Privacy Policy

Effective date: June 26, 2026

1. Who we are

EvidenceBuilder ("we", "us", "our") is a software-as-a-service tool that helps Shopify merchants prepare chargeback evidence packets. This policy explains what personal data we collect, how we use it, and your rights under applicable law — including Brazil's Lei Geral de Proteção de Dados (LGPD) and the EU General Data Protection Regulation (GDPR).

2. Roles: controller and processor

EvidenceBuilder acts as a data processor with respect to your customers' personal data. You, the merchant, are the data controller — you instruct us to process your customers' order data for the purpose of building chargeback evidence.

With respect to your own account data (email address, password hash), EvidenceBuilder is the data controller.

3. What data we collect and why

Account data

We hold your email address and a bcrypt hash of your password. These are used to authenticate you and to send important service messages (e.g. email verification).

Shopify order data (your customers' data)

When you create an evidence case, we fetch and store a snapshot of the order from your Shopify store. This snapshot may include: customer name, email address, shipping and billing address, order line items, fulfillment details, tracking numbers, and payment summary. This data is used solely to generate your chargeback evidence packet.

Generated PDFs

Evidence packets we generate are stored so you can re-download them at any time. PDFs contain the same order data listed above. They are accessible only through your authenticated account — they are never publicly reachable by URL.

Shopify access token

We store your Shopify access token encrypted at rest with AES-256-GCM so we can fetch order data on your behalf. We never expose this token to the frontend or to third parties.

Session data

We issue a session token (stored as a cookie) when you log in. Sessions are stored in our database and expire after 7 days of inactivity.

4. Legal basis for processing

  • Contract performance — processing your account data and order snapshots is necessary to provide the service you signed up for.
  • Legitimate interest — storing your encrypted Shopify access token is necessary to retrieve order data on your behalf without requiring re-authentication on every request.
  • Legal obligation — we may retain certain records if required by applicable law.

5. Data retention

We retain your account data for as long as your account is active. Order snapshots and generated PDF packets are retained for as long as the associated evidence case exists in your account. Deleting a case permanently removes its snapshot and PDF from our storage. Disconnecting a Shopify store removes all associated cases, snapshots, and PDFs. Deleting your account removes all data we hold about you.

6. Sub-processors

We share data with the following sub-processors to operate the service:

  • Google Cloud Platform — infrastructure (compute, managed database, object storage for PDFs). Data is stored in the region specified during account setup.
  • Resend — transactional email. Your email address is transmitted to Resend solely to deliver verification and service messages.
  • Shopify — we read order data via the Shopify API using the access you grant during store connection.

7. Security

Shopify access tokens are encrypted with AES-256-GCM. Passwords are hashed with bcrypt. All data in transit is protected by TLS. PDFs are stored in Google Cloud Storage with server-side encryption enabled and access restricted to authenticated API requests.

8. Your rights

Under LGPD and GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your account and all associated data.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest.

To exercise any of these rights, email privacy@evidencebuilder.io. We will respond within 15 business days.

9. Your customers' data subject requests

If one of your customers asks you to delete their data, you can fulfill the request within EvidenceBuilder by deleting the relevant evidence case — this permanently removes the order snapshot and PDF. To disconnect a store and remove all associated customer data in bulk, use the "Remove" option on the dashboard. If you need our assistance responding to a data subject request, contact us at the address below.

10. Cookies

We use a single session cookie to keep you logged in. No third-party tracking or advertising cookies are used.

11. Changes to this policy

We will notify you by email if we make material changes to this policy. The effective date at the top of this page always reflects the most recent revision.

12. Contact

Privacy questions or rights requests: privacy@evidencebuilder.io