1 Introduction
Codify ("we," "us," "our," or "the App") is a Shopify application that helps merchants
create and manage Cash on Delivery (COD) order forms, protect against fraud, track
conversions, and boost sales. This Privacy Policy explains how we collect, use, store,
and protect personal data in compliance with applicable privacy laws, including the
General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA),
the Colorado Privacy Act, Virginia's Consumer Data Protection Act (VCDPA), and other
applicable regulations.
This policy applies to merchants who install and use Codify, as well as their customers
whose data may be processed through the App.
2 Information We Collect
2.1 Information Collected Through Shopify's APIs
When merchants install our App, we access the following data through Shopify's APIs:
- Store Information: Store name, domain, currency, timezone, and plan details — used to configure app functionality
- Product Data: Product titles, IDs, prices, and images — used for form display, pixel tracking, and upsell features
- Order Data: Order IDs, status, and line items — used for the COD dashboard, analytics, and delivery provider integration
2.2 Information Collected Directly from Merchants
- Account Information: Shopify store domain and authentication credentials (managed via Shopify OAuth)
- App Configuration: Form designs, fraud protection rules, delivery settings, pixel IDs, and Google Sheets integration preferences
- Billing Information: Managed entirely through Shopify's Billing API — we do not store payment card details
2.3 Information Collected from Merchants' Customers
When a customer submits a COD order form, the following data is collected:
| Data Type | Purpose | Stored By Us? |
| --- | --- | --- |
| Full Name | Order identification and fulfillment | No — passed to Shopify |
| Phone Number | Delivery coordination and order confirmation | No — passed to Shopify |
| Email Address (optional) | Order confirmation | No — passed to Shopify |
| Shipping Address | Order fulfillment and delivery | No — passed to Shopify |
| IP Address | Fraud prevention and duplicate order detection | Stored in Shopify order notes |
| Browser User Agent | Technical troubleshooting | Stored in Shopify order notes |
Important: We do NOT use cookies or tracking pixels
of our own on merchants' storefronts. We do NOT drop any cookies on
customers' devices. Pixel tracking (Meta, TikTok, Google) is configured and controlled
entirely by the merchant.
3 How We Use Information
We use collected information only for the following purposes:
- Order Processing: Customer data is passed to Shopify's API to create draft orders, which are then converted to final orders in the merchant's store
- Fraud Prevention: IP addresses, phone numbers, and email addresses are checked against merchant-configured blocklists to prevent fraudulent or duplicate orders
- Google Sheets Export: If explicitly enabled by the merchant, order data is exported to the merchant's personal Google Sheets account for their internal order management
- Delivery Integration: If configured by the merchant, order and shipping data is sent to the merchant's chosen delivery provider
- Analytics & Dashboard: Aggregate order statistics (total orders, confirmation rates) are displayed to merchants in the app dashboard
- Ad Pixel Events: If configured by the merchant, conversion events (ViewContent, AddToCart, Purchase) are fired on the storefront to the merchant's ad platforms
We do NOT use personal data for any purpose beyond providing our App's
services. We do NOT sell, rent, license, or share personal data for
advertising, marketing, or any other commercial purpose.
4 Data Storage & Security
4.1 What We Store
Codify does NOT store customer personal information (name, email,
phone, or address) in our own database. All customer data is immediately passed to
Shopify and stored securely in the merchant's Shopify store as order records.
Our application database stores only:
- App configuration data (form designs, display settings, button styles)
- Fraud protection rules (blocked IPs, phone numbers, and email addresses — stored as one-way cryptographic hashes, not in plaintext)
- Merchant session tokens (encrypted, managed via Shopify's App Bridge)
- Google Sheets integration settings (OAuth tokens, spreadsheet IDs)
- Subscription and billing records (managed via Shopify Billing API)
4.2 Security Measures
- Encryption in Transit: All data transmission uses HTTPS/TLS encryption
- Encryption at Rest: Database connections use encrypted protocols; sensitive tokens are stored with encryption at rest
- Secure Infrastructure: Application hosted on Fly.io with isolated containers and encrypted networking
- Database Security: PostgreSQL database with role-based access control and encrypted connections
- Authentication: Shopify OAuth 2.0 and App Bridge session tokens — no merchant passwords stored
- Third-Party Auth: Google OAuth 2.0 for Sheets integration — no Google passwords stored
- Access Control: Staff access to production data is limited and logged
- Encrypted Backups: Database backups are encrypted to protect personal data even in backup storage
- Data Loss Prevention: Technical controls and policies are in place to prevent unauthorized data extraction or exfiltration
- Environment Separation: Test and production environments are strictly separated — no production customer data is used in development
- Incident Response: We maintain a security incident response policy with defined procedures for detecting, investigating, and responding to potential data breaches, including notifying affected merchants within 72 hours
- Dependency Management: Regular security updates and dependency patching
5 Data Retention
We apply retention periods to ensure personal data is not kept longer than necessary:
- Customer Personal Data: Not stored in our database. Retained in Shopify orders according to the merchant's own data retention settings
- App Configuration Data: Retained while the app is installed and actively used by the merchant
- Fraud Protection Data: Blocked IPs, phones, and emails are retained while the app is installed; deleted upon uninstall
- Session & Auth Tokens: Automatically rotated and expired per Shopify's security policies
- Upon App Uninstall: All merchant-related data (configuration, fraud rules, integration settings) is automatically deleted within 48 hours via our GDPR-compliant shop/redact webhook handler
6 Data Sharing & Third Parties
We do NOT sell, rent, or share customer data with any third parties for
marketing, advertising, or any purpose beyond providing our App's services.
