1. Introduction
COD Confirm ("we", "us", "our") is operated by Atharv Enterprises, a business registered in Gurugram, Haryana, India. This Privacy Policy explains how we collect, use, store, and protect your information when you install and use our Shopify app.
By installing COD Confirm, you agree to the practices described in this policy. If you do not agree, please uninstall the app.
2. What Data We Collect
We collect and store the following data to provide our service:
- Shop domain (e.g., your-store.myshopify.com)
- Shop owner email address (provided by Shopify during OAuth)
- Billing plan status (free or premium)
- COD rule configurations (field, operator, value, enabled status)
- Pincode/zipcode blocking lists
- Payment method reorder preferences
- Premium configuration snapshots (saved on plan downgrade for future restore)
- Support ticket content (email, subject, message)
- App event logs (install, uninstall, plan changes)
We do NOT collect the following:
- End-customer personal information (names, emails, addresses)
- Payment card or financial data
- Customer browsing behavior or analytics
- Third-party cookies or tracking pixels
3. How We Use Your Data
- To provide COD payment visibility and pincode blocking rules at your checkout
- To manage your subscription and billing through Shopify
- To respond to your support requests
- To send operational alerts (install/uninstall notifications to our team)
- To save and restore your configuration when you change plans
Legal Basis for Processing
We process merchant data under the following legal bases:
- Contract performance (Article 6(1)(b) GDPR): Processing shop configuration and rules data is necessary to provide the COD Confirm service you subscribed to.
- Legitimate interest (Article 6(1)(f) GDPR): Processing usage analytics and error logs to maintain service reliability and security.
4. Where Your Data Is Stored
| Data Type | Storage Location |
|---|
| Rule & pincode configurations | Shopify metafields (on your PaymentCustomization resource) |
| Account, billing & rule data | PostgreSQL database on Railway (US region, encrypted at rest) |
| Application logs | Logtail / Better Stack (retained 30 days) |
| Operational alerts | Slack (webhook-based, no data persisted) |
5. Third-Party Services
We use the following third-party services to operate COD Confirm:
| Service | Purpose | Data Shared |
|---|
| Shopify | Platform, billing, checkout | Shop domain, scopes, metafields |
| Railway | Database hosting | Shop domain, email, rules, tickets |
| Logtail (Better Stack) | Log aggregation | Shop domain, event types (no PII) |
| Slack | Operational alerts | Shop domain, ticket subjects |
We do NOT sell, rent, or share your data with advertisers, data brokers, or any other third parties not listed above.
6. Data Retention & Deletion
- On uninstall: Your shop record is soft-deleted and preserved for a 48-hour reinstall window. If you reinstall within 48 hours, your data is restored.
- On GDPR shop/redact webhook: ALL data is permanently hard-deleted — shop record, rules, support tickets, app events, and sessions. This action is irreversible.
- Support tickets: Retained until your shop data is deleted.
- Application logs: Auto-purged after 30 days.
7. Your Rights (GDPR / CCPA / DPDPA)
Regardless of your location, you have the following rights:
- Right to access: Request a copy of your data by emailing codbeacon@gmail.com
- Right to deletion: Uninstall the app from your Shopify admin. Shopify will send a shop/redact webhook that permanently deletes all your data.
- Right to portability: Request a data export via email.
- Right to rectification: Update your data through the app dashboard at any time.
- Right to object: Contact us to object to specific data processing activities.
We respond to all data requests within 24 hours on business days, and no later than 30 days as required by applicable law.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. For merchants in India, you may contact the Data Protection Board of India once constituted under the DPDPA 2023.
8. Cookies & Tracking
- We use Shopify session tokens for authentication (no third-party cookies)
- We do NOT use analytics trackers, pixels, or browser fingerprinting
- No data is shared with advertising networks
- Our Shopify Function runs entirely on Shopify's edge infrastructure with zero external network calls
9. Data Security
We implement the following security measures to protect your data:
- All webhooks are validated via HMAC signature verification
- Webhook idempotency prevents duplicate processing of the same event
- Database is encrypted at rest (Railway PostgreSQL)
- All data transmission uses HTTPS/TLS encryption
- OAuth tokens are securely stored and never exposed to the client
- We request only 3 minimal Shopify API scopes required for functionality
10. Children's Privacy
COD Confirm is a business-to-business tool for Shopify store owners. Our service is not directed to individuals under 16 years of age. We do not knowingly collect data from minors.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes become effective upon posting to this page. The "Last updated" date at the top reflects the most recent revision. We encourage you to review this page periodically.
For material changes, we will notify affected merchants via the app dashboard or email.
12. Data Processing Agreement
For merchants who require a formal Data Processing Agreement (DPA) for GDPR or other regulatory compliance, we offer one at /dpa. You may also request a signed copy by emailing codbeacon@gmail.com.
13. Contact Us
If you have any questions about this Privacy Policy or your data, contact us: