Privacy Policy

ProofBoost · Last updated: July 8, 2026

1. Overview

ProofBoost ("we", "our", or "us") is a Shopify application that helps merchants collect, moderate, and display product reviews on their online store. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

By installing ProofBoost, you ("Merchant") agree to this Privacy Policy. Your customers ("Reviewers") are informed of data collection through your own store's privacy notice.

2. Data We Collect

From Merchants (store owners)

  • Shopify store domain and access token (for API access)
  • App settings (widget colors, email templates, SMTP credentials)
  • Order data used to queue review request emails (order ID, product ID, customer email)

From Customers (reviewers)

  • Name and email address submitted with a review
  • Review content: star rating, title, body text, and optional photos
  • Whether the review was submitted via a purchase-verified link

Automatically collected

  • Server logs (IP addresses, request timestamps) — retained for 30 days

3. How We Use Data

  • Display approved reviews on your storefront via the ProofBoost widget
  • Send automated post-purchase review request emails to customers
  • Provide moderation tools so merchants can approve, reject, and reply to reviews
  • Maintain app settings and session authentication

We do not sell, rent, or share personal data with third parties for marketing purposes.

4. Data Storage and Security

Data is stored in a PostgreSQL database hosted on Railway.app (USA). We use industry-standard encryption in transit (TLS) and at rest. SMTP passwords are stored encrypted.

Access to production data is restricted to authorised personnel only.

5. Data Retention

  • Reviews — retained as long as the app is installed. Deleted within 48 hours of a shop uninstall request (GDPR shop/redact webhook).
  • Customer PII in reviews — anonymised within 10 days of a customer data deletion request (GDPR customers/redact webhook).
  • Email queue entries — deleted upon customer redact or shop redact.
  • Session tokens — deleted upon shop redact or app uninstall.

6. GDPR Compliance

ProofBoost supports Shopify's mandatory GDPR webhooks:

  • customers/data_request — we log the request. Merchants are responsible for providing customers with their data within 30 days.
  • customers/redact — we anonymise all personal data tied to the customer's email address within 10 days of the request.
  • shop/redact — we permanently delete all store data within 48 hours of receiving this webhook (sent when a shop uninstalls the app).

7. Cookies

The ProofBoost admin panel (embedded in Shopify) uses session cookies for authentication. The storefront widget does not set any cookies.

8. Third-Party Services

  • Railway.app — hosting and database provider. Railway Privacy Policy
  • Shopify — platform provider. ProofBoost operates under the Shopify API Terms of Service.
  • SMTP provider — merchants configure their own email server. We do not have access to third-party email accounts.

9. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to processing of your data

To exercise any of these rights, contact us at support@proofboost.app.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify merchants of material changes by updating the "Last updated" date at the top of this page. Continued use of ProofBoost after changes constitutes acceptance of the updated policy.

11. Contact

For privacy questions or data requests, contact us at: support@proofboost.app

ProofBoost · https://proofboost.app