We share data only with the following parties for operational purposes:
| Third Party | Data Shared | Purpose |
| --- | --- | --- |
| Shopify | Customer name, phone, email, address, order details | Creating orders in the merchant's store (core app functionality) |
| Google (Sheets) | Order data (if merchant enables integration) | Exporting to the merchant's personal Google Sheets |
| Delivery Providers | Order and shipping details (if merchant configures) | Fulfillment via merchant's chosen delivery service |
| Fly.io | Application data (hosting) | Infrastructure — encrypted in transit and at rest |
7 GDPR Compliance & Mandatory Webhooks
Our app implements all of Shopify's mandatory GDPR compliance webhooks to ensure full
compliance with data protection regulations:
- customers/data_request: When a customer requests access to their personal data, we respond with all data we hold (if any) associated with that customer
- customers/redact: When a customer requests deletion of their personal data, we remove any associated records from our fraud protection systems
- shop/redact: Within 48 hours after a merchant uninstalls the app, all merchant and associated data is automatically and permanently deleted from our systems
All webhooks are verified using Shopify's HMAC signature verification to prevent unauthorized requests.
Invalid requests receive a 401 Unauthorized HTTP response.
8 Your Rights as an Individual
Depending on your jurisdiction (EEA, UK, California, Virginia, Colorado, etc.),
you may have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we process about you
- Right to Deletion: Request erasure of your personal data ("right to be forgotten")
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Portability: Request your data in a structured, machine-readable format
- Right to Object: Object to processing of your data for certain purposes
- Right to Restriction: Request restriction of processing in certain situations
- Right to Opt-Out: Opt out of any data sharing or "sale" of data (note: we do not sell data)
How to Exercise Your Rights
Since customer data is stored in Shopify orders (not in our database), please contact
the merchant from whom you made the purchase to exercise your data rights. Alternatively,
you can email us at contact@codifyapp.net
and we will coordinate with the relevant merchant. We aim to respond to all requests within 30 days.
9 Legal Basis for Processing (GDPR)
We process personal data under the following legal bases:
- Contractual Necessity: Processing is necessary to fulfill orders placed through our App (Article 6(1)(b) GDPR)
- Legitimate Interests: Fraud prevention and security measures to protect merchants and their customers (Article 6(1)(f) GDPR)
- Consent: Optional features like Google Sheets export and pixel tracking are only activated when explicitly enabled by the merchant
- Legal Obligation: Compliance with applicable laws and regulations (Article 6(1)(c) GDPR)
10 Automated Decision-Making
Our App uses automated processing for fraud detection: orders from blocked IP addresses,
phone numbers, or email addresses may be automatically rejected based on rules configured
by the merchant. These decisions do not have legal or similarly significant effects on
individuals — they only affect whether a specific COD order can be placed.
Merchants have full control over fraud protection rules and can add or remove entries
from blocklists at any time. Customers can contact the merchant to resolve any issues
with blocked orders.
11 International Data Transfers
Your data may be transferred to and processed in countries outside your country of
residence, including countries where our infrastructure providers operate. We ensure
that all international data transfers comply with applicable data protection laws through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions (where applicable)
- Encryption in transit (HTTPS/TLS) and at rest
- Contractual obligations with infrastructure providers
12 Cookies & Tracking Technologies
Codify does NOT use cookies on merchants' storefronts. We do not drop
any first-party or third-party cookies on customers' browsers.
IP addresses are collected via standard HTTP headers for fraud prevention only and are
stored in Shopify order metadata (order notes). They are not used for tracking, profiling,
or advertising purposes.
Merchant-configured ad pixels (Meta, TikTok, Google) are controlled entirely by the
merchant and fire client-side events on the storefront. We provide the technical
mechanism; the merchant is the data controller for any data collected by these pixels.
13 Children's Privacy
Codify is a business-to-business application designed for Shopify merchants. Our App
is not intended for use by individuals under the age of 16. We do not knowingly collect
personal information from children. If you believe we have inadvertently collected data
from a child, please contact us immediately and we will take steps to delete it.
14 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our
practices, technology, legal requirements, or other factors. The "Last Updated" date
at the top of this page indicates when the policy was most recently revised.
For material changes, we will notify merchants via the app dashboard or email.
Continued use of the App after such changes constitutes acceptance of the updated policy.
15 Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our
data practices, please contact us: