Ridgeline GDPR Mailchimp Sync
A Shopify Compliance App

Privacy Policy

Last updated: May 20, 2026

Ridgeline GDPR Mailchimp Sync acts strictly as a data processor on behalf of Shopify merchants. We do not collect, sell, or share customer personal data for any purpose other than fulfilling mandatory privacy compliance obligations.

1. Who We Are

Ridgeline GDPR Mailchimp Sync ("the App", "we", "our") is a Shopify application that automates merchant compliance with data-deletion requests under GDPR, CCPA, and other applicable privacy regulations. The merchant who installs the App is the data controller; we operate solely as their data processor in accordance with their instructions.

2. Data We Process

We process the following categories of data only to fulfil compliance obligations:

3. How We Use Data

We use the data we receive exclusively for the following purposes:

4. Data We Do Not Store

We do not store raw customer personal data (names, email addresses, phone numbers, or purchase history) in permanent storage at any point. Webhook payloads are processed in memory and immediately discarded after the Mailchimp API call resolves. Only the anonymised SHA-256 hash and outcome status are persisted to our audit database.

5. Data Transmission & Security

All data in transit — including Shopify webhook deliveries, Mailchimp API calls, and browser sessions — is encrypted using industry-standard TLS 1.2 or higher. Shopify webhooks are authenticated using HMAC-SHA256 signature verification on the raw request body before any processing occurs. Merchant credentials are stored encrypted at rest in our provisioned PostgreSQL database and are never exposed in logs or API responses.

6. Merchant Token Retention & Uninstall

When a merchant uninstalls Ridgeline GDPR Mailchimp Sync from their Shopify store, their Shopify access token and Mailchimp credentials are automatically scheduled for deletion. All merchant integration tokens are permanently purged from our systems within 48 hours of an uninstall event being received. Anonymised audit log entries are retained for the 12-month audit period and then deleted.

7. Third-Party Services

The App integrates with the following third-party platforms on the merchant's behalf:

We do not share merchant or customer data with any other third parties, do not use data for advertising or profiling, and do not sell data under any circumstances.

8. Your Rights

If you are a customer of a merchant who uses this App and wish to exercise your rights under GDPR (access, rectification, erasure, portability, objection) or CCPA (know, delete, opt-out), please contact the merchant directly. They are the data controller responsible for responding to your request. We will process any legitimate erasure instruction received via the merchant's Shopify store automatically.

9. Cookies & Tracking

The App uses a single, cryptographically signed HttpOnly session cookie to maintain a merchant's authenticated browser session on the settings dashboard. No third-party tracking cookies, analytics pixels, or advertising trackers are used.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to merchants via the App's dashboard. Continued use of the App after the effective date of any update constitutes acceptance of the revised policy.

11. Contact Us

Questions about this policy?
If you have questions about how we handle data or wish to raise a privacy concern, please contact us at:

Ridgeline GDPR Mailchimp Sync — Privacy Enquiries
Email: privacy@gdpr-redactor.replit.app