Data Retention

Last updated: May 7, 2026

This page is the operational companion to our Privacy Policy. It states how long DisputeDesk keeps each category of data, how deletion requests are honored, and exactly what happens when Shopify sends one of its GDPR webhooks. The intent is to be specific enough that you can plan around it.

Retention categories

We retain data only for as long as it serves a documented purpose: to deliver the service, to keep an auditable trail of what was submitted on a merchant's behalf, to comply with financial-recordkeeping and tax obligations, or to satisfy a legal hold. When the purpose ends, the data is deleted or anonymized.

Dispute and evidence data

We retain dispute records (reason, amount, timestamps, status, outcome) and the evidence packs we generated for them for seven (7) years after the dispute is resolved. This window aligns with the financial-recordkeeping practices most merchants must satisfy and lets you demonstrate dispute history if challenged by a card network or regulator.

Operational logs and audit events

Audit events (who took which action, when, against which resource) are retained alongside the dispute they reference and deleted on the same schedule. Personal identifiers inside an audit event are removed if the underlying customer record is redacted; the audit trail itself remains as proof that the action occurred.

Evidence files

Files merchants upload as evidence (receipts, screenshots, customer communication, signed contracts) are stored in private object storage scoped to the owning shop and the owning pack. Files are retained on the same seven-year window as the dispute they belong to. Files orphaned by a deleted pack are removed by a maintenance job.

Merchant account data

Merchant account records (email, password hash, plan, language preference) are retained while the account is active. After account closure, account records are deleted within ninety (90) days unless an active legal hold applies.

Backups

Our managed database provider takes encrypted backups for disaster recovery. Backups are retained for a rolling window consistent with the provider's standard policy and are not used for any other purpose. Data deleted from the live database may persist in backups until those backups age out of the rolling window; restoration from backup is reserved for genuine recovery scenarios and is logged.

Deletion workflows

Two paths produce deletions:

  • Scheduled. Records that have aged past their retention window are removed by maintenance jobs. The job logs what was deleted and when.
  • On request. Merchant deletion requests and Shopify GDPR redact webhooks both trigger an immediate cascade. The cascade is idempotent — running it twice produces the same end state.

Merchant deletion requests

Merchants can request deletion of their account and all associated data by emailing privacy@disputedesk.app from the address on file. We confirm the request, run the deletion cascade across our database, and confirm completion within thirty days. Operational backups age out on the provider's standard rotation.

Shopify shop/redact handling

Forty-eight hours after a merchant uninstalls DisputeDesk from a store, Shopify sends our endpoint a shop/redact webhook. On receipt:

  • We verify the request signature against our Shopify webhook secret. Unsigned or invalid requests are rejected with HTTP 401.
  • We resolve the shop record in our database and delete all data associated with that shop in dependency order: evidence files, evidence packs, disputes, jobs, audit events, sessions, and finally the shop record itself.
  • We acknowledge the webhook with HTTP 200 and a count of rows removed per table.

Re-delivery is a no-op. Operational backups age out on the standard rotation.

Shopify customers/redact handling

When Shopify sends a customers/redact webhook for a customer of one of your stores, we anonymize that customer's identifying fields across our database for that store:

  • customer_email and customer_display_name on matching dispute rows are set to null.
  • JSON snapshots inside evidence packs are recursively scrubbed: email and name fields that match the redact target are replaced with a redacted marker.
  • A compliance audit row records that the redaction occurred. That row deliberately does not contain the customer's email or name.
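The signature check from the shop/redact steps and the recursive scrub described above, sketched in Python as an added illustration; this is not DisputeDesk's own code. Shopify signs webhooks with a base64 HMAC-SHA256 of the raw body in the X-Shopify-Hmac-Sha256 header; the key-suffix rule, the "[REDACTED]" marker, the audit row fields and the sample snapshot are assumptions made for the example.

```python
import base64
import hashlib
import hmac

REDACTED = "[REDACTED]"          # assumed marker; the page does not give its form
ID_SUFFIXES = ("email", "name")  # assumed: identifying keys end in these words


def verify_webhook(raw_body: bytes, header_b64, secret: str) -> bool:
    """Check X-Shopify-Hmac-Sha256 over the raw, unparsed request body."""
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()
    expected = base64.b64encode(digest)
    # Constant-time compare; a missing header fails closed (caller returns 401).
    return hmac.compare_digest(expected, (header_b64 or "").encode())


def scrub(node, targets):
    """Return (scrubbed copy, hit count); targets are lowercase email/name values."""
    if isinstance(node, dict):
        out, hits = {}, 0
        for key, value in node.items():
            if (isinstance(value, str) and key.lower().endswith(ID_SUFFIXES)
                    and value.strip().lower() in targets):
                out[key], n = REDACTED, 1
            else:
                out[key], n = scrub(value, targets)
            hits += n
        return out, hits
    if isinstance(node, list):
        pairs = [scrub(item, targets) for item in node]
        return [p for p, _ in pairs], sum(n for _, n in pairs)
    return node, 0  # scalars, including free-text bodies, pass through unchanged


def audit_row(shop: str, hits: int) -> dict:
    """Compliance record: proves the redaction ran, holds no email or name."""
    return {"event": "customers/redact", "shop": shop, "fields_redacted": hits}


# Constructed sample snapshot, not real data.
SAMPLE_PACK = {
    "order": {"customer": {"email": "Jane@Example.com", "name": "Jane Doe"},
              "billing_name": "Jane Doe", "product_name": "Blue Mug"},
    "messages": [{"from_email": "support@shop.example", "body": "Hi Jane Doe"},
                 {"from_email": "jane@example.com", "body": "Where is it?"}],
}
TARGETS = {"jane@example.com", "jane doe"}
```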

GDPR-related retention

Where GDPR applies, we process personal data only for the purposes documented in our Privacy Policy and only for as long as those purposes require. Where retention is required by law (for example, financial recordkeeping obligations on the merchant), we keep the minimum dataset necessary to satisfy the obligation and remove identifying fields where possible.

Contact

Questions about retention, deletion, or how a particular dataset is handled: privacy@disputedesk.app.