Privacy Policy
Last updated: April 2026
ShipSmart is a Shopify app that calculates shipping rates at checkout. This policy explains what data we access, what we store and how we handle it. It is designed to meet our obligations under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as Shopify's privacy and data protection requirements.
What data we access
When a customer reaches checkout, Shopify sends us a carrier callback request containing the destination address (country, province, city and postal code) and the cart items (product names, SKUs, weights, prices and quantities). We use this data to evaluate your shipping rules and return the correct rates.
We also access your Shopify product catalog (titles, vendors, product types, tags and SKUs) so that shipping rules can target specific products.
What we store
- Merchant session data — when a Shopify staff member opens the embedded ShipSmart app, Shopify provides their name and email as part of the active session. We retain this only for the duration of the active session and clear it when you uninstall the app.
- Product metadata — product titles, vendors, types, tags and SKUs from your catalog. Used for matching products to shipping rules.
- Aggregated analytics — for each shipping rate request we record the destination postal code, cart total value and the rate we returned. This powers the analytics dashboard.
- Your configuration — shipping rules, postcode zones, product groups and settings you create in the app.
What we don't store
We do not store:
- Customer names or email addresses
- Full street addresses
- Payment or billing information
- Order details or order history
- Individual cart item details from checkout requests
Carrier callback data (customer addresses and cart contents) is processed in real time for rate calculation and then discarded. Only the destination postal code and calculated rate are kept for analytics.
Your rights
Customers: ShipSmart does not store any customer-identifiable data — no names, emails, addresses or order history. If a customer requests their data via a merchant or via Shopify's privacy compliance system, our response confirms that we hold no customer data.
Merchants: You can request a copy of your stored configuration (shipping rules, postcode zones, product groups, analytics) at any time by emailing support@shipsmartapp.com.
You can request deletion of all your data by uninstalling the app — Shopify's shop/redact webhook triggers an automatic and permanent purge of all your data within 48 hours of uninstall.
Third-party services
ShipSmart is hosted on Vercel. Our database is hosted on Supabase. We do not sell, share or provide your data to any third party for marketing or any other purpose.
Security
All data is transmitted over HTTPS with TLS encryption. Database access is restricted to authenticated application servers. We use Shopify's HMAC verification on all webhook deliveries to ensure authenticity, and Shopify's session token system for in-app authentication. We do not use cookies, web beacons or tracking pixels.
Data retention and deletion
All your data — shipping rules, postcode zones, product groups, analytics records and synced product data — is automatically and permanently deleted when you uninstall ShipSmart from your Shopify store. The deletion is triggered by Shopify's shop/redact webhook, which Shopify dispatches 48 hours after uninstall.
Compliance webhooks
ShipSmart is subscribed to Shopify's mandatory privacy compliance webhooks:
- customers/data_request — when a merchant forwards a customer data request via Shopify, we acknowledge receipt. Because we do not store customer-identifiable data, our response confirms no data is held.
- customers/redact — when Shopify instructs us to delete a customer's data, we confirm there is no customer data to delete.
- shop/redact — when Shopify instructs us to delete a shop's data 48 hours after uninstall, we permanently delete all configuration, product metadata, analytics and session data for that shop.
Contact
If you have questions about this privacy policy or how your data is handled, contact us at support@shipsmartapp.com.