Privacy Policy
Last updated: June 30, 2026
This Privacy Policy explains how Hiro Holdings LLC, the company that provides OriginProof, handles information when a Shopify merchant installs and uses the OriginProof application (the "Service").
1. Who we are and how to reach us
Operating entity: Hiro Holdings LLC, a Massachusetts limited liability company. OriginProof is a product of Hiro Holdings LLC.
Contact: hello@originproof.co
Mailing address: 82 Wendell Ave. Ste 100, Pittsfield, MA 01201, USA
In this Policy:
- "Merchant," "you," "your" means the Shopify store that installs and uses the Service.
- "Substantiation File" means the dated "Made in USA Substantiation File" (a PDF plus a structured record) the Service generates from information the Merchant supplies.
What OriginProof is — and is not. OriginProof organizes evidence that the Merchant supplies. It does not verify, certify, audit, adjudicate, or guarantee any claim, and it does not make a Merchant's claim lawful under the FTC standard or otherwise lawful. It is not legal advice and not a compliance guarantee. Whether a "Made in USA" or qualified-origin claim is lawful under the FTC standard depends on the Merchant's own facts and on the Federal Trade Commission; the Merchant is solely responsible for their claim and for substantiating it. This Policy describes data handling only; it does not change that framing.
2. Scope, and what we do NOT collect
This Policy covers the information processed when a Merchant installs and uses the OriginProof app inside the Shopify admin, together with the public storefront badge and public proof page the Service renders.
We collect NO buyer or shopper personal data. The Service reads only product data and information the Merchant enters. It never accesses, requests, receives, or stores any Shopify Customer or Order object — no buyer names, emails, addresses, phone numbers, payment data, or order history. Under Shopify's customer-data classification framework, OriginProof is Level 0 (PCD Level 0): it processes none of the customer-data categories Shopify designates as sensitive.
Our OAuth permissions are deliberately minimal:
- read_products — read product data only.
- write_app_proxy — a configuration permission that lets the public proof page be served on your store's domain. This is not a data-write permission.
We request no permission to write to products, themes, customers, or orders.
3. The data categories we DO process, and why
We process only the categories below. Each is tied to a specific purpose: operating the Service for you.
| Data category | What it is | Why we process it |
|---|---|---|
| Shop domain | Your Shopify store domain (e.g. store.myshopify.com). It tags every record we store and is the tenant key that isolates your data from every other store's. | To identify and isolate your account's data, and to scope deletion on uninstall. |
| Shopify OAuth access token | The token Shopify issues so the app can read your product data. Stored only in Shopify's session record (via the Prisma session store); never written to logs or to our source repository. | To authenticate the app's read-only calls to the Shopify Admin API on your behalf. |
| Selected product identifiers | For products you choose, the product/variant identifier (GID), handle, and title. | To attach a claim to the right product and to render the badge and proof page for it. |
| Merchant-entered claim information | The claim wording you advertise, the claim type, and where the claim appears (e.g. product page, hang tag, packaging, ads). Captured verbatim; never parsed for a verdict. | To assemble the Substantiation File and the proof page from your own description of your claim. |
| Merchant-entered origin evidence | Bill-of-materials components and their countries of origin; component cost figures; a derived U.S.-content cost percentage; final-assembly and processing locations; and free-text notes explaining sourcing. | To organize the evidence you supply into the dated Substantiation File. |
| Supplier names and attestor/signer names + attestation statements | The names of suppliers and of the person(s) who attest to or sign off on the evidence, plus their attestation text and date. | To record who supplied or attested to the evidence and when. |
| Generated-file metadata | A timestamp, a content hash, a version number, and an unguessable proof-page token. No PDF file is stored — the Substantiation File is regenerated on demand. | To date and version the file, detect changes, and serve the public proof page at an unguessable URL. |
| Billing/entitlement status | A cached copy of your subscription status (active / trialing / lapsed) sourced from Shopify's billing system. Shopify is the source of truth; we keep a mirror. | To gate access to paid features and to keep public surfaces live only while your subscription is active. |
Possible personal data — supplier and attestor names. Supplier and attestor/signer names are Merchant-supplied and are usually those of a company. However, they may identify an individual (for example, a sole proprietor), in which case they constitute personal data. The same is true of free-text fields you type (notes, attestation statements, sign-off names). You control what you enter here.
Store-owner contact details (Shopify-populated). Shopify's session record may include certain store-owner account fields — such as the store owner's name and email — that Shopify populates as part of the standard app-session record. We do not collect these for our own use, and we do not use them for marketing; they are deleted together with the rest of the session when the app is uninstalled (see Section 8).
4. Our role: processor / service provider
For the information you enter, we act as your service provider / processor — we process it on your behalf and on your instructions, to operate the Service. You are the controller of your own information and of the supplier/attestor information you choose to enter; you are responsible for having the right to provide it to us.
5. How we use the data (and our basis for it)
We use the data only to provide the Service to you, specifically to:
- generate and maintain your dated Substantiation File;
- render the storefront badge and the public proof page for claims you publish;
- detect and flag potentially stale claims (for example, when the underlying Shopify product's title, handle, status, or variants change after a file was generated);
- bill you for the Service through Shopify's billing system and gate paid features accordingly.
Where a lawful-basis framework applies, our processing is grounded in the performance of our contract with you (our Terms) and in our legitimate interest in operating and securing the Service. We do not use your data for advertising, profiling, or sale, and we do not sell or “share” it for cross-context behavioral advertising.
