WinbackIQ

Protected customer data & privacy

What we access

WinbackIQ requests read_orders and read_customers so it can compute an RFM (Recency / Frequency / Monetary) segmentation of your customers from your own order history. This makes it a Protected Customer Data Level 2 app at the access boundary.

What we store

We do not store customer PII. The analysis worker reads orders and customer identifiers transiently, derives the aggregate scores, and then discards everything except:

• an opaque Shopify customer ID (the GID — used only to let you open the customer in your own admin and to write back a segment tag);
• numeric aggregates: recency (days), order count, total spend, the R/F/M scores 1–5, the lifecycle segment, and the revenue at risk.

No names, emails, phone numbers, addresses, payment details or individual line items are ever written to our database or logs.

Data lifecycle & GDPR

• customers/data_request — we hold only an opaque ID and aggregate scores for a customer; there is no PII to assemble.
• customers/redact — we delete that customer's aggregate rows by opaque ID.
• shop/redact — when you uninstall, we cascade-delete every row for your shop ~48 hours later.

Write-back

The optional Pro tag-sync uses write_customers only to add a non-destructive WinbackIQ:<Segment> tag to your customers, so you can target each cohort in Klaviyo or email. It never reads or modifies any other customer field.