Privacy Policy
Last updated: 19 June 2026
This policy covers the Beard Capital Audit app, which connects to your Shopify store and your Meta (Facebook) advertising account. Plain English, because you should know exactly what we touch.
What we do
Beard Capital Audit produces an audit of how your business is performing — sales, retention, inventory, products, and marketing. To do that, we read data from the accounts you connect: your Shopify store through Shopify's Admin API, and your Meta ad account through the Meta Graph API.
What we read
With your permission, and read-only:
- Shopify — orders and reports, customers, products and inventory, price rules and marketing events, analytics.
- Meta (Facebook) — your ad accounts and their advertising performance (the ads_read and business_management permissions). We do not post, manage campaigns, or read personal profile content beyond your basic account identity.
We only ever read. We never write to, change, or delete anything in your store or your ad account.
What we store
Almost nothing.
We do not store your customers' data or your ad audience data. The audit reads your data live at the moment it runs, calculates the result, and keeps nothing customer-level or person-level afterwards.
The one thing we keep is a single access token per connected account, so the app can reconnect to run an audit. Every token is encrypted with AES-256-GCM before it is saved. Tokens are never stored in plain text and never sent to your browser.
How we protect it
- Everything moves over an encrypted HTTPS connection.
- Access tokens are encrypted at rest with 256-bit encryption.
- Tokens stay on the server. They never reach the browser or any third party.
Deleting your data
You are in control of the connection at all times.
- Disconnect any time — use the disconnect button in the app. We revoke the token and delete the stored connection immediately.
- Shopify uninstall — when you remove the app, Shopify tells us and we delete your store's connection and its encrypted token. Around 48 hours later Shopify sends a second deletion signal and we delete again to be sure.
- Meta removal & data-deletion requests — if you remove the app from your Facebook settings, Meta sends us a signed data-deletion request. We verify it, delete the Meta connection and its encrypted token for that account, and return a confirmation code. Because we hold only an encrypted token, deletion is complete the moment that row is removed.
Your data rights
Because we do not store customer or person-level data, there is nothing of that kind for us to return or erase. We still honour the data-request and redaction signals from both platforms:
- Customer data request (Shopify) — we confirm we hold no stored customer data.
- Customer redaction (Shopify) — nothing to erase.
- Shop redaction (Shopify) — we delete your store's connection and encrypted token.
- Data deletion (Meta) — we delete your Meta connection and encrypted token.
Who we use
We run on Cloudflare (hosting), Supabase (database, which holds only the encrypted tokens), and Resend (email). We do not sell or share your data with anyone, and we do not use it for advertising.
Contact
Questions about this policy or your data, including any deletion request: [email protected].