Analytics choice

We use PostHog analytics to understand public site usage only if you accept. Essential auth cookies still work without analytics. Read the Privacy Policy.

WeaveCycle

Shopify-first returns routing and resale recovery.

Privacy Policy

EU-first privacy notice for WeaveCycle merchants and workspace users.

This policy explains how WeaveCycle handles account, Shopify, return workflow, and analytics data. It is a transparent legal-review draft dated May 4, 2026.

Contact

Privacy requests

WeaveCycle uses founder@weavecycle.ai for privacy, security, and data protection requests until a dedicated legal contact is published.

Email a privacy request

Controller and processor roles

WeaveCycle acts as a controller for direct site, account, support, security, and product analytics data. For Shopify merchant data and customer-related return workflow data processed inside a merchant workspace, WeaveCycle generally acts as a processor on the merchant's instructions.

This notice is not a signed data processing agreement. Merchants that need a DPA, final subprocessor terms, or legal entity details should contact WeaveCycle before sending live production data.

Data we process

Workspace and account data

Work email, name, job title, organization name, workspace name, role, invitation status, notification preferences, and sign-in timestamps.

Shopify and return workflow data

Store domain, Shopify scopes, product records, order records, customer-related order data, return reasons, routing decisions, recovery values, and sync status.

Operational and audit data

Audit log actions, product events, sync runs, import summaries, webhook events, routing overrides, export records, and support context.

Analytics and device data

Public pageviews only after consent, signed-in product events, browser metadata, timestamps, referrer, and high-level usage properties.

Purposes and lawful bases

We process data to run the service, secure it, and make return recovery measurable.

Providing the WeaveCycle workspace

Contract or pre-contractual steps with the merchant, and legitimate interests in operating the service.

Processing Shopify return, order, product, and customer-related data

Processor activity performed on merchant instructions, plus contract performance for the workspace.

Security, auditability, abuse prevention, and service integrity

Legitimate interests and legal obligations where applicable.

Public marketing analytics

Consent. Public PostHog analytics is not initialized until analytics consent is accepted.

Product analytics inside signed-in workspaces

Legitimate interests in running and improving the B2B service, with disclosures and privacy request channels available.

Cookies and analytics

Supabase and WeaveCycle use essential auth cookies for sign-in and session continuity. Public PostHog analytics uses local storage and cookies only after consent. The default analytics host is the EU PostHog endpoint.

Retention

Workspace data is retained while the workspace is active and for a reasonable period needed for audit, security, legal, and backup purposes. Pilot merchants can request deletion or export review by email.

Automated decisions

WeaveCycle routing, forecasting, and listing tools are workflow aids. The current product does not make solely automated legal or similarly significant decisions about individuals.

Your GDPR rights

We aim to respond within one month.

The response period may depend on identity verification, merchant instructions, and lawful exceptions.

Access the personal data WeaveCycle holds about you.
Correct inaccurate or incomplete personal data.
Delete personal data where GDPR grounds apply.
Restrict or object to processing where GDPR grounds apply.
Request portability for data you provided where the right applies.
Withdraw consent for public analytics at any time by clearing the analytics consent choice or contacting WeaveCycle.
Complain to your local EU or EEA data protection authority.

Recipients and subprocessors

WeaveCycle uses infrastructure, auth, analytics, and commerce services to run the product. See the subprocessor page for the current list.

International transfers

The target posture is EU-first: Render Frankfurt, EU Supabase, EU PostHog, and Vercel route execution preferred in Frankfurt where applicable. Some providers, support, CDN delivery, or account administration may involve processing outside the EEA, supported by provider DPAs and Standard Contractual Clauses where needed.