Security Policy
Last updated: 27 June 2026
IRONVOLT takes the security and privacy of customer, order, and marketplace data seriously. This Security Policy explains the safeguards we use for our ecommerce operations, Shopify store, TikTok Shop integrations, and any approved post-purchase customer-service messaging tools operated by IRONVOLT.
This public policy summarises our security programme. A more detailed internal Information Security Policy is maintained for operational use, supplier review, and platform-review evidence.
1. Scope
This policy applies to IRONVOLT systems, processes, staff, contractors, and approved service providers that handle customer, order, marketplace, product, delivery, support, or security information. It includes our Shopify store, TikTok Shop Seller operations, the IRONVOLT Post-Purchase Messages connector, cloud hosting, administrative devices, and related operational records.
Payment card processing and checkout payment security are handled by Shopify and approved payment providers. IRONVOLT does not intentionally collect, process, or store full payment card numbers through its post-purchase messaging connector.
2. Data We Protect
Depending on the service used, IRONVOLT may handle the following types of information for legitimate ecommerce, fulfilment, support, compliance, and customer-service purposes:
- Customer and order identifiers, such as order numbers, item details, fulfilment status, and product purchase information.
- Contact and delivery information needed to fulfil orders or provide customer support.
- Customer-service messages and message delivery records.
- Operational logs, audit records, API request metadata, and security events.
- Marketplace app credentials, OAuth tokens, API keys, and configuration values needed to operate approved integrations.
We apply data minimisation: we only collect and retain information needed for the relevant business, fulfilment, support, legal, platform, or security purpose.
3. TikTok Shop Customer Data
Where IRONVOLT uses TikTok Shop data, it is used only for authorised seller operations, such as order support, fulfilment coordination, product-specific post-purchase information, and records needed to demonstrate that customer messages were sent correctly.
For any TikTok Shop post-purchase messaging feature, IRONVOLT will only send messages that are connected to a customer's order and that provide useful product or service information, such as usage instructions, warnings, delivery expectations, care instructions, or frequently asked questions. Automated messaging must be configured to respect TikTok Shop API permissions, rate limits, customer messaging rules, and any applicable platform policies.
We do not use TikTok Shop customer data for unrelated marketing, resale, unauthorised profiling, or sending messages outside the permissions and policies of the relevant platform.
4. Access Control
Access to systems that contain customer, order, marketplace, or security data is restricted to authorised users who need that access for a legitimate business purpose. IRONVOLT applies least-privilege access, strong passwords, multi-factor authentication where available, and role-based access controls on administrative platforms.
Administrative accounts must not be shared. Access should be reviewed when staff, contractors, or service providers change role or no longer require access. Access must be removed promptly when it is no longer needed.
5. Credential and Token Security
API keys, OAuth tokens, app secrets, passwords, and signing secrets are treated as confidential security credentials. They must not be published, committed to source code, pasted into public channels, or shared with unauthorised parties.
Production secrets are stored in approved environment-variable or secret-management tools. If a credential is suspected to be exposed or misused, it must be rotated promptly and the incident-response process must be followed.
6. Secure Development and Change Control
Changes to customer-facing integrations, API scopes, message templates, hosting, storage, authentication, redirects, and automation rules must be reviewed before live use. Security-relevant changes should be tested before deployment, and production changes must be consistent with platform permissions and documented operating procedures.
For post-purchase messaging, IRONVOLT reviews the selected product trigger, message content, customer-service purpose, and sending rules before enabling automation.
7. Cloud Hosting and Supplier Management
IRONVOLT uses reputable third-party platforms for ecommerce operations, hosting, fulfilment, payment processing, analytics, and customer support. Suppliers that may process customer or operational data are reviewed for their role, data categories, access controls, retention practices, and security responsibilities.
Where a provider is responsible for platform infrastructure, IRONVOLT remains responsible for secure configuration, appropriate access control, data minimisation, and responsible use of the provider's services.
8. Logging, Monitoring, and Audit Records
IRONVOLT maintains operational records where needed to support reliability, troubleshooting, compliance, and security review. For automated post-purchase messages, records may include order identifiers, product trigger information, message template version, sending status, timestamps, and error details.
Logs are used for legitimate operational and security purposes. They should not contain unnecessary sensitive information and should be retained only for as long as needed for the relevant business, legal, platform, or security purpose.
9. Retention and Deletion
Customer, order, support, and security data is retained only for as long as necessary for fulfilment, customer support, legal obligations, accounting, dispute handling, platform compliance, security monitoring, and legitimate business records. When data is no longer required, it should be deleted, anonymised, or archived in line with the applicable system capabilities and legal requirements.
Where a customer or platform makes a valid deletion, access, or correction request, IRONVOLT will review and respond in line with applicable law and platform rules.
10. Incident Response
An information security incident is any suspected or confirmed event that could compromise the confidentiality, integrity, availability, or authorised use of customer data, marketplace data, credentials, customer messages, or related systems.
When an incident is suspected, IRONVOLT will investigate, contain the issue, preserve relevant evidence, rotate affected credentials where needed, assess the impact, and notify affected parties, platforms, regulators, or providers where required by law, contract, or platform policy.
11. Business Continuity
IRONVOLT aims to keep customer-service, order-support, and ecommerce operations available and reliable. If an automated integration fails, IRONVOLT may pause automation, use manual customer-service workflows, restore service from verified configuration, and review the issue before re-enabling live automation.
12. Security Responsibilities
Everyone who handles IRONVOLT systems or data must use reasonable security practices, including protecting devices, using approved accounts, keeping credentials confidential, reporting suspected issues quickly, and following platform rules. Security controls and policy requirements may be updated as our business, integrations, suppliers, and legal obligations change.
13. Contact
For questions about this Security Policy or the handling of IRONVOLT customer data, please contact IRONVOLT through the Contact page on this website.