Data Protection & Security
It's your money and your customers' data. Here's exactly how ShipOps handles both, and how requests to access or erase data are fulfilled.
Our data-protection principles
- Collect the minimum. We store only what's needed to run COD delivery operations, and we keep a PII-minimized copy of Shopify order data (city only, no street address on that record).
- Read-only where possible. Courier tracking data is accessed read-only using your own token; we write back to Shopify only what you explicitly enable.
- No selling, no profiling. We never sell personal data and never use it for advertising or profiling.
- Delete on request. Erasure requests are honored promptly and completely, including the raw courier payloads that contain personal data.
Protected Customer Data
To run a COD delivery, ShipOps processes the customer's name, phone number, and shipping address. These are classed as Protected Customer Data under Shopify's requirements. We access them only to identify and act on parcels — showing the action inbox, enabling operator-initiated WhatsApp and calls, and matching payout receipts to orders. We do not collect customer email addresses, and we do not transmit customer PII to the courier (the courier already holds it as the delivering carrier).
Security measures
- Encryption in transit: all traffic is served over TLS.
- Encryption at rest: courier API tokens are encrypted with AES-256-GCM.
- Embedded in Shopify: the app runs inside the Shopify admin using Shopify's session and authentication.
- Access control: access to production data is limited to authorized operators.
- Tenant isolation: each store's data is scoped to that store; uninstalling immediately stops background syncing.
Mandatory data-request webhooks
ShipOps implements the three Shopify compliance webhooks:
customers/data_request— we compile the data we hold about a customer and make it available to the store owner within 30 days.customers/redact— we erase that customer's name, phone, and address, plus the raw courier payload containing them.shop/redact— sent by Shopify about 48 hours after uninstall; on receipt we permanently delete all data we hold for that store.
Sub-processors
- Shopify — the platform ShipOps is embedded in and the source of order data.
- Your courier partner (e.g. PostEx) — tracking data and delivery instructions, called with your token.
- Hosting / database provider in [region] — where data is stored.
- WhatsApp / Meta — only when your staff initiate a click-to-chat message from your own account.
Making a data request
Customers should direct access or deletion requests to the merchant (the data controller). Merchants can trigger deletion automatically by removing a customer in Shopify (which fires customers/redact), or email us at support@shipops.app to request assistance at any time.
Contact
Security or data-protection questions: support@shipops.app. For full detail on what we collect and why, see the Privacy Policy.