Privacy Policy

Last updated: 2 April 2026

1. About this Policy

This Privacy Policy explains how ReturnCover ("we", "us", "our") collects, uses, stores, and protects personal information when you use our platform. ReturnCover is a shipping protection and returns management application for Shopify merchants, operated by Selah and Stone Pty Ltd (ABN [insert ABN]), based in Victoria, Australia.

This policy applies to:

  • Merchants who install and use ReturnCover on their Shopify store
  • Customers (also referred to as "shoppers" or "buyers") whose personal information is processed through ReturnCover when they submit a return or exchange request through a merchant's returns portal
  • Visitors to the ReturnCover website (returncover.com)

2. Our Role

When processing customer return requests, ReturnCover acts as a data processor on behalf of the merchant. The merchant is the data controller -- they determine why and how customer personal data is collected and processed. We process customer data only as instructed by the merchant and in accordance with this policy.

When merchants interact with us directly (signing up, contacting support, managing their account), we act as a data controller for the merchant's own information.

3. Information We Collect

3.1 From Merchants

  • Business name and contact details (name, email address, phone number)
  • Shopify store URL and store information
  • Billing information (processed via Shopify's billing system -- we do not store payment card details)
  • AusPost eParcel credentials (API keys, account numbers -- stored encrypted)
  • Return policy configuration and preferences

3.2 From Customers (via the merchant's returns portal)

  • Name and email address (from the Shopify order)
  • Shipping address (from the Shopify order)
  • Order details (order number, items purchased, prices, discounts applied)
  • Return request details (items being returned, return reason, sub-reason, item condition)
  • Photos uploaded as part of the return process
  • Exchange item selections and pre-order acknowledgements
  • IP address and browser information (collected automatically for security and fraud prevention)

3.3 From Website Visitors

  • Information submitted through our contact form (name, email, store URL, message)
  • Basic analytics data (pages visited, referral source) -- we use minimal, privacy-respecting analytics
  • We do not use tracking cookies for advertising purposes

3.4 From Shopify

When a merchant installs ReturnCover, we access certain data through Shopify's APIs as authorised by the merchant. This includes order data, product data, customer data (limited to what is needed for processing returns), and fulfilment data. We request only the minimum Shopify API scopes required to provide our service.

4. How We Use Information

4.1 Customer Data (processed on behalf of merchants)

  • Processing and managing return and exchange requests
  • Generating return shipping labels via Australia Post (eParcel)
  • Calculating fees, store credit, and exchange values
  • Communicating with customers about their return status (on behalf of the merchant)
  • Storing return request photos for merchant review
  • Detecting and preventing fraudulent return activity

4.2 Merchant Data

  • Providing and maintaining the ReturnCover service
  • Account administration and billing
  • Communicating with merchants about their account, service updates, and support
  • Improving our platform and developing new features

4.3 Website Visitor Data

  • Responding to enquiries
  • Basic website analytics to improve our site

5. How We Share Information

We do not sell, rent, or trade personal information to third parties. We share personal information only in the following circumstances:

With the merchant: Customer return data is shared with the merchant who installed ReturnCover. The merchant is the data controller and determines how customer data is used within their business.

With Australia Post: When generating return shipping labels, we share the customer's name and shipping address with Australia Post via their eParcel API. This is necessary to create the return label and is done on behalf of the merchant.

With Cloudflare: We use Cloudflare R2 for secure storage of return photos and documents. Cloudflare processes this data in accordance with their privacy policy and data processing agreement.

With Shopify: ReturnCover operates on the Shopify platform. Shopify may process data in accordance with their own privacy policy and data processing agreements.

As required by law: We may disclose personal information if required by law, regulation, legal process, or governmental request.

6. Data Security

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

  • Encryption in transit: All data transmitted between customers, merchants, and our servers is encrypted using TLS/HTTPS
  • Encryption at rest: Sensitive data, including carrier API credentials, is encrypted at rest in our database
  • Access controls: Access to personal data is restricted to authorised personnel who need it to provide the service
  • Secure infrastructure: Our application is hosted on Fly.io with automated security updates. File storage uses Cloudflare R2 with access controls
  • Shopify session tokens: We use Shopify's recommended session token authentication -- we do not rely on third-party cookies

7. Data Retention

Customer return data: Retained for the period configured by the merchant, with a default of 24 months from the date of the return request. After this period, data is deleted or anonymised. Merchants may request earlier deletion.

Merchant account data: Retained for the duration of the merchant's use of ReturnCover, plus 12 months after account closure for record-keeping and legal compliance purposes.

Return photos: Retained for the same period as the associated return request. Stored securely in Cloudflare R2.

Website contact form submissions: Retained for up to 12 months.

8. Your Rights

8.1 For Customers

If you are a customer who has submitted a return through a store using ReturnCover, your personal data is controlled by the merchant (the store). To exercise your data rights (access, correction, deletion), please contact the store directly. If the store is unable to assist, you may contact us at privacy@returncover.com and we will work with the merchant to address your request.

8.2 For Merchants

You may access, update, or delete your account information at any time through the ReturnCover admin dashboard. To request a complete export or deletion of all data associated with your account, contact us at privacy@returncover.com.

8.3 Under the Australian Privacy Act 1988

If you are in Australia, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached

8.4 Under the GDPR (for EU/UK individuals)

If you are in the European Economic Area or the United Kingdom, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure of your data
  • Restrict or object to processing
  • Data portability
  • Lodge a complaint with your local data protection authority

9. International Data Transfers

ReturnCover is based in Australia. Data may be processed and stored in Australia and in other jurisdictions where our service providers operate (including the United States, where Cloudflare and Shopify have infrastructure). Where data is transferred internationally, we ensure appropriate safeguards are in place as required by applicable law.

10. Shopify Compliance Webhooks

ReturnCover subscribes to Shopify's mandatory compliance webhooks:

  • customers/data_request: When a customer requests their data, we compile and provide all return-related data we hold for that customer
  • customers/redact: When a customer requests deletion, we delete all personal data associated with that customer from our systems
  • shop/redact: When a merchant uninstalls ReturnCover, we delete all data associated with that store within 48 hours

11. Cookies and Tracking

ReturnCover uses only functional cookies necessary for the operation of the service (such as session management). We do not use advertising cookies, tracking pixels, or third-party analytics that track individual users across websites. The ReturnCover website uses minimal, privacy-respecting analytics that do not collect personally identifiable information.

12. Children's Privacy

ReturnCover is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us at privacy@returncover.com.

13. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify merchants of material changes via email or through the ReturnCover admin dashboard. The "Last updated" date at the top of this policy indicates when it was last revised.

14. Contact Us

If you have questions about this Privacy Policy or our data practices:

Email: privacy@returncover.com
Postal address: Selah and Stone Pty Ltd, [insert address], Victoria, Australia

For privacy complaints, you may also contact the Office of the Australian Information Commissioner at www.oaic.gov.au.