Legal

Privacy Policy

Effective March 18, 2026 — CapyBearHug LLC

Mastiff Defense is operated by CapyBearHug LLC, a Wyoming limited liability company. This Privacy Policy explains how we collect, use, and protect information when you use the Mastiff Defense Shopify app and related services at mastiffdefense.com.

By installing or using Mastiff Defense, you agree to the practices described in this policy.

01 Information We Collect

When you install Mastiff Defense on your Shopify store, we collect:

  • Your Shopify store domain and OAuth access token (required to communicate with Shopify's API)
  • Your selected subscription plan and billing status
  • The date your store was installed and any uninstall date
  • API keys generated for your store (stored as SHA-256 hashes — the raw key is shown once and never stored)

When your chatbot sends requests through our compliance pipeline, we collect:

  • The text of each request and response (processed in real time, logged for audit purposes)
  • Risk scores, compliance decisions, and reasoning for each request
  • IP addresses associated with API requests
  • Timestamps of each request

We do not store conversation history between sessions. Each request is stateless by design. This is a deliberate GDPR-friendly architectural decision.

02 How We Use Your Information

We use collected information solely to:

  • Provide the Mastiff Defense compliance screening service
  • Authenticate API requests and resolve tenant policies
  • Generate audit logs for your store's compliance activity
  • Process billing and manage your subscription via Shopify
  • Send transactional emails (installation confirmation, subscription changes)
  • Monitor service health and diagnose technical issues

We do not use your data for advertising, marketing profiling, or any purpose beyond operating the service.

03 Data Storage

Your data is stored in the following systems:

  • PostgreSQL database on Amazon RDS (AWS us-west-1, North California)
  • Audit logs stored in Amazon S3 (AWS us-west-1, server-side encrypted)
  • All data is stored within the United States

AWS infrastructure is SOC 2 certified and encrypted at rest and in transit.

04 Data Sharing

We do not sell, rent, or share your data with third parties except:

  • Shopify — required to process billing and validate app installation
  • Anthropic — customer message content is sent to Anthropic's Claude API for semantic compliance evaluation. Anthropic's privacy policy applies to this processing
  • Amazon Web Services — infrastructure provider for database and log storage
  • Legal requirements — if required by law, court order, or to protect our legal rights

05 Shopify Merchant & Customer Data

Mastiff Defense processes customer messages that pass through your chatbot. These messages may contain personal information entered by your customers.

We handle this data as follows:

  • Messages are processed in real time for compliance screening
  • Processed content is logged to your store's audit log for compliance purposes
  • No customer personal data is stored beyond what appears in the audit log
  • Conversation history is never stored server-side — it is stateless

In accordance with Shopify's Partner requirements, we respond to the following mandatory webhooks:

  • App uninstall — deactivates your store and revokes all API keys
  • Shop data erasure — permanently deletes all store data within 48 hours of request
  • Customer data erasure — removes any customer data from audit logs on request
  • Customer data request — provides a copy of any stored customer data on request

06 Your Rights

Depending on your location, you may have the following rights regarding your data:

  • Access — request a copy of the data we hold about your store
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your store's data
  • Portability — request your data in a machine-readable format
  • Objection — object to certain types of processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

07 Data Retention

  • Store and subscription data is retained for the duration of your subscription plus 90 days
  • Audit logs are retained for 12 months then automatically purged
  • After app uninstall, all store data is deleted within 48 hours upon receiving Shopify's shop redact webhook
  • API keys (hashed) are revoked immediately on uninstall

08 Security

We take security seriously:

  • All API keys are stored as SHA-256 hashes — raw keys are never stored
  • All data in transit is encrypted via TLS
  • All data at rest is encrypted via AWS SSE-S3
  • Shopify webhook signatures are verified via HMAC before processing
  • Admin access is protected by multi-user basic authentication
  • Rate limiting is applied to all public endpoints

If you discover a security vulnerability, please report it to [email protected].

09 Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify installed stores via email where possible.

Continued use of Mastiff Defense after changes constitutes acceptance of the updated policy.

10 Contact Us

For privacy questions, data requests, or concerns:

CapyBearHug LLC
Operating as Mastiff Defense
Wyoming, USA
[email protected]

We aim to respond to all privacy inquiries within 30 days.