Summary
Drop Sigma is a multi-tenant SaaS that helps Shopify merchants automate email replies, run RMA / refund workflows, coordinate vendors, and chat with their team. We only collect what is necessary to deliver the service, we never sell your data, our AI sub-processor (Anthropic) does not train on your data, and we comply with Shopify's Protected Customer Data requirements, GDPR (EU/UK), and CCPA (California).
1. Introduction
"Drop Sigma", "we", "us" and "our" refer to Drop Sigma, a United States-based service serving merchants globally through dropsigma.com. Drop Sigma is a multi-tenant Django SaaS that provides Shopify merchants with:
- AI email automation — drafting replies to customer emails using Anthropic Claude.
- RMA workflow management — handling returns, refunds, and exchange requests.
- Vendor management — routing fulfillment to your suppliers / dropshippers.
- Team chat — real-time messaging between operators inside your business.
This Privacy Policy explains what data we collect, why we collect it, who we share it with, how long we keep it, and the rights you and your customers have over it. It applies to every visitor to dropsigma.com and every merchant or end customer whose data flows through the Service.
2. Information We Collect
2.1 Information merchants provide directly
- Account details — business name, contact name, email address, password (hashed with PBKDF2), phone number (optional), and time zone.
- Team members — names, emails, and roles you assign to your operators and vendors inside Drop Sigma.
- Billing information — handled by Stripe at dropsigma.com; we store only the customer ID, plan name, and last 4 card digits returned by Stripe. We never see or store raw card numbers.
- Support correspondence — any emails, chat messages, or screenshots you send to our support team.
2.2 Information collected from Shopify (via OAuth)
When you install Drop Sigma on your Shopify store and approve the OAuth scopes we request, Shopify shares the following with us:
- Orders — order ID, line items (title, variant, SKU, quantity), totals, currency, financial status, and fulfillment status.
- Customer data — name, email address, shipping address, billing address, phone number, and the order history tied to your shop. This is treated as Shopify Protected Customer Data.
- Products — product titles, variants, SKUs, prices, and inventory levels of the catalog you sell.
- Fulfillments — tracking numbers, carrier names, and fulfillment events we read or push back to your store.
- Shop metadata — your shop domain, plan, currency, and primary contact email.
2.3 Information collected from connected Gmail accounts (via OAuth)
If you optionally connect a Gmail account so Drop Sigma can draft and send replies on your behalf, Google shares the following with us under the scopes you approve:
- Email subject lines, sender / recipient addresses, and message bodies.
- Attachments (downloaded only when needed to classify or quote in a draft).
- Real-time push notifications via Google Cloud Pub/Sub when new mail arrives.
- Permission to send outbound email from your connected Gmail address.
We use this data only to draft and send replies, classify intent (refund / question / shipping / spam), and trigger workflow automations you have configured. We do not read your inbox for any other purpose, and we do not use Gmail data to train AI models.
2.4 Information collected automatically
- Technical data — IP address, browser type, OS, and approximate location, used for security, abuse detection, and rate limiting.
- Usage events — which features you opened, when you logged in, which buttons you clicked. Used solely to improve reliability and the product.
- Cookies — see Section 7.
3. How We Use This Data
We process the data described above for the following purposes only:
- AI-generated email replies — we send the email content (subject, body, customer name, related order details) to Anthropic's Claude API (model: claude-haiku-4-5) to generate a draft reply. The draft is shown to you for approval, or sent automatically if you have enabled auto-send.
- RMA / refund workflow processing — matching customer requests to orders, generating return labels, and synchronizing refund status back to Shopify.
- Vendor assignment routing — assigning new orders to the correct vendor / supplier based on rules you configure.
- Team chat and activity logs — storing messages your operators send to each other inside Drop Sigma and audit trails of actions taken on orders.
- Service authentication & security — verifying logins, OAuth callbacks, and webhook HMAC signatures.
- Transactional notifications — sending password resets, vendor invites, billing receipts, and product update emails through Resend.
- Analytics & service improvement — anonymized usage and error reporting to fix bugs and prioritize features.
- Legal compliance — responding to GDPR / CCPA requests, tax invoicing, lawful subpoenas, and Shopify's Protected Customer Data obligations.
We do not use your data, your customers' data, or your email content for advertising, profiling, AI model training, or any purpose unrelated to delivering Drop Sigma.
