Privacy Policy

What byword is

byword helps market vendors share verified sales reports without attaching a public name to the report. This policy explains how we collect, use, disclose, retain, and protect information from the byword website, vendor app, admin tools, and Shopify connection.

Information we collect

We collect information you choose to provide, including your email address, waitlist or invite activity, vendor profile details, market requests, report submissions, correction responses, and support messages.

For report review, we collect proof files you upload, such as participation proof, sales screenshots, POS summaries, receipts, or other market evidence. These files may contain text, images, sales figures, dates, market names, and vendor-identifying information.

When you sign in, we receive authentication identifiers and session data from our authentication provider so we can connect your account to your invite status, vendor profile, reports, and app access.

Shopify connection data

If you connect a Shopify store, byword uses Shopify OAuth to request only the access scopes currently needed for vendor verification and aggregate evidence: read locations, markets, orders, and products. We use Shopify data to confirm store ownership, understand whether the store is active, classify vendor evidence, and support aggregate sales review tied to a market report.

We store Shopify shop metadata, granted scopes, connection status, encrypted access token material, and minimized evidence needed for review. We do not intentionally store raw Shopify orders, order IDs, line items, buyer names, buyer contact details, or raw Shopify payload fragments.

If you disconnect or uninstall the Shopify app, we revoke local access where supported and stop using the connection for future evidence. We may retain limited historical review records when needed for audit, fraud prevention, report integrity, legal compliance, or dispute handling.

How we use information

We use information to operate the waitlist and invite system, authenticate users, verify vendors, review reports, detect duplicate or abusive submissions, produce anonymous market sales data, send service emails, troubleshoot the app, and maintain security.

Accepted report data may be used to generate anonymous individual reports and aggregate market rollups. We do not publish your name, email address, Shopify shop domain, raw proof files, or private vendor identity beside an accepted sales report.

How we share information

We share information with service providers that help us run byword, including hosting, authentication, database, storage, email delivery, analytics, error monitoring, automation, and AI-assisted review providers. They may process information only for the services they provide to us.

We may disclose information if required by law, to protect users or the service, to investigate fraud or abuse, or as part of a business transfer such as a merger, acquisition, financing, or asset sale.

We do not sell personal information, raw proof files, Shopify token material, or buyer data.

Security

We use HTTPS, private storage, access controls, audit trails, limited-scope credentials, and encrypted Shopify token storage. Proof previews and private review materials are available only through authorized workflows.

No system can be guaranteed completely secure. If you believe your information or Shopify connection has been exposed, contact us promptly.

Retention and deletion

We keep information for as long as needed to provide byword, operate anonymous report and invite systems, comply with legal obligations, resolve disputes, prevent abuse, and maintain audit history.

You can ask us to delete your account information, disconnect Shopify, or remove submitted proof files. Some records may be retained in limited form when needed for security, legal, audit, anti-abuse, or report-integrity reasons.

Your choices

You can choose not to connect Shopify and can contact us about access, correction, deletion, or portability requests. You can unsubscribe from non-essential emails using the instructions in those messages when available. Service emails related to invites, authentication, reports, security, or account administration may still be sent.

Children

byword is intended for vendors and is not directed to children under 13. We do not knowingly collect personal information from children under 13.

Changes

We may update this policy as byword changes. If we make material changes, we will update the effective date and provide additional notice when appropriate.

Contact

For privacy questions or requests, email morgan@byword.club.