Reapita

Last updated: May 24, 2026

Privacy Policy

Reapita, Inc. ("Reapita," "we," "us") provides subscription billing and retention software for Shopify merchants. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the choices you have. It applies to merchants installing Reapita on their Shopify store and to the end subscribers whose data flows through our service in the course of that merchant's operations.

1. Who is the data controller?

For data we process about merchants and the people they authorize to use Reapita ("Merchant Personal Data"), Reapita is the data controller. For data we process about a merchant's subscribers in the course of providing the service to that merchant ("Subscriber Personal Data"), the merchant is the controller and Reapita is the processor. See our Data Processing Addendum for the processor terms.

2. What we collect

Merchant data

  • Shop domain, shop owner name, shop owner email, billing address.
  • Account credentials (we delegate auth to Shopify; we store only the OAuth tokens needed to call the Shopify Admin API on your behalf).
  • Configuration data — plan setup, retention flow definitions, email templates.
  • Usage telemetry — feature usage, error logs, performance traces. No keystroke recording.
  • Billing data — Shopify handles charge collection; we store the resulting transaction records.

Subscriber data (on behalf of the merchant)

  • Name, email, shipping address, phone (if collected by the merchant).
  • Subscription contracts — products, cadence, next-charge date, total order count.
  • Payment-method reference — we store the Shopify Vault reference ID. We never see the underlying card number, CVV, or expiry.
  • Billing-attempt history — successes, failures, decline reason codes.
  • Portal interaction history — pauses, skips, swaps, cancel reasons.

3. Why we process it

  • To provide the service the merchant has contracted for (legal basis: contract).
  • To operate and improve the service — debugging, performance, capacity planning (legitimate interests).
  • To comply with our legal obligations, including tax, accounting, and regulatory reporting (legal obligation).
  • To detect and prevent fraud against the merchant or their subscribers (legitimate interests).
  • For aggregated, de-identified analytics that inform our product roadmap (legitimate interests).

4. AI training

Reapita uses ML models for churn prediction, save-offer drafting, and dunning copy optimization. Our models are trained on aggregated, de-identified industry data — never on individual subscriber records in a way that could be tied back to a person or merchant. We do not sell your data to third parties for any purpose, including AI training.

5. Who we share data with

  • Subprocessors — cloud infrastructure (AWS, Cloudflare), email delivery (Resend), error monitoring (Sentry), analytics (PostHog). A current list is available on request.
  • The merchant for whom you are a subscriber — we hand all subscription, billing, and portal-interaction data to them via the admin app.
  • Shopify — to operate the underlying Shopify Subscription Contract APIs, payment vault, and order pipeline.
  • Legal authorities — only when we are legally required, and only the minimum data necessary.

6. International transfers

Reapita is headquartered in the United States. Subscriber Personal Data may be transferred to and processed in the US. We rely on Standard Contractual Clauses for transfers out of the EEA, UK, and Switzerland. See our DPA for the controller-to-processor clauses.

7. How long we keep it

Active subscription data is retained for the lifetime of the merchant's account. Upon merchant uninstall, we retain a backup for 30 days, then delete it irrevocably except where law requires a longer retention period (e.g. tax records — 7 years). Subscribers may request deletion of their personal data at any time via their merchant or by contacting privacy@reapita.com.

8. Your rights

Depending on your jurisdiction (GDPR in the EEA / UK, CCPA / CPRA in California, LGPD in Brazil, and others), you may have the right to access, correct, port, restrict, or delete your personal data, and to object to certain processing. Email privacy@reapita.com to exercise any of these rights. We respond within 30 days.

9. Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is gated by role-based controls and audited. Production systems use hardware-backed MFA. We undergo annual third-party penetration tests and publish a SOC 2 Type II report on request.

10. Cookies

Our marketing site uses a single privacy-preserving analytics beacon (Cloudflare Web Analytics) that does not set cookies and does not identify individual visitors. The Reapita admin app uses session cookies for authentication only. We do not run cross-site advertising trackers.

11. Children

Reapita is a B2B service. It is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If we learn we have, we will delete it.

12. Changes to this policy

We post material changes here at least 30 days before they take effect, and notify merchants by email. Continued use of the service after the effective date constitutes acceptance of the updated policy.

13. Contact

Reapita, Inc. · privacy@reapita.com
For EU/UK data-subject requests, you may also contact our EU Representative listed at eurep@reapita.com.