Draft — last updated 2026-05-13. Not yet reviewed by legal counsel. Subject to material changes before merchant signup goes live.

Privacy Policy

Last updated: 2026-05-13

Introduction

Do The Proof (“we,” “our,” or “us”) operates a chargeback dispute management service for Shopify merchants. We help merchants assemble evidence from their Shopify and Stripe accounts and generate draft rebuttal letters for submission to their payment processors. This Privacy Policy explains how we collect, use, share, and protect data in connection with that service.

By installing our Shopify app or creating an account, you agree to the practices described in this policy. If you are a merchant using Do The Proof, you are also a data controller for your customers’ personal data — this policy describes how we act as your processor for that data.

Definitions

Controller:
The entity that determines the purposes and means of processing personal data. Merchants are controllers of their customers’ data.
Processor:
An entity that processes data on behalf of a controller. Do The Proof acts as a processor when handling your customers’ data on your instruction.
Personal Data:
Any information that identifies or can identify a natural person — including names, email addresses, postal addresses, and IP addresses.
Sub-processor:
A third-party service we use to process data on your behalf. See §8 for the full list.

What We Collect

From merchants (account data)

  • Shopify store domain and OAuth access token (encrypted at rest)
  • Stripe account identifier and secret key (encrypted at rest)
  • Merchant email address (sourced from the Shopify store owner profile)
  • Store settings: currency, timezone, policy URL

From your customers (via dispute processing)

When a chargeback dispute is filed on a transaction processed through your Shopify store, we retrieve the following from your Shopify and Stripe accounts to assemble evidence:

  • Customer name and email address
  • Billing and shipping addresses
  • Order details: items purchased, amount, date, fulfilment status
  • Tracking numbers and carrier information
  • Prior order history for the same customer
  • Checkout IP address (from Shopify)
  • Refund records (from Stripe)

This data is sourced from your accounts — we do not collect it independently from shoppers. When you receive a GDPR or CCPA data deletion request via Shopify’s compliance webhooks, we scrub all PII evidence items from our records within the applicable timeframe.

From service usage (analytics and error tracking)

  • Page views and in-app navigation events (PostHog, with your store ID as the identifier — never your email)
  • JavaScript errors and server exceptions (Sentry, with PII patterns automatically redacted before transmission)
  • No session recordings, no keystroke logging, no autocapture

Why We Collect It

  • Dispute evidence assembly: To retrieve order and customer data from your Shopify and Stripe accounts for the purpose of assembling chargeback evidence on your behalf.
  • AI rebuttal generation: To send assembled evidence to Anthropic’s API for generation of a draft rebuttal letter. You review and submit this draft — we do not submit anything to a payment processor without your explicit action.
  • Service operation: To authenticate your account, manage webhooks, and operate the application.
  • Error monitoring: To detect and fix bugs that affect service reliability.
  • Product analytics: To understand which features merchants use, measured at store level without individual tracking.

AI-generated content — how we label it

When we generate a rebuttal draft for you, it is labeled as AI-generated directly in your dashboard. That label stays visible until you make your first edit to the draft, and reappears if you regenerate. You can edit, replace, or regenerate any AI-drafted content at any time before submission. We do not submit any content to a payment processor on your behalf — submission is always a separate, explicit step that you take.

Legal Basis for Processing

  • Contract performance (Art. 6(1)(b)): Processing your account data and executing the dispute evidence service is necessary to perform our contract with you as a merchant.
  • Legitimate interest (Art. 6(1)(f)): Assembling chargeback evidence from data you have already collected from your customers as part of their purchase. Our legitimate interest is helping you defend against fraudulent or erroneous disputes. We minimise the data used to what is strictly necessary for each dispute.
  • Analytics (Art. 6(1)(f)): Aggregated, store-level analytics for product improvement. We have implemented privacy controls (no autocapture, no email as identifier, PII scrubbing) to minimise the data footprint. You may opt out by contacting us.

How Long We Keep Data

  • Active merchant accounts: Retained for the duration of your subscription plus a 30-day grace period after uninstallation.
  • Dispute records: Retained for 90 days after a dispute reaches a terminal state (won, lost, or withdrawn), then permanently deleted.
  • Customer PII in dispute records: Deleted immediately upon receipt of a valid GDPR/CCPA erasure request via Shopify’s compliance webhooks.
  • Database backups: 7-day rolling physical backups (Supabase Pro plan).
  • Error events (Sentry): 30 days.
  • Analytics events (PostHog): Configurable; reviewed annually.
  • Erasure requests: When you or your customers exercise the right to erasure, we replace identifying fields (names, emails, addresses, IP addresses, and order signatures) with [REDACTED] sentinel values while preserving non-identifying dispute metadata for service analytics. The original PII is permanently unrecoverable from our systems.

Sub-processors

We use the following third-party services to operate Do The Proof. Each receives only the data necessary for its specific function.

Service | Purpose | Data category
--- | --- | ---
Anthropic | AI rebuttal generation | Dispute evidence (contains customer PII). Retained 7 days for abuse monitoring, then deleted. Never used for model training (contractual, not an opt-in).
Supabase | Database hosting | All application data (sensitive fields encrypted)
Vercel | Application hosting | Request logs (no raw bodies)
Inngest | Background job processing | Dispute and store IDs (no customer PII)
Stripe | Dispute data source | Read-only access to your Stripe account
Shopify | Order data source | Read-only access to your Shopify store
Sentry | Error monitoring | Stack traces (PII scrubbed before sending)
PostHog | Product analytics | Store-level events (no customer PII, no email)
Resend | Operational email | Internal compliance notifications only

International Transfers

Our sub-processors are primarily located in the United States. If you are located in the European Economic Area (EEA), your data is transferred to the US under Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms, as required by GDPR Chapter V. Specific transfer mechanisms for each sub-processor are available on request at hello@dotheproof.com.

Security Measures

  • Encryption at rest: Shopify access tokens and Stripe secret keys are encrypted with AES-256-GCM before database storage. The encryption key is stored separately from the database.
  • Encryption in transit: All connections use TLS 1.2 or higher.
  • Analytics scrubbing: PII patterns (email addresses, phone numbers) are automatically redacted from error reports before they leave your browser or our servers.
  • Access control: Merchant data is scoped to the authenticated store session. No cross-merchant data access is possible through the application layer.

Your Rights

GDPR rights (EEA/UK merchants and their customers)

  • Access: Request a copy of the data we hold about you or your customers.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of data. For customer data, Shopify routes erasure requests to us automatically via the customers/redact compliance webhook.
  • Restriction: Request that we pause processing while a dispute is resolved.
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.

CCPA rights (California merchants)

  • Know: Request disclosure of the personal information we collect and how it is used.
  • Delete: Request deletion of your personal information.
  • Opt-out of sale: We do not sell personal information.

To exercise any of these rights, email hello@dotheproof.com. We will respond within 30 days.

Cookies

We use a session cookie to maintain your authenticated state (set by Auth.js, marked HttpOnly and Secure). PostHog uses a localStorage+cookie persistence strategy for analytics with no cross-site tracking. No advertising cookies or third-party tracking pixels are present. You can disable cookies in your browser settings; this will require you to log in again on each visit.

Children

This service is directed at businesses and is not intended for individuals under the age of 16. We do not knowingly collect personal data from minors.

Changes to This Policy

We will notify you of material changes to this policy by email at least 14 days before they take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

Contact

Questions about this policy or data requests: hello@dotheproof.com