Privacy Policy
TauRewards is a loyalty-program platform for Shopify merchants. This Privacy Policy explains what data we collect, why we collect it, how we store it, who else processes it on our behalf, and what rights you have to access or delete it.
"We," "us," and "TauRewards" refer to TauRewards. "Merchant" means a Shopify store owner who installs and uses TauRewards. "Customer" means a shopper of that merchant's store who interacts with the loyalty program (earning, redeeming, or viewing points).
1. Data we collect
From merchants
When you install TauRewards on your Shopify store, we receive and store:
- Shop domain (e.g. your-store.myshopify.com), shop name, currency, country, timezone, and your Shopify plan tier.
- An encrypted Shopify access token authorizing TauRewards to read orders, customers, products, and inventory and to write discounts on your behalf — within the scopes you approved at install.
- Account email and a randomly-generated API key used for any custom integrations you build against TauRewards.
- Loyalty-program settings you configure: program name, earn rate, point value, minimum redemption threshold, welcome bonus, SKU rules, promotions you create.
From your customers
When your customers shop on your Shopify store and interact with the loyalty program, we receive and store:
- Email address, first and last name (when provided to Shopify), Shopify Customer ID.
- Order references (Shopify order ID, subtotal, line items, SKU, quantity, unit price), promotion applied (if any), and the points awarded.
- Points balance, lifetime points earned, redemption history, and any pending redemption codes.
We do not receive payment card numbers, billing addresses, shipping addresses, IP addresses, or any other customer data Shopify hasn't sent to us through our subscribed webhooks and granted scopes. We do not deploy tracking pixels.
2. How we use the data
- Operate the loyalty program: credit points on orders, accept and process redemptions, apply discounts at checkout, refund held points when redemptions expire.
- Power the AI campaign agent: when you ask the in-app agent to design or simulate a promotion, we send aggregated and segmented data from your store to our AI sub-processor (see Section 5) to draft the recommendation. We do not share customer-identifying data with the agent unless strictly necessary for the operation you requested.
- Show you the merchant dashboard: render customers, transactions, promotions, redemptions, and analytics.
- Service notifications: we may email merchants about service-critical events (your install, security notices, billing). We will not send marketing emails without an explicit opt-in.
3. How we store data
- All application data is stored in a managed PostgreSQL database hosted by Neon, located in the United States.
- Your Shopify access token is encrypted at rest using libsodium authenticated encryption with a key held outside the database.
- Loyalty data is retained for as long as your TauRewards installation is active on your Shopify store. When you uninstall, your data enters a 48-hour grace window after which Shopify's shop/redact webhook triggers a full deletion of every row we hold for your shop.
4. Customer data subject requests
TauRewards honors GDPR-style data subject requests via Shopify's mandatory compliance webhooks:
- customers/data_request: when one of your customers requests their data, we log the request, compile the customer's loyalty record (enrolled date, points balance, transactions, redemptions), and make it available to you to fulfill within 30 days.
- customers/redact: when a customer requests deletion, we delete their loyalty record (consumer row, transactions, redemptions) within 30 days of receiving the webhook.
- shop/redact: when your shop is fully uninstalled and the 48-hour grace window elapses, all shop-level data is deleted permanently and is not recoverable.
If you or your customers want to make a request outside Shopify's automated channels, contact privacy@taurewards.com.
5. Sub-processors
TauRewards relies on the following sub-processors. Each receives only the data necessary to perform its function and operates under its own data-protection commitments.
- Shopify — platform host; provides webhooks, OAuth, the Admin API, and the storefront surfaces our extensions render on.
- Vercel — application hosting for app.taurewards.com.
- Neon — managed PostgreSQL hosting for our application database.
- Cloudflare — DNS and content delivery for taurewards.com.
- xAI — large-language-model provider for the AI campaign agent (Grok). We send the merchant's prompt and the aggregated business context required to fulfill the request.
6. Cookies
TauRewards uses a single first-party session cookie (__Secure-next-auth.session-token) in the merchant admin to keep you signed in. It is HttpOnly, Secure, and scoped to app.taurewards.com. We do not use third-party tracking cookies, ad retargeting, or analytics that profile individual visitors.
7. International transfers
Data is processed and stored in the United States. If you or your customers are located outside the United States, your data will be transferred to the United States for processing in accordance with the applicable data-protection frameworks.
8. Security
We implement reasonable technical and organizational measures to protect the data we hold, including TLS in transit, encrypted access tokens at rest, principle-of-least-privilege scope requests against Shopify, idempotent webhook processing with replay protection (HMAC verification), and audit logging of significant events. No system is perfectly secure; we encourage merchants to use strong passwords and to rotate API keys if compromise is suspected.
9. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Object to or restrict certain processing
- Withdraw consent for any processing based on consent
- Lodge a complaint with your local data protection authority
To exercise any of these rights, contact privacy@taurewards.com. Merchants can also delete all of their data instantly by uninstalling TauRewards from their Shopify admin.
10. Children's privacy
TauRewards is a B2B product designed for merchants and the customers they serve through their Shopify stores. We do not knowingly collect data from anyone under the age of 16. If you believe we have inadvertently collected data from a minor, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated to active merchants via email or through the in-app dashboard with at least 14 days' notice before taking effect.
12. Contact
Questions, requests, or concerns about this policy or how we handle data: privacy@taurewards.com.