Privacy Policy
Last updated: April 5, 2026
Rekindly ("we", "us", "our") is a SaaS platform operated by an individual founder. We connect to Shopify stores via webhooks and process customer data on behalf of merchants to deliver automated email and SMS recovery sequences. This Privacy Policy explains how we collect, use, and protect information.
1. Information We Collect
Merchant account data: When you install Rekindly from the Shopify App Store, we collect your Shopify store domain and request access to your store data via Shopify OAuth. We store a Shopify OAuth access token, which is used to register webhooks and communicate with your store on your behalf. This token is stored securely and is cleared immediately if you uninstall the app. If you subscribe to a paid plan, payment information is collected and processed by Stripe — we do not store your credit card details.
Customer data processed on behalf of merchants: When a Shopify store connects to Rekindly, we receive webhook data including customer names, email addresses, phone numbers, cart contents, and order details. This data is processed solely to deliver the service on the merchant's behalf.
Win-Back data: For merchants using the Win-Back feature, we additionally store the date of each customer's most recent purchase, the number of days since that purchase, and a record of whether a win-back email has been sent to that customer.
ReplyPulse data: For merchants using the ReplyPulse feature, we store a customer's full order history with the merchant (number of orders, total spend, individual order values, and purchase frequency) in order to infer post-purchase sentiment. The inferred sentiment classification (happy, neutral, or unhappy), Claude's one-sentence reasoning for that classification, and — where applicable — a flagged customer record are also stored. Flagged records are created only when a customer is classified as unhappy and are visible to the merchant on their dashboard. Unhappy customers are never contacted by Rekindly.
2. How We Use Your Data
We use the data we collect solely to deliver and improve the Rekindly service. Specifically:
- To send abandoned cart recovery emails and SMS messages on behalf of merchants
- To send first-order follow-up sequences
- To send Win-Back emails to customers who have not purchased within a merchant-configured time window
- To send ReplyPulse post-purchase follow-up emails and SMS to customers after order delivery, routed according to their inferred sentiment — happy customers receive a review and referral request, neutral customers receive a discount offer
- To analyse a customer's purchase history using the Anthropic Claude API to infer post-purchase sentiment (happy, neutral, or unhappy), for the purpose of routing the appropriate ReplyPulse message
- To generate AI-written, personalised email and SMS content
- To process payments and manage subscriptions
- To provide merchants with analytics and reporting on their dashboard
3. Third-Party Services
We share data with the following third-party services, strictly as needed to operate Rekindly:
- Resend — for email delivery
- Twilio — for SMS delivery
- Anthropic — for AI-powered email and SMS copy generation, and for ReplyPulse sentiment analysis. For sentiment analysis, only aggregated purchase behaviour data (order counts, values, and frequency) is sent — no additional personally identifiable information beyond what is required to generate personalised content is transmitted.
- Stripe — for payment processing and subscription management (used for non-Shopify merchants only). Shopify merchants are billed directly via the Shopify Billing API, and their payment details are handled entirely by Shopify — we do not receive or store payment card information for Shopify merchants.
- Railway — for application hosting and infrastructure
We do not sell, rent, or trade personal data to any third party for marketing purposes.
GDPR compliance: Rekindly complies with Shopify's mandatory GDPR webhook requirements. We respond to customer data requests, customer redact requests, and shop redact requests as required by Shopify's partner program.
4. Data Retention
We retain merchant account data for as long as the account is active. Customer data received via webhooks (including cart and order data) is retained for up to 90 days after the associated event to allow recovery and follow-up sequences to complete, after which it is automatically deleted. Win-Back send records and ReplyPulse send records are retained for 90 days on the same schedule. ReplyPulse flagged customer records are retained until the merchant marks them as reviewed, after which they are deleted within 90 days. Merchants may request earlier deletion of any customer data at any time.
5. Merchant and Customer Rights
Merchants: You may access, update, or delete your account data at any time. You may also request a full export or deletion of all customer data we process on your behalf by contacting us.
Customers: If you are a customer of a Shopify store using Rekindly, you may contact the store directly or reach out to us at contact@rekindly.shop to request access to or deletion of your data.
6. Cookies
Rekindly uses essential cookies to maintain session state and authentication. We do not use tracking cookies or third-party advertising cookies.
7. Security
We take reasonable measures to protect your data, including encryption in transit (HTTPS), hashed passwords, and secure infrastructure. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the service after changes constitutes acceptance of the revised policy.
9. Contact
If you have questions about this Privacy Policy or your data, contact us at contact@rekindly.shop.
10. Data Loss Prevention
Rekindly uses Railway's managed PostgreSQL database, which includes automated daily backups and point-in-time recovery. Customer and merchant data is retained for a maximum of 90 days after account deletion. Access to production data is restricted to the application only — no direct database access is exposed publicly.
11. Security Incident Response
In the event of a security incident or data breach affecting merchant or customer data, Rekindly will: (1) investigate and contain the incident within 24 hours of discovery, (2) notify affected merchants within 72 hours via email, (3) take immediate steps to secure affected systems, and (4) provide a full incident report to affected parties within 30 days.