Privacy Policy

Last updated: May 8, 2026

1. Introduction

BrightLayer Lab LLC ("we," "us," "our") operates the Return Wise application ("App"), a Shopify application that helps merchants manage product returns by offering customers store credit with optional bonus incentives. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our application.

2. Data Controller and Processor Roles

Under the General Data Protection Regulation (GDPR) and similar data protection laws:

For merchant customer return data, the merchant who installs Return Wise is the data controller. They determine the purposes and means of processing their customers' personal data.
BrightLayer Lab LLC (Return Wise) acts as a data processor for that merchant customer return data when we process it to provide the return management service.
For merchant account, session, support, security, and compliance-contact data relating to use of the App itself, BrightLayer Lab LLC acts as an independent data controller.

3. Data We Collect

3.1 From Merchants (via Shopify)

Shop domain and Shopify store identifier
Merchant/admin account information made available by Shopify, such as user email, first name, last name, locale, and account status
Merchant notification email address (if configured)
Merchant-designated compliance contact email address
App configuration and settings

3.2 From Customers (via Merchant's Store)

When a customer looks up an order or initiates a return through a merchant's store, we collect or process:

Order lookup information: Order number and email address submitted in the return portal
Order information: Order number, order ID, line items, product titles, variant details, item prices, and currency
Customer contact information: Email address
Customer identifier: Shopify customer ID (if available)
Return details: Selected items, return reasons, reason notes, quantities
Fulfillment data: Fulfillment dates associated with returned items
Customer tags: Retrieved from Shopify for rule evaluation (e.g., loyalty status)
Security and request metadata: IP address and related request metadata used for rate limiting, abuse prevention, and operational security

3.3 Data We Generate

Return request records (status, timestamps, idempotency keys)
Native store credit references, including Shopify refund IDs, store credit account IDs, and bonus store credit transaction IDs
Abuse detection flags
Rule evaluation and audit records
Analytics aggregates (return volumes, savings metrics)

3.4 Data We Do NOT Collect

Payment card numbers or bank account details
Passwords or authentication credentials
Customer browsing behavior or tracking cookies
Customer physical addresses

4. How We Use Data

We process personal data solely to provide the return management service:

Processing returns: Creating and managing return requests, evaluating rules, issuing store credit
Fraud prevention: Detecting unusual return patterns to protect merchants from abuse
Notifications: Sending transactional emails (return confirmation, credit issuance, rejection notices)
Guest customer support: Creating or locating a minimal Shopify customer record and attaching it to an order when needed to issue native Shopify store credit
Analytics: Providing merchants with aggregated return statistics (no individual customer profiling)
Native store credit issuance: Creating Shopify store credit refunds for eligible return amounts and optional bonus store credit transactions
Security and reliability: Rate limiting request flows, validating sessions, and monitoring the service
Compliance handling: Delivering privacy and data-rights communications to the merchant-designated compliance contact email on file

We do not use customer data for marketing, advertising, or cross-context behavioral profiling, or for any purpose unrelated to the return management service. We may use limited automated analysis of return history and refund values for fraud and abuse prevention as described below.

5. Legal Basis for Processing (GDPR)

For customer return data, the merchant — as the data controller — determines and documents the legal basis for processing under Article 6 of the GDPR. Common legal bases that may apply, depending on the merchant's policies and customer relationship, include:

Performance of a contract (Art. 6(1)(b)) — for processing return requests and sending transactional emails about a return
Legitimate interest of the merchant (Art. 6(1)(f)) — for fraud and abuse prevention and for aggregated return analytics

Merchants are responsible for confirming and documenting the legal basis applicable to their store and informing customers in their own privacy notice. The limited categories of data Return Wise processes as an independent controller (merchant account, support, security, and compliance-contact data) are described in Section 2.

