Privacy Policy

1. Who we are and how to reach us

Operating entity: Hiro Holdings LLC, a Massachusetts limited liability company. OriginProof is a product of Hiro Holdings LLC.

Contact: hello@originproof.co

Mailing address: 82 Wendell Ave. Ste 100, Pittsfield, MA 01201, USA

In this Policy:

2. Scope, and what we do NOT collect

This Policy covers the information processed when a Merchant installs and uses the OriginProof app inside the Shopify admin, together with the public storefront badge and public proof page the Service renders.

We collect NO buyer or shopper personal data. The Service reads only product data and information the Merchant enters. It never accesses, requests, receives, or stores any Shopify Customer or Order object — no buyer names, emails, addresses, phone numbers, payment data, or order history. Under Shopify's customer-data classification framework, OriginProof is Level 0 (PCD Level 0): it processes none of the customer-data categories Shopify designates as sensitive.

Our OAuth permissions are deliberately minimal:

We request no permission to write to products, themes, customers, or orders.

3. The data categories we DO process, and why

We process only the categories below. Each is tied to a specific purpose: operating the Service for you.

Possible personal data — supplier and attestor names. Supplier and attestor/signer names are Merchant-supplied and are usually those of a company. However, they may identify an individual (for example, a sole proprietor), in which case they constitute personal data. The same is true of free-text fields you type (notes, attestation statements, sign-off names). You control what you enter here.

Store-owner contact details (Shopify-populated). Shopify's session record may include certain store-owner account fields — such as the store owner's name and email — that Shopify populates as part of the standard app-session record. We do not collect these for our own use, and we do not use them for marketing; they are deleted together with the rest of the session when the app is uninstalled (see Section 8).

4. Our role: processor / service provider

For the information you enter, we act as your service provider / processor — we process it on your behalf and on your instructions, to operate the Service. You are the controller of your own information and of the supplier/attestor information you choose to enter; you are responsible for having the right to provide it to us.

5. How we use the data (and our basis for it)

We use the data only to provide the Service to you, specifically to:

Where a lawful-basis framework applies, our processing is grounded in the performance of our contract with you (our Terms) and in our legitimate interest in operating and securing the Service. We do not use your data for advertising, profiling, or sale, and we do not sell or “share” it for cross-context behavioral advertising.

6. Publication: the badge and public proof page

Some surfaces of the Service are intentionally public. When you publish a claim, you authorize us to publish — on your store's domain and at an unguessable URL — a trust badge and a public proof page for that claim. The badge is labeled "U.S. Origin Evidence on File" (with the subtext "Merchant-attested - view evidence") and links to the proof page; the label reflects that the underlying evidence is supplied and attested to by you, the Merchant.

What the public proof page shows vs. what it keeps back. The public proof page is designed to show high-level claim information (such as the claim wording, claim type, the date of the file, and a content hash) and to strip out supplier/attestor names and cost figures, telling visitors that those details are kept in the merchant's downloadable file, not published on the page.

By publishing a claim you acknowledge that the badge, the proof page, and the linked Substantiation File are public and may be viewed or downloaded by anyone with the link until you unpublish, let your subscription lapse, or uninstall. (To reduce search-engine exposure, the public proof page and PDF are served with a noindex instruction; this discourages indexing but does not make a published page private.)

7. Sub-processors and service providers

We use a small set of vendors to run the Service. We do not sell your data to anyone. Our current sub-processors / service providers are:

No object-storage sub-processor. Because the Substantiation File is regenerated on demand and no PDF file is stored at rest, there is no separate file/object-storage provider in our processing chain.

8. Retention and deletion

Retention posture. There is no FTC-mandated retention period for this type of record (16 CFR Part 323 sets none). We retain your records while your subscription is active and your claim is live. You always keep your own downloadable copy of every Substantiation File, so deleting our copy never destroys your ability to substantiate your own claim.

Deletion on uninstall. When you uninstall the app, Shopify immediately notifies us (the app/uninstalled webhook), and we delete the app session for your store. Then, approximately 48 hours after uninstall, Shopify sends us a shop/redact request. This triggers our full purge: every stored row for your shop is hard-deleted — all claim and origin-evidence data, the billing-status mirror, and any remaining Shopify session record — in a single, atomic, shop-scoped database transaction. An automated test derived from our database schema guarantees that no table is missed, so a new data table cannot ship without being included in the purge. Because no PDF is stored and the proof-page token lives on the deleted record, the public proof page and PDF stop resolving once the rows are gone.

How we honor Shopify's mandatory privacy webhooks. We implement all three of Shopify's mandatory privacy/compliance webhooks. Each is HMAC-verified; a request with an invalid signature is rejected with HTTP 401 before any handler runs:

9. Your rights and how to exercise them

Depending on where you are located, you (and individuals whose information you have entered) may have rights to access, correct, delete, or restrict processing of personal data, or to obtain a copy of it.

How to exercise them. Because we process the information you enter as your service provider, requests are best directed through you, the Merchant — you can view, edit, and delete the claims and evidence you have entered directly in the app, and you can trigger full deletion by uninstalling (which fires shop/redact). For any request you cannot complete in-app, or to ask a question about this Policy, contact us at hello@originproof.co and we will respond consistent with applicable law and our obligations to you.

How the Shopify webhooks map to these rights. A shopper's data-access or deletion request arrives via customers/data_request / customers/redact — and, because we hold no buyer data, results in nothing to surface or redact. A Merchant's deletion right is fulfilled by uninstalling, which triggers the shop/redact purge of all your stored data.

10. Security

We apply a security baseline appropriate to the limited, non-buyer data we process. At a high level:

No method of storage or transmission is perfectly secure, and we do not guarantee absolute security.

11. International transfers, children, changes, and disclaimer

International transfers. The Service is operated from, and stores data in, the United States. If you access the Service from outside the United States, you understand that your information will be processed in the U.S.

Children. The Service is a business-to-business product intended for use by Shopify merchants. It is not directed to children and does not knowingly process children's personal information.

Changes to this Policy. We may update this Policy from time to time. When we do, we will revise the "Last updated" date above and, where appropriate, notify Merchants. Continued use of the Service after an update takes effect constitutes acceptance of the updated Policy.