Privacy Policy
Last updated: 2 July 2026
ChargebackWiz ("we", "us", "our") is operated by [LEGAL ENTITY NAME], registered in Udaipur, Rajasthan, India. This policy explains what data we process when a merchant installs the ChargebackWiz app from the Shopify App Store, why we process it, and the rights available to merchants and their customers.
Contact for all privacy matters: privacy@chargebackwiz.com
1. Who we are in the data chain
For personal data of a merchant's customers, the merchant is the data controller and ChargebackWiz is a data processor acting on the merchant's instructions to provide chargeback management services. For merchant account data (store name, contact email, billing), we act as a controller.
2. Data we process and why
We process only the minimum data required to assemble and submit chargeback evidence:
| Data | Source | Purpose |
|---|---|---|
| Store name, domain, contact email | Shopify API | Account setup, notifications, billing |
| Dispute details (amount, reason, deadline, status) | Shopify API webhooks | Core service — tracking and fighting disputes |
| Order data for disputed orders (items, totals, dates) | Shopify API | Evidence assembly |
| Customer name, email, billing/shipping address for disputed orders | Shopify API | Evidence assembly (AVS match, delivery proof) |
| Fulfillment and tracking data for disputed orders | Shopify API | Evidence assembly (proof of delivery) |
| Customer order history counts for disputed customers | Shopify API | Evidence assembly (repeat-customer signal) |
| WhatsApp number (optional, merchant's own) | Provided by merchant | Urgent deadline alerts, only if enabled |
We do not process full payment card numbers, CVVs, passwords, or government IDs. We do not sell, rent, or share personal data with advertisers or data brokers. We do not use customer personal data to train AI models.
Important scope limit: we only retrieve customer data for orders that are actually disputed — not your whole customer base.
3. Where data goes
- Shopify: evidence is submitted back to Shopify, which forwards it to the payment networks and issuing bank deciding the dispute.
- Subprocessors: [HOSTING PROVIDER, e.g. DigitalOcean — region], [DATABASE/BACKUP PROVIDER], [EMAIL PROVIDER], [WHATSAPP PROVIDER if used]. A current list is available on request. All subprocessors are bound by data-processing terms.
- We do not transfer personal data to any other third party.
4. International transfers
Our servers are located in [REGION]. Where data of EU/UK residents is transferred outside the EEA/UK, we rely on Standard Contractual Clauses or an equivalent lawful transfer mechanism.
5. Security
Data is encrypted in transit (TLS) and at rest. Access is restricted to authorized personnel, protected by access controls and audit logging. We follow Shopify's Protected Customer Data requirements (Levels 1 and 2).
6. Retention
- Dispute and evidence data: retained while the app is installed, for the service and for win-rate analytics in aggregate form.
- On app uninstall: personal data associated with the store is deleted within 30 days (Shopify
shop/redactwebhook), except records we must keep for legal, tax, or billing compliance. - Customer redaction requests: honored via Shopify's
customers/redactwebhook within 30 days. - Data access requests: fulfilled via Shopify's
customers/data_requestwebhook.
7. Merchant and customer rights
Depending on jurisdiction (GDPR/UK GDPR, CCPA/CPRA and other US state laws, India's DPDP Act 2023, PIPEDA), individuals may have rights to access, correct, delete, port, restrict, or object to processing of their personal data, and to withdraw consent. Customers should direct requests to the merchant (the controller); we support the merchant in fulfilling them through Shopify's privacy webhooks. Merchants and individuals can also contact privacy@chargebackwiz.com. We respond within one month (GDPR) / 45 days (CCPA) or sooner where local law requires.
California residents: we do not "sell" or "share" personal information as defined by the CCPA/CPRA, and we act as a "service provider" for merchant customer data.
8. Cookies
chargebackwiz.com uses only essential cookies and privacy-respecting analytics [ANALYTICS TOOL, e.g. Plausible — or remove if none]. The embedded Shopify app uses session tokens required for authentication and no advertising trackers.
9. Children
Our services are directed to businesses and not to children under 16. We do not knowingly process children's data.
10. Changes
We will post changes on this page and update the date above. Material changes will be notified to merchants by email.
11. Contact & grievance officer
[LEGAL ENTITY NAME], [ADDRESS, Udaipur, Rajasthan, India]
Email: privacy@chargebackwiz.com
Grievance Officer (DPDP Act, India): [NAME], grievance@chargebackwiz.com