent state from Shopify. We only send recovery email to customers who have opted in to marketing (Shopify marketing state SUBSCRIBED); the consent decision is recorded with each cart.
• Email delivery and engagement events (sent, delivered, bounced, complained, opened, clicked) for emails the App sends.
• Unsubscribe requests, kept on a suppression list so we never email that address for your store again. Suppression records are retained as required by CAN-SPAM even after other data is deleted.

We do not collect or store customer payment information, government identifiers, or precise location data.

How we use this information

• Detect abandoned carts and send the recovery emails you configure.
• Generate on-brand email copy using AI (Google Gemini). Cart context and your brand profile are sent to the model to draft copy; outputs and generation metadata are logged for quality and audit.
• Show you dashboards: recovery rates, recovered revenue, send health, and suppression counts.
• Operate, secure, and improve the App (aggregate product analytics via PostHog).

We do not sell personal information, and we do not use your customers’ data to market to them on anyone else’s behalf.

Subprocessors

• Shopify — platform, webhooks, billing.
• Neon — managed Postgres database (data at rest, encrypted).
• Resend — email delivery.
• Google (Gemini API) — AI copy generation.
• PostHog — product analytics and experimentation.
• Hetzner / Cloudflare — application hosting and network.

Data retention & deletion

• Customer data deletion (GDPR Art. 17): when Shopify sends a customer redaction request, we delete that customer’s carts, outbound emails, engagement events, and stored data-request snapshots for your store. Suppression entries are retained as legally required so the customer is never emailed again.
• Customer data access (GDPR Art. 15): data-request webhooks produce a snapshot you can deliver to your customer from the App’s Privacy Requests page.
• Store deletion: 48 hours after you uninstall, Shopify sends a shop-redaction request and we delete all data for your store — sessions, carts, campaigns, emails, brand profiles, crawls, billing records, and settings.

Security

Data is encrypted in transit (TLS) and at rest. Access to production data is restricted to authorized operators, authenticated via SSO, and logged. Webhook payloads are verified with Shopify HMAC signatures before processing.

Your choices & contact

Merchants can uninstall the App at any time, which triggers the deletion flow above. Customers can use the unsubscribe link in every email we send, or contact the merchant to exercise data rights — we honor all requests relayed through Shopify’s privacy webhooks.

Questions or requests: [email protected].