4. Third-Party Processors
We share data only with the small set of sub-processors needed to run the Service. Each is contractually bound to confidentiality and data-protection terms, including a Data Processing Agreement (DPA) where applicable.
| Sub-processor | Purpose | Region |
| --- | --- | --- |
| Anthropic (Claude API) | AI text generation for email drafts and intent classification. Anthropic does not train on data submitted through their API. | USA |
| Resend | Outbound platform transactional email (password resets, vendor invites, billing receipts). | USA / EU |
| Railway | Application hosting and managed Postgres database. All merchant data lives here. | USA |
| Google (Cloud Pub/Sub + Gmail API) | Real-time email push notifications and outbound send for tenants who connect Gmail. Subject to Google's Privacy Policy. | Global |
| Stripe | Subscription payment processing for paying tenants. Billed externally at dropsigma.com — not via Shopify's billing API. | USA / EU |
| Shopify | Source platform for order, product, customer, and fulfillment data for the stores you connect. | Global |
We never sell personal data to advertisers, data brokers, or any third party. We never share Shopify Protected Customer Data with any party other than the sub-processors listed above for the purposes described.
5. Data Retention
- Active accounts — data is retained for as long as you continue to use Drop Sigma.
- App uninstall — when you uninstall Drop Sigma from your Shopify store, all data associated with your shop is deleted within 30 days.
- GDPR customers/redact webhook — when Shopify forwards this request (48 hours after a customer requests erasure), Drop Sigma anonymizes that customer's data within 30 days, as required by Shopify's policy.
- GDPR shop/redact webhook — when Shopify forwards this request (48 hours after uninstall), Drop Sigma purges the entire shop dataset within 30 days.
- GDPR customers/data_request webhook — we respond with the requested customer's data within 30 days.
- Email message history — retained for 90 days rolling, then archived in cold storage for an additional 12 months for audit before permanent deletion.
- Billing records — retained for 7 years to satisfy tax and accounting law.
- Application logs — 30 days, then permanently deleted.
For Shopify merchants
Drop Sigma implements all three mandatory Shopify GDPR webhooks (customers/data_request, customers/redact, shop/redact) with HMAC signature verification. Compliance is automated and does not require any action from you.
6. GDPR Rights (for EU / UK customers)
If you or your customers are in the European Economic Area or the United Kingdom, you have the following rights under the GDPR / UK GDPR:
- Right of access — request a copy of the personal data we hold about you.
- Right to erasure ("right to be forgotten") — request deletion of your personal data.
- Right to data portability — receive your data in a structured, machine-readable format (JSON or CSV).
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to restriction of processing — ask us to pause processing while a dispute is resolved.
- Right to object — object to processing based on our legitimate interests.
- Right to lodge a complaint — file a complaint with your local supervisory authority (e.g., the ICO in the UK, CNIL in France, DPC in Ireland).
To exercise any of these rights, email privacy@dropsigma.com. We respond within 30 days, free of charge unless the request is manifestly unfounded or excessive.
7. Cookies & Tracking
Drop Sigma uses a minimal set of cookies. We do not use advertising or cross-site tracking cookies.
- Session cookie (sessionid) — keeps you logged in. Essential.
- CSRF cookie (csrftoken) — protects against cross-site request forgery. Essential.
- Cookie consent choice (ds_cookie_choice) — remembers whether you accepted or declined non-essential cookies. Stored in localStorage.
- First-party analytics — basic page-view counters; no third-party advertising network involved.
You can clear cookies from your browser settings at any time. Disabling essential cookies will sign you out and may break parts of the dashboard. See our Cookie Policy for details.
8. Security
- TLS in transit — every connection between you, Drop Sigma, and our sub-processors is encrypted with TLS 1.2 or higher.
- Encrypted at rest — the Postgres database on Railway is encrypted at rest.
- OAuth tokens encrypted — Shopify and Gmail OAuth refresh tokens are stored encrypted using Django's SECRET_KEY-derived encryption.
- Per-tenant scoping — every database query is filtered by the requesting user's tenant; we explicitly forbid superuser-fallback patterns that could leak data across stores.
- Webhook HMAC verification — every Shopify webhook is verified with Shopify's HMAC signature before processing.
- Access controls — production access is restricted to authorized engineers via single sign-on and 2FA. All access is audit-logged.
- Password hashing — passwords are hashed with PBKDF2 (Django default) and never stored in plain text.
9. Children's Privacy
Drop Sigma is a B2B product targeted at e-commerce merchants. It is not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, please email privacy@dropsigma.com and we will delete it.
10. International Data Transfers
Our infrastructure runs primarily in the United States (Railway). If you or your customers are located in the European Economic Area, the United Kingdom, or other regions with data-export restrictions, your data may be transferred outside your home region.
For EU / UK transfers, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal basis, supplemented by the technical measures described in Section 8.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes — for example, adding a new sub-processor or changing how we use Gmail data — we will notify you at least 30 days in advance by:
- Displaying a banner inside your Drop Sigma dashboard, and
- Emailing the primary account contact on file.
The "Last updated" date at the top of this page always reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact
For all privacy-related requests (access, deletion, portability, GDPR / CCPA inquiries, sub-processor questions, security concerns):
Email: privacy@dropsigma.com
General support: support@dropsigma.com
Website: dropsigma.com
We respond to every privacy request within 30 days as required by GDPR.