Privacy Policy
Last Updated: June 23, 2026
Introduction
This Privacy Policy ("Policy") describes how Change My Order ("App," "we," "us," or "our") collects, uses, and protects
information when you use our Shopify app to manage customer order change requests.
We are committed to protecting your privacy and complying with applicable data protection laws, including the
General Data Protection Regulation (GDPR) and similar regulations worldwide.
What Information We Collect
The App collects and processes the following types of information:
1. Shop Information
- Shop domain and name (from Shopify)
- Store contact email address
- Store logo URL (optional, provided by merchant)
- Custom branding preferences (colors, footer text)
2. Customer Information
When customers submit order change requests, we collect:
- Customer email address
- Customer name
- Shipping address (if requesting address change)
- Phone number (if provided, optional)
- Order number and order details from Shopify
- Product/variant information (current and requested)
- Customer notes explaining the change request
3. Request Data
- Type of change request (address, variant, product, cancellation, contact update)
- Original and requested data snapshots (stored as JSON)
- Request status and merchant approval/rejection notes
- Audit logs of all actions taken on requests
- Estimated price adjustments (refunds or additional charges)
4. Communication Data
- Email templates stored by the merchant
- Email queue records for customer and merchant notifications
- Delivery status and timestamps
5. Technical Data
- Webhook delivery logs (topics, timestamps, payloads)
- API interaction logs for debugging
- IP addresses (for rate limiting abuse prevention)
How We Use This Information
We use collected information for the following purposes:
1. Core Functionality
- Processing customer order change requests
- Communicating with customers about their requests
- Providing merchants with administrative tools to review and approve/reject requests
- Executing approved changes via Shopify Admin API
2. Email Delivery
- Notifying merchants of new change requests
- Sending customers confirmation and status updates
- Using merchant-customized email templates
3. Security and Compliance
- Rate limiting to prevent abuse
- Logging for audit and troubleshooting
- Responding to GDPR data requests and deletion requests
4. Improvements
- Analyzing aggregated, anonymized usage patterns to improve the App
- Monitoring for errors or issues
Data Storage and Retention
Where Data Is Stored
All data is stored in a SQLite database managed on secure infrastructure provided by Fly.io.
Data is encrypted at rest and in transit via HTTPS.
How Long We Keep Data
-
Order Change Requests: Retained indefinitely unless deleted via GDPR redaction or shop uninstall.
Merchants can manually delete records if needed.
-
Email Queue: Deleted after successful delivery or 30 days, whichever is sooner.
-
Webhook Logs: Retained for 90 days for debugging purposes.
-
Sessions: Deleted immediately when the app is uninstalled.
-
Shop Data (Settings, Templates, Logs): Deleted 48 hours after app uninstall via Shopify's shop/redact webhook.
GDPR and Data Protection
Your Rights
Under GDPR and similar regulations, you have the right to:
- Access: Request a copy of personal data we hold about you
- Correction: Ask us to correct inaccurate data
- Deletion: Request deletion of your personal data (right to be forgotten)
- Portability: Request your data in a portable format
- Withdrawal of Consent: Opt-out of email communications
How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@changemyorder.app.
We will respond to your request within 30 days.
Shopify may also forward data deletion requests directly to us via the GDPR webhooks. We automatically
process these requests to delete customer and shop data as instructed.
Data Retention After Request Denial or Cancellation
If a customer's change request is rejected or cancelled, we retain the request record for:
- Audit and compliance purposes
- Dispute resolution
- Service improvement analysis
Customers can request this data be deleted via the GDPR data deletion process.
Third-Party Services
The App integrates with the following third-party services:
-
Shopify: Order data, customer information, and product details are fetched from your Shopify store.
See Shopify's Privacy Policy.
-
Email Service (SMTP): Emails are sent via the SMTP server configured by the merchant
(e.g., Gmail, SendGrid). The merchant is responsible for configuring their email provider.
-
Fly.io: Infrastructure and database hosting. See Fly.io's Privacy Policy.
Security Measures
We implement the following security measures to protect your data:
- HTTPS/TLS encryption for all data in transit
- Database encryption at rest
- IP-based rate limiting to prevent abuse and brute force attacks
- Secure webhook authentication via HMAC-SHA256
- Access logs and audit trails for all data operations
- Regular security reviews and monitoring
Merchant Responsibilities
Merchants using the App are responsible for:
- Configuring SMTP credentials securely (never sharing credentials)
- Complying with GDPR and local data protection laws when using this App
- Obtaining customer consent to process order changes as needed
- Maintaining the accuracy of customer data
- Monitoring the audit logs for suspicious activity
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify merchants of material changes
by updating the "Last Updated" date and providing notice via the App dashboard.
Your continued use of the App after changes constitutes your acceptance of the updated Policy.
Contact Us
Compliance with Shopify Policies
This App complies with Shopify's App Store requirements
including GDPR and data protection obligations. The App includes webhooks for:
customers/data_request — Responds with customer data held
customers/redact — Deletes customer PII on request
shop/redact — Deletes all shop data 48 hours after uninstall
© 2026 Change My Order. All rights reserved.