6. Publication: the badge and public proof page
Some surfaces of the Service are intentionally public. When you publish a claim, you authorize us to publish — on your store's domain and at an unguessable URL — a trust badge and a public proof page for that claim. The badge is labeled "U.S. Origin Evidence on File" (with the subtext "Merchant-attested - view evidence") and links to the proof page; the label reflects that the underlying evidence is supplied and attested to by you, the Merchant.
What the public proof page shows vs. what it keeps back. The public proof page is designed to show high-level claim information (such as the claim wording, claim type, the date of the file, and a content hash) and to strip out supplier/attestor names and cost figures, telling visitors that those details are kept in the merchant's downloadable file, not published on the page.
By publishing a claim you acknowledge that the badge, the proof page, and the linked Substantiation File are public and may be viewed or downloaded by anyone with the link until you unpublish, let your subscription lapse, or uninstall. (To reduce search-engine exposure, the public proof page and PDF are served with a noindex instruction; this discourages indexing but does not make a published page private.)
7. Sub-processors and service providers
We use a small set of vendors to run the Service. We do not sell your data to anyone. Our current sub-processors / service providers are:
| Provider | Role | Geography |
|---|---|---|
| Shopify Inc. | The platform: OAuth, the billing rail (Shopify App Pricing), webhooks, and the App Proxy that serves the public proof page on your store's domain. | Per Shopify's infrastructure. |
| Supabase | The managed PostgreSQL database where your records are stored. Accessed only server-side via Prisma; your browser never connects to it directly. | United States (region us-east-2). |
| Render | The Node application host (web service) that runs the app. | Per Render's infrastructure. |
| Namecheap Private Email | Hosts the hello@originproof.co mailbox used for support and contact. | Per Namecheap's infrastructure. |
No object-storage sub-processor. Because the Substantiation File is regenerated on demand and no PDF file is stored at rest, there is no separate file/object-storage provider in our processing chain.
8. Retention and deletion
Retention posture. There is no FTC-mandated retention period for this type of record (16 CFR Part 323 sets none). We retain your records while your subscription is active and your claim is live. You always keep your own downloadable copy of every Substantiation File, so deleting our copy never destroys your ability to substantiate your own claim.
Deletion on uninstall. When you uninstall the app, Shopify immediately notifies us (the app/uninstalled webhook), and we delete the app session for your store. Then, approximately 48 hours after uninstall, Shopify sends us a shop/redact request. This triggers our full purge: every stored row for your shop is hard-deleted — all claim and origin-evidence data, the billing-status mirror, and any remaining Shopify session record — in a single, atomic, shop-scoped database transaction. An automated test derived from our database schema guarantees that no table is missed, so a new data table cannot ship without being included in the purge. Because no PDF is stored and the proof-page token lives on the deleted record, the public proof page and PDF stop resolving once the rows are gone.
How we honor Shopify's mandatory privacy webhooks. We implement all three of Shopify's mandatory privacy/compliance webhooks. Each is HMAC-verified; a request with an invalid signature is rejected with HTTP 401 before any handler runs:
- customers/data_request — a shopper asks what data is held about them. We hold no buyer data, so there is nothing to surface.
- customers/redact — a shopper-deletion request. We hold no buyer data, so there is nothing to redact.
- shop/redact — fires ~48 hours after a Merchant uninstalls. This is the full purge described above.
9. Your rights and how to exercise them
Depending on where you are located, you (and individuals whose information you have entered) may have rights to access, correct, delete, or restrict processing of personal data, or to obtain a copy of it.
How to exercise them. Because we process the information you enter as your service provider, requests are best directed through you, the Merchant — you can view, edit, and delete the claims and evidence you have entered directly in the app, and you can trigger full deletion by uninstalling (which fires shop/redact). For any request you cannot complete in-app, or to ask a question about this Policy, contact us at hello@originproof.co and we will respond consistent with applicable law and our obligations to you.
How the Shopify webhooks map to these rights. A shopper's data-access or deletion request arrives via customers/data_request / customers/redact — and, because we hold no buyer data, results in nothing to surface or redact. A Merchant's deletion right is fulfilled by uninstalling, which triggers the shop/redact purge of all your stored data.
10. Security
We apply a security baseline appropriate to the limited, non-buyer data we process. At a high level:
- Data is encrypted in transit (TLS).
- Secrets (such as database credentials and the Shopify token) live outside our source repository and are not written to logs.
- The database enforces row-level security, and every record is tagged with the shop domain so one store's data is isolated from another's.
- The app uses least-privilege OAuth permissions (read_products plus the app-proxy configuration permission) and reads only product data.
- All Shopify webhooks are HMAC-verified, with invalid signatures rejected.
No method of storage or transmission is perfectly secure, and we do not guarantee absolute security.
11. International transfers, children, changes, and disclaimer
International transfers. The Service is operated from, and stores data in, the United States. If you access the Service from outside the United States, you understand that your information will be processed in the U.S.
Children. The Service is a business-to-business product intended for use by Shopify merchants. It is not directed to children and does not knowingly process children's personal information.
Changes to this Policy. We may update this Policy from time to time. When we do, we will revise the "Last updated" date above and, where appropriate, notify Merchants. Continued use of the Service after an update takes effect constitutes acceptance of the updated Policy.
Disclaimer (load-bearing). OriginProof organizes evidence the Merchant supplies. It does NOT verify, certify, audit, adjudicate, or guarantee any claim, and it does NOT make a Merchant's claim lawful under the FTC standard or otherwise lawful. It is NOT legal advice and NOT a compliance guarantee. Whether a "Made in USA" or qualified-origin claim is lawful under the FTC standard depends on the Merchant's own facts and on the Federal Trade Commission; the Merchant is solely responsible for their claim and for substantiating it.