6. Data Sharing

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising (within the meaning of the California Consumer Privacy Act, as amended by the California Privacy Rights Act). We disclose personal data only to the service providers and sub-processors listed below, who process data on our behalf to operate the return management service:

Shopify: Data is read from and written to Shopify via their Admin API. Reads include order lookups, customer records, and customer tags (used as inputs to rule evaluation only). Writes include native store credit refunds, bonus store credit transactions, return summary details added to Shopify order notes, and order tags applied for merchant record-keeping (e.g., "ReturnWise-Credit"); for guest orders, the App may also create or locate a minimal customer record and attach it to the order so native store credit can be issued. The App does not write customer tags. Data written to Shopify's platform is governed by Shopify's own privacy policy and persists independently of Return Wise.
Hosting provider: The application and database are hosted on Render (render.com), which acts as a sub-processor. Render's privacy policy and data processing terms apply to infrastructure-level data handling.
Email delivery: Transactional emails are sent via Resend (resend.com), a transactional email provider configured and operated by Return Wise. Resend receives recipient email addresses and message content (order numbers, return details, store credit amounts, and links) in order to deliver the email. Return Wise does not persist email body content after handoff, but Resend may retain message data, delivery events, and logs under its own privacy policy and Data Processing Addendum. GDPR data export payloads are deliberately excluded from email content — those snapshots are retrieved by the merchant from the authenticated app admin.
As required by law: We may disclose data to comply with legal obligations, court orders, or government requests.

Website infrastructure (visitors to the public site): The public Return Wise marketing and legal pages on returnwise.app are served via Cloudflare (cloudflare.com), which provides edge delivery, DNS, and DDoS protection. Cloudflare processes standard request metadata for visitors to the public site (IP address, User-Agent, request timing) at the network edge. Cloudflare is not a sub-processor for the App and does not process merchant or customer personal data submitted through the App; the App's data flows and sub-processor list are governed by Section 4.4 of the Data Processing Agreement.

7. Data Retention

Return request data is retained according to the merchant's configured retention period (default: 12 months, configurable from 1 to 60 months).
Terminal return records (completed, rejected, or failed) older than the retention period are removed by our scheduled retention cleanup process, which is ordinarily run daily.
GDPR data export snapshots compiled in response to customers/data_request webhooks are retained inside the authenticated app admin and auto-purged 30 days after the request is received, regardless of fulfillment status.
Merchants can adjust their retention period at any time in the app settings.
Upon app uninstallation, Shopify sends an app/uninstalled webhook and (ordinarily 48 hours later, under Shopify's compliance schedule) a shop/redact webhook. Return Wise marks the shop on app/uninstalled and preserves its configuration during a short reinstall grace period (approximately 48 hours), so a merchant who reinstalls within that window does not lose their settings. After the grace period elapses, Return Wise's scheduled cleanup permanently deletes all shop data. If shop/redact arrives, Return Wise deletes all shop data immediately, without waiting for the grace period. Note that data previously written to Shopify (such as order notes and order tags) is managed by Shopify and is not affected by this deletion.

8. Data Subject Rights (GDPR / UK GDPR / Australian Privacy Act)

Customers may exercise the following rights by contacting the merchant (data controller):

Under GDPR / UK GDPR:

Right of access: Request a copy of personal data we hold
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of personal data
Right to data portability: Receive data in a structured, machine-readable format (JSON)
Right to object: Object to processing based on legitimate interest
Right to restrict processing: Request limitation of processing
Right to lodge a complaint: File a complaint with a data protection supervisory authority in your country of residence

Under the Australian Privacy Act 1988:

Right of access: Request access to personal information we hold about you (APP 12)
Right to correction: Request correction of inaccurate, out-of-date, incomplete, or misleading personal information (APP 13)
Right to complain: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached

When a merchant receives a data subject request, we support them by:

Data export: Upon Shopify's customers/data_request webhook, Return Wise automatically compiles the customer's data and stores the snapshot inside the authenticated app admin (the Compliance page). A short notification email is sent to the merchant-designated compliance contact with a link to the admin; the customer's identifying details and the compiled payload are never included in the email subject or body. Snapshot access is logged for compliance review, and snapshots are auto-purged 30 days after the request is received, regardless of fulfillment status.
Data deletion: Fully deleting all customer data stored by Return Wise (return requests, items, rule evaluation logs, abuse flags) upon Shopify's customers/redact webhook. Note that data previously written to Shopify's own systems (such as order notes and tags) is not affected by this deletion and is managed by Shopify.

9. Automated Decision-Making

Return Wise includes an optional abuse detection feature that may automatically flag or block customers based on return frequency or return value thresholds configured by the merchant. Specifically:

Customers exceeding a merchant-configured number of returns within a defined time window may be flagged or automatically blocked from submitting further returns.
Customers exceeding a merchant-configured return value threshold within a defined time window may be similarly flagged or blocked.

These thresholds are set entirely by the merchant (data controller). Merchants can review flagged customers, manually unblock them, and adjust or disable the automatic blocking feature at any time in the app settings.

In accordance with Article 22(3) of the GDPR, customers affected by this automated decision-making have the right to:

Obtain human intervention — request that a human, rather than the automated system, review the block decision
Express their point of view — provide context or information the merchant should consider
Contest the decision — dispute the block and request it be reversed

These rights are exercised by contacting the merchant (data controller) directly, using the support contact information the merchant provides. Merchants are required to review and respond to such requests, and can reverse an automatic block at any time from the app settings.

10. Data Security

We implement the following security measures:

Encryption in transit: All data is transmitted over HTTPS/TLS
Authentication: Customer portal sessions use signed session tokens; merchant admin endpoints require Shopify session authentication
Rate limiting: Customer-facing endpoints are rate-limited to prevent abuse
Input validation and output encoding: User inputs are validated and sanitized, and user-supplied content is encoded to prevent XSS
Duplicate-prevention controls: Return creation includes controls to prevent duplicate processing of the same request

11. International Data Transfers

Return Wise is hosted on Render (render.com) with servers located in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, your data will be transferred to and processed in the United States. We rely on appropriate safeguards under Chapter V of the GDPR for such transfers, including:

The European Commission's Standard Contractual Clauses (Module Two — Controller to Processor) and the UK International Data Transfer Addendum (where data is transferred from the United Kingdom), incorporated into our Data Processing Agreement with each merchant
The Standard Contractual Clauses and Data Processing Addenda published by our sub-processors (Render and Resend) for transfers to and from those providers

12. Cookies and Tracking

Return Wise does not use advertising, analytics, or tracking cookies, tracking pixels, or any client-side tracking technologies. The Shopify OAuth installation flow may set essential cookies required to complete authentication; these are not used for advertising or analytics. Customer portal sessions are managed via JWT tokens transmitted in form data, not stored in cookies.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

Right to know: Request disclosure of the categories and specific pieces of personal information we have collected.
Right to delete: Request deletion of your personal information.
Right to opt out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising.
Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, California residents should contact the merchant (data controller) directly. Merchants may contact us for assistance in fulfilling these requests.

14. Children's Privacy

Return Wise is a B2B service provided to Shopify merchants. We do not knowingly collect personal data from children under 16. If a merchant's store serves minors, the merchant is responsible for ensuring compliance with applicable children's privacy laws.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the effective date above when changes are posted. Where required by law, we will provide additional notice through the Shopify App Store listing, email, the app interface, or another appropriate channel. Continued use of the app after changes take effect constitutes acceptance of the revised policy.

16. Contact

For privacy-related inquiries:

Email: support@returnwise.app
Website: https://www.returnwise.app/

BrightLayer Lab LLC · 13344 Franklin Farm RD STE A, #702, Herndon, VA 20171

For data subject requests, customers should contact the merchant (data controller) directly. Merchants can reach us at the email above for assistance with data requests.