Privacy Policy
This policy describes how the Checkout Guard application (the "App") — a Shopify app that validates shipping addresses and cart limits at checkout — handles personal data. It distinguishes two fundamentally different situations: merchant account data (for which the publisher is the data controller) and customer data evaluated at checkout (for which the merchant is the controller and the publisher acts solely as a processor).
Roles: controller and processor
The App operates in two distinct GDPR roles:
- Merchant account data (the merchant who installs the App and its staff): the publisher Jonathan VARELA is the data controller.
- Customer data processed at checkout (shipping address, cart contents): the merchant is the data controller; the publisher acts as a processor (Art. 28), only on the merchant's instructions and within Shopify's terms.
Data processed and purposes
Merchant account data (publisher as controller)
| Data | Purpose | Legal basis |
|---|---|---|
| Shop domain, Shopify OAuth access token | Authenticate the App to the Shopify API, operate the embedded admin | Contract (Art. 6.1.b) |
| Merchant staff identity (id, name, e-mail, locale) — only for Shopify-provided "online" sessions | Identify the user signed into the embedded admin | Contract (Art. 6.1.b) |
| Rule configurations (shop domain, rule type, message, min/max parameters or pattern) | Provide the service: enforce validation rules at checkout | Contract (Art. 6.1.b) |
| Technical and security logs (transient) | Security, diagnostics, service continuity | Legitimate interest (Art. 6.1.f) |
Rule configurations contain no customer personal data: they are thresholds, patterns and messages defined by the merchant.
Customer data at checkout (merchant as controller, publisher as processor)
At checkout, the App's Validation Function receives, within Shopify's infrastructure, the data needed to enforce the merchant's rules: the shipping address and the cart contents. This data is evaluated in memory to produce a result (allow, or block with a message). It is neither stored, nor logged, nor transmitted to any third party by the App.
No retention of customer data
The App retains no customer personal data. Checkout evaluation is transient and runs inside Shopify's infrastructure. No customer profile, address history or cart contents are persisted by the App.
Recipients and sub-processors
The App uses no third-party API or service other than Shopify. Recipients are:
| Entity | Role | Data |
|---|---|---|
| Shopify (Shopify International Ltd. / Shopify Inc.) | Commerce hosting platform, Validation Function execution, App billing | All (the merchant already operates on Shopify) |
| HOSTINGER, UAB | Hosting of the embedded App and its configuration store | Merchant account data |
App subscription billing is handled by Shopify (Shopify App Pricing). The App never receives, stores or processes any payment data (card number, banking details).
International transfers
Merchant account data is hosted with HOSTINGER, UAB (location: Švitrigailos str. 34, LT-03230 Vilnius, Lithuania). Shopify, as the platform, may process data outside the European Union. These transfers are governed by the European Commission's Standard Contractual Clauses (SCC) (Art. 46), incorporated into Shopify's data processing terms; where a US recipient is certified under the EU–US Data Privacy Framework, that adequacy mechanism may also apply. A copy of the applicable safeguards may be obtained on request at la.forge.des.j@gmail.com (Art. 13.1(f)). Shopify's data processing terms apply in addition to this policy.
Retention periods
| Data | Period |
|---|---|
| OAuth session (access token) | Duration of the installation; deleted on App uninstall |
| Rule configurations | Duration of the installation; deleted on shop/redact (sent by Shopify 48 h after uninstall) |
| Technical and security logs | Transient — not archived beyond operational rotation |
| Customer data at checkout | Not retained (transient evaluation) |
On uninstall, the App deletes the shop's sessions (app/uninstalled webhook). 48 hours after uninstall, Shopify sends the shop/redact webhook: the App then purges the shop's rule configurations and any remaining session.
Data subject rights
For merchant account data, the merchant and its staff have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18) and portability (Art. 20). The right to object (Art. 21) applies to processing based on legitimate interest (the technical and security logs), not to data processed on the contractual basis (Art. 6.1.b). These rights may be exercised by e-mailing la.forge.des.j@gmail.com. The publisher responds within one month (Art. 12.3).
For customer data, the merchant is the controller: customers exercise their rights with the merchant. As a processor, the App assists the merchant (Art. 28.3.e) — in practice it holds no customer data to return or erase.
Anyone may lodge a complaint with their supervisory authority (Art. 77); in France, the CNIL (3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr).
Compliance requests via Shopify
The App responds to Shopify's mandatory compliance webhooks:
- customers/data_request and customers/redact: as the App retains no customer personal data, there is nothing to provide or erase.
- shop/redact: the App purges the relevant shop's rule configurations and sessions.
Data security
The publisher implements proportionate technical and organisational measures: encryption in transit (HTTPS/TLS), token storage via Shopify's session mechanism, access control, and data minimisation (the App requests only the write_validations scope, the minimum needed to register its Validation Function, and stores no customer data).
Cookies and trackers
The embedded App uses only the cookies and tokens strictly necessary for authentication and operation within the Shopify admin (App Bridge, session). It uses no analytics or marketing cookies and relies on no third-party analytics service.
CCPA/CPRA addendum (California residents)
This addendum supplements the policy for California residents and covers the preceding 12 months.
Roles. For customer data evaluated at checkout, the publisher acts as a service provider (§1798.140) on behalf of the merchant, which is the business; requests are exercised with the merchant. For merchant account data, the publisher is itself the business: requests are exercised directly with it at la.forge.des.j@gmail.com.
Categories of personal information processed (§1798.140(v)):
| CCPA category | Data | Purpose |
|---|---|---|
| Identifiers | Shop domain; for "online" sessions, merchant staff name and e-mail | Authenticate the App, operate the embedded admin |
| Internet activity | Technical logs of the embedded App | Security, diagnostics |
| Identifiers (postal address) | Customer shipping address | Checkout validation — not retained |
| Commercial information | Customer cart contents (products considered for purchase) | Checkout validation — not retained |
No other category is processed (no precise Geolocation, Biometric, Sensory or Professional data, nor Inferences). Recipients: Shopify (the platform) and HOSTINGER, UAB (the host) — no other third party.
California consumer rights: know (§1798.100), delete (§1798.105), correct (§1798.106), opt out of sale/sharing (§1798.120). The App does not sell or share personal data and has not sold or shared any in the preceding 12 months. Exercising a right triggers no discrimination (§1798.125).
Changes
The publisher may amend this policy. The last-updated date appears at the top. Installing merchants are notified of material changes.
Contact
For any data protection question: la.forge.des.j@gmail.com — Jonathan VARELA, 62 Rue de Dampierre, 17400 Saint-Jean-d'Angély, France.