Privacy Policy

Last updated: May 2, 2026

LeakSentry ("the App", "we", "us") provides revenue trend analysis, coupon-abuse detection, refund-fraud risk scoring, abandoned-checkout monitoring, and win-back campaign tools to merchants who install it on their Shopify store. This policy explains what we collect, why, how we protect it, and how to have it deleted.

1. Information we collect

When you install LeakSentry on your Shopify store, we access — through the Shopify Admin API and webhooks, using the scopes you approve at install — the following:

• Order data — order ID, total price, currency, creation date, line items, and the associated customer ID. Used for period-over-period revenue trend analysis and campaign attribution.
• Customer data — for win-back campaigns we read customer email, first/last name, and lifetime amount spent. This is protected customer data under Shopify's data protection requirements. We use it only to segment inactive customers and generate recovery offers at your request.
• Refund data — refund ID, amount, reason, and date, used to risk-score customers for refund-fraud patterns.
• Checkout data — checkout token, email, cart total, and completion status, used to compute abandoned-checkout rates.
• Discount codes — the codes attached to orders, scanned against known browser-extension patterns (Honey, Capital One Shopping, Piggy, Rakuten) for coupon-abuse detection.
• Store + plan metadata — your myshopify.com domain, plan tier, and sync timestamps.
• Integration credentials — if you connect Klaviyo, your Klaviyo Private API Key, stored encrypted at rest (AES-256-GCM).

We do not collect payment card numbers, passwords, or any buyer payment credentials.

2. How we use AI

LeakSentry uses Anthropic's Claude model to generate plain-English explanations of detected findings. We send aggregated metrics and finding summaries only — never individual customer names, emails, or other personal identifiers. Anthropic does not train on data submitted through its API.

3. How we store and protect data

Data is stored in a PostgreSQL database hosted on Railway (US region) and transmitted over TLS. The Klaviyo API key is encrypted at rest. Access is limited to the App's own service processes.

4. Data sharing

We do not sell your data. We share data only with the infrastructure and service providers required to operate the App: Railway (hosting + database), Anthropic (AI explanations, aggregated data only), Resend (weekly report emails), and — only if you connect it — Klaviyo (customer segments you choose to push).

5. Data retention and deletion

We honor Shopify's mandatory GDPR webhooks:

• Customer data request — we compile and log the order data we hold for that customer.
• Customer redaction — we remove the customer's identifying link from our records.
• Shop redaction — when you uninstall, we purge all data tied to your store (orders, line items, products, campaigns, scan reports, refunds, checkouts, sessions, and rate-limit records) within 30 days.

You can request deletion at any time by uninstalling the App or emailing admin@stackedboost.com.

6. Your rights

Depending on your jurisdiction (including GDPR and CCPA), you may have the right to access, correct, or delete personal data we hold. Contact us at admin@stackedboost.com to exercise these rights.

7. Changes to this policy

We may update this policy as the App evolves. Material changes will be reflected by the "Last updated" date above.

8. Contact

Questions about this policy? Email admin@stackedboost.com.