Privacy Policy
Last updated: December 1, 2025
Duplicate Guard ("we", "us", or "our") provides a duplicate order detection service for Shopify merchants. This Privacy Policy describes how we collect, use, and handle your personal information and your customers' data when you use our app. We are committed to protecting the privacy and security of your data in compliance with GDPR, CCPA, and Shopify's Protected Customer Data requirements.
1. Information We Collect
We process only the minimum personal data required to provide duplicate order detection services. When you install Duplicate Guard, we collect:
- Shop Information: Shop domain, email, and plan details
- Protected Customer Data:
  - Customer email addresses
  - Customer names (first name and last name)
  - Customer phone numbers
  - Billing addresses (address line 1, address line 2, city, province, country, zip code)
  - Shipping addresses (address line 1, address line 2, city, province, country, zip code)
- Order Information: Order number, total price, currency, and creation date
Legal Basis: We process this data under our legitimate interest in providing duplicate order detection and fraud prevention services to merchants, and as permitted by the Shopify API License and Terms of Use.
2. How We Use Your Information
We use customer personal data solely for duplicate order detection. Specifically:
- Duplicate Detection: To identify potential duplicate orders by matching customer identifiers (email, phone, shipping address) across orders
- Fraud Prevention: To help merchants prevent accidental duplicate shipments and reduce fraudulent orders
- Merchant Alerts: To provide merchants with alerts when duplicate orders are detected
Purpose Limitation: We do NOT use customer data for:
- Marketing or advertising
- Profiling or analytics beyond duplicate detection
- Selling to third parties
- Any purpose other than duplicate order detection
Automated Decision-Making: Our duplicate detection only flags orders for merchant review; it does not produce decisions with legal or similarly significant effects on customers. Merchants make all final decisions about handling flagged orders.
3. Data Retention
We apply specific retention periods to ensure personal data is not kept longer than necessary:
- Active Merchants: Data is retained while the app is installed and active
- After App Uninstall: Shopify sends the shop/redact webhook 48 hours after the app is uninstalled; on receipt we delete all data held for that shop
- Individual Customer Requests: Data is anonymized immediately upon receiving a customers/redact webhook
- Resolved Duplicates: Order data for resolved duplicates is retained for audit purposes while the app is installed; it is deleted on request or when the shop is redacted
4. Data Sharing and Third Parties
No Data Sale: We do not sell, rent, or share your personal data or your customers' data with third parties for marketing purposes.
Service Providers: We may share data with trusted third-party service providers (e.g., hosting providers, database providers) solely for the purpose of operating our app. These providers are bound by data processing agreements and confidentiality obligations.
Customer Opt-Out: A customer who does not want us to process their data can ask their merchant to uninstall our app, which leads to deletion of the shop's data as described in Section 3, or can contact us directly to request erasure.
5. Security Measures
5.1 Encryption
- In Transit: All API communications, webhook payloads, and OAuth flows use HTTPS/TLS 1.2+ encryption
- At Rest: PostgreSQL database encryption, encrypted storage volumes
- Backups: Encrypted with AES-256 and stored on encrypted storage
5.2 Access Controls
- Role-based access control (RBAC)
- Principle of least privilege
- Staff access limited to authorized personnel only
- Multi-factor authentication (MFA) for admin accounts
- Regular access reviews and audits
5.3 Environment Separation
- Separate databases for development, staging, and production
- No production data used in test environments
- Different environment variables and secrets per environment
5.4 Data Loss Prevention
- Database firewall rules
- Network security controls and intrusion detection
- Database access logs with 90-day retention
- Application logs for suspicious activity
- Monthly log reviews for unusual access patterns
5.5 Staff Access Requirements
- Minimum 12-character passwords
- Mixed character requirements (uppercase, lowercase, numbers, special characters)
- 90-day password rotation
- Password history (last 5 passwords)
- MFA required for admin accounts
5.6 Access Logging
- All database queries logged with timestamp, user, and IP address
- API request logging
- Webhook processing logs
- Audit trail for all data modifications (audit_logs table)
- Monthly log reviews for suspicious activity
5.7 Security Incident Response Policy
We have a documented Security Incident Response Policy that includes:
- Incident Severity Levels: Critical, High, Medium, Low
- Response Procedures: Immediate containment, investigation, evidence collection, notification procedures, remediation, and post-incident review
- Compliance: GDPR breach notification (to the supervisory authority within 72 hours of becoming aware of a breach) and CCPA notification requirements
- Testing: Regular incident response drills and annual policy reviews
6. Customer Rights and GDPR Compliance
6.1 Customer Rights
Under GDPR and other privacy regulations, customers have the following rights:
- Right to Access: Request access to personal data we hold
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of personal data ("right to be forgotten")
- Right to Data Portability: Request data in portable format
- Right to Restriction: Request restriction of processing
- Right to Object: Object to processing
6.2 GDPR Webhook Implementation
We have implemented the following GDPR compliance webhooks:
- customers/data_request: Within 30 days of receiving this webhook we provide the merchant with all order data we hold for the named customer, so the merchant can fulfil the customer's access request
- customers/redact: We anonymize the named customer's personal data in our records immediately on receipt
- shop/redact: Shopify sends this webhook 48 hours after the app is uninstalled; on receipt we delete all data held for that shop
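The following is an added example of how an app can process these three topics, not Duplicate Guard's own code. The security-relevant point is the first step: Shopify signs every webhook with the app's client secret (header X-Shopify-Hmac-Sha256, a base64 HMAC-SHA256 over the raw request body), and a redact endpoint that skips that check lets anyone who can reach it erase a merchant's data. The in-memory store, the field names, the client secret and the sample payloads are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Mandatory compliance topics Shopify sends to every public app.
COMPLIANCE_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}
REDACTED = "[redacted]"
PII_FIELDS = ("email", "first_name", "last_name", "phone",
              "billing_address", "shipping_address")


def shopify_signature(raw_body: bytes, client_secret: str) -> str:
    """Value Shopify puts in X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(secret, raw body))."""
    digest = hmac.new(client_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_shopify_hmac(raw_body: bytes, header_value, client_secret: str) -> bool:
    """Constant-time check over the raw request bytes (re-serialised JSON would break
    the MAC on whitespace or key order). Missing or malformed header -> reject."""
    if not header_value:
        return False
    expected = shopify_signature(raw_body, client_secret).encode("ascii")
    return hmac.compare_digest(expected, str(header_value).encode("utf-8"))


class OrderStore:
    """In-memory stand-in for the app's order table (assumption: one dict per order)."""

    def __init__(self):
        self.rows = {}  # shop_domain -> list of order dicts

    def add(self, shop_domain, **order):
        self.rows.setdefault(shop_domain, []).append(order)

    def orders(self, shop_domain):
        return self.rows.get(shop_domain, [])


def handle_data_request(store, payload):
    """Rows to hand to the merchant, who forwards them to the customer."""
    cust_id = payload["customer"]["id"]
    wanted = set(payload.get("orders_requested", []))
    return [o for o in store.orders(payload["shop_domain"])
            if o["customer_id"] == cust_id or o["order_id"] in wanted]


def handle_customer_redact(store, payload):
    """Anonymise in place so order ids survive for the audit trail. Idempotent,
    because Shopify may deliver the same webhook more than once."""
    cust_id = payload["customer"]["id"]
    targets = set(payload.get("orders_to_redact", []))
    changed = 0
    for o in store.orders(payload["shop_domain"]):
        if (o["customer_id"] == cust_id or o["order_id"] in targets) and o["email"] != REDACTED:
            for f in PII_FIELDS:
                o[f] = REDACTED
            changed += 1
    return changed


def handle_shop_redact(store, payload):
    """Drop every row for the shop. Shopify sends this 48 hours after uninstall."""
    return len(store.rows.pop(payload["shop_domain"], []))


def handle_webhook(store, headers, raw_body, client_secret):
    """Called by the web framework with raw body and headers. Returns (http_status, result);
    Shopify requires a 401 when the HMAC does not verify."""
    if not verify_shopify_hmac(raw_body, headers.get("X-Shopify-Hmac-Sha256"), client_secret):
        return 401, None
    topic = headers.get("X-Shopify-Topic")
    if topic not in COMPLIANCE_TOPICS:
        return 200, None  # other topics (e.g. orders/create) are routed elsewhere
    payload = json.loads(raw_body)
    if topic == "customers/data_request":
        return 200, handle_data_request(store, payload)
    if topic == "customers/redact":
        return 200, handle_customer_redact(store, payload)
    return 200, handle_shop_redact(store, payload)


def demo():
    """Constructed scenario: three orders in one shop, a forged shop/redact, then the three real topics."""
    secret = "shpss_example_secret"  # assumption: the app's client secret
    shop = "example-store.myshopify.com"
    store = OrderStore()
    pii = dict(first_name="Jane", last_name="Doe", phone="+15556251199",
               billing_address="1 Main St, Austin, TX 78701", shipping_address="1 Main St, Austin, TX 78701")
    store.add(shop, order_id=299938, customer_id=191167, email="jane@example.com", total_price="49.00", **pii)
    store.add(shop, order_id=299939, customer_id=191167, email="jane@example.com", total_price="49.00", **pii)
    store.add(shop, order_id=300100, customer_id=555, email="bob@example.com", total_price="12.00",
              **dict(pii, first_name="Bob", last_name="Ray"))
    customer = {"id": 191167, "email": "jane@example.com", "phone": "+15556251199"}

    def send(topic, payload, secret_used=secret):
        body = json.dumps(payload).encode("utf-8")
        headers = {"X-Shopify-Topic": topic, "X-Shopify-Hmac-Sha256": shopify_signature(body, secret_used)}
        return handle_webhook(store, headers, body, secret)

    forged = send("shop/redact", {"shop_id": 954889, "shop_domain": shop}, secret_used="attacker")
    found = send("customers/data_request", {"shop_id": 954889, "shop_domain": shop, "customer": customer,
                                            "orders_requested": [299938], "data_request": {"id": 1}})
    redact = {"shop_id": 954889, "shop_domain": shop, "customer": customer, "orders_to_redact": [299938, 299939]}
    redacted = send("customers/redact", redact)
    again = send("customers/redact", redact)  # second delivery changes nothing
    wiped = send("shop/redact", {"shop_id": 954889, "shop_domain": shop})
    return (forged[0], len(found[1]), redacted[1], again[1], wiped[1], len(store.orders(shop)))
```

The forged request is rejected with 401 before any payload is parsed, so the store is untouched; the genuine requests then return the customer's two orders, anonymise two rows, anonymise nothing on redelivery, and finally remove all three rows for the shop.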
6.3 How to Exercise Rights
Customers can exercise their rights by:
- Requesting data access or deletion through their merchant
- Merchants can uninstall the app to trigger automatic data deletion
- Contacting us directly at [email protected] for data requests
7. Consent and Opt-Out
- Merchant Consent: Merchants provide consent by installing our app
- No Automated Decision-Making: Our app does not make automated decisions with legal or similarly significant effects on customers; flagged orders are reviewed by the merchant
- Customer Opt-Out: Customers can opt out by asking their merchant to uninstall the app, or by contacting us directly to request erasure
- Sale of Personal Information: Not applicable; we do not sell customer data, so no "Do Not Sell" opt-out is needed
- Legitimate Interest: Fraud prevention and duplicate order detection
8. Data Protection Agreements
Our data protection framework includes:
- Terms of Service with data processing clauses
- Privacy Policy (this document)
- Compliance with Shopify Partner Program Agreement
- Compliance with Shopify API License and Terms of Use
- Merchant Data Processing Agreement (MDPA)
- Compliance with GDPR, CCPA, and applicable privacy regulations
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.
10. Contact Us
If you have any questions about this Privacy Policy, data protection, or wish to exercise your privacy rights, please contact us at:
Email: [email protected]
For privacy-specific inquiries, please include "Privacy Request" in your subject line.