
Privacy Policy

Effective May 11, 2026 · Operated by Zoe Capital LLC

Overview

CheckoutGuard Bot Filter ("the App") is a Shopify application that scores abandoned checkouts to identify likely bot-generated traffic, allowing merchants to suppress those email addresses from their email service provider. This policy describes what data the App processes, why, and for how long.

Data we receive from Shopify

When a merchant installs the App, Shopify provides the App with the permissions listed on the install screen: write_customers (for tagging flagged customers) and read_orders (for reading historical purchase signals on the checkout webhook payload). The App receives webhook payloads for the following topics:

What we store

For each abandoned checkout the App processes, we store: the checkout token, customer email address, computed score, list of triggered signals, customer ID (if present), subtotal price, and timestamps. We do not store full names, billing addresses, phone numbers, or payment information.

For address and phone verification (when those external APIs are enabled), we hash the input before sending it to the verification provider and store only the hash, the verification status, and a reason code. Raw addresses and phone numbers are never persisted.

What we do not store

Data retention

Scored checkout records are automatically purged after 60 days. Verification cache rows (address and phone hashes) are retained for 30 days, after which they are eligible for purge on the next access. Merchant plan and session data are retained for the duration of the App installation.

On app uninstall, all session data for the merchant is purged automatically. On the shop/redact webhook (received 48 hours after uninstall), all merchant-associated data, including scored checkouts, plan records, and verification cache entries, is purged.

GDPR rights

For merchants in the EU/EEA/UK and customers of those merchants, the App honors the GDPR webhooks Shopify sends:

Sub-processors

The App is hosted on Railway (United States). Database storage is on Railway-managed Postgres. We do not use third-party analytics or advertising tools. Optional verification features may call Google Maps Address Validation and Twilio Lookup; those calls send only hashed or single-field inputs and the providers' own privacy policies apply.

Security

All traffic to the App is served over HTTPS. Shopify session tokens are stored in Postgres with row-level access constrained to the Shopify-issued shop identifier. Database credentials are never committed to source control.

Children's privacy

The App is intended for use by merchants operating Shopify stores. It does not knowingly process data of children under 13.

Changes to this policy

Material changes to this policy will be reflected by updating the effective date at the top. Merchants will be notified via the App dashboard for changes that affect data handling.

Contact

Questions about this policy or data requests can be sent to support@zoecapital.net.

Zoe Capital LLC