Privacy Policy
Last updated: February 27, 2026
This Privacy Policy describes how COD Boss — Form & Upsells & OTP (“we”, “us”, or “the App”) collects, uses, and shares personal information when you install or use our application through the Shopify platform.
1. Information We Collect
1.1 From Merchants (Store Owners)
- Account information: Shopify store domain, store name, owner name, and email address (provided by Shopify during installation)
- Configuration data: Form settings, offer configurations, pixel IDs, email settings, and fraud prevention rules you set up in the app
1.2 From Customers (Buyers)
When customers fill out a COD order form on a merchant’s store, we collect:
- Personal details: First name, last name, email address, phone number
- Shipping address: Street address, city, state/province, postal code, country
- Order information: Products ordered, quantities, prices, discount codes
- Custom form fields: Any additional information the merchant has configured their form to collect
1.3 Automatically Collected
- Technical data: IP address, browser user agent string
- Analytics data: Form views, form starts, submissions, conversion events, country (derived from IP)
- Abandoned form data: Partially completed form information for cart recovery purposes
1.4 From Shopify APIs
- Product and variant information (titles, prices, images)
- Order and draft order data
- Customer data as permitted by granted access scopes
- Theme information for extension configuration
2. How We Use Information
- Order processing: Creating and managing Cash on Delivery draft orders in the merchant’s Shopify store
- Cart recovery: Sending abandoned cart recovery emails to customers who started but did not complete an order (when enabled by the merchant)
- Analytics: Providing merchants with conversion analytics, funnel metrics, and performance data for their COD forms
- Fraud prevention: IP-based blocking, rate limiting, and geographic restrictions to protect merchants from fraudulent orders
- Upsells & offers: Displaying relevant product offers and quantity discounts during the order process
- Ad pixel tracking: Firing conversion events to merchant-configured advertising platforms (Facebook, TikTok, Google, Pinterest, Snapchat) when enabled
- SMS notifications: Sending order confirmations and OTP verification messages when enabled by the merchant
3. How We Share Information
We share personal information only as necessary:
- With Shopify: Order data is sent back to the merchant’s Shopify admin as draft orders
- Email service (Resend): Email addresses and content for sending recovery/notification emails
- SMS provider: Phone numbers and message content for SMS/OTP delivery
- Ad platforms: Anonymized conversion event data to platforms the merchant has configured (no raw PII is shared with ad platforms)
We do not sell, rent, or trade personal information to third parties for their marketing purposes.
4. Data Retention
- Order data: Retained while the app is installed. Deleted within 30 days of a customer data deletion request or app uninstall.
- Abandoned form data: Automatically expires and is eligible for deletion. Permanently deleted upon customer data deletion request.
- Analytics data: Retained while the app is installed. IP addresses are anonymized upon customer deletion requests.
- Session data: Deleted immediately when the app is uninstalled.
- All shop data: Permanently deleted within 48 hours after app uninstallation, in compliance with Shopify’s shop/redact webhook.
5. Data Storage & Security
Data is stored in a PostgreSQL database hosted on Fly.io infrastructure. All data in transit is encrypted via TLS/SSL. We follow industry-standard security practices to protect stored data.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data
- Restriction: Request that we restrict processing of your personal data
- Portability: Request transfer of your data in a machine-readable format
- Objection: Object to our processing of your personal data
Merchants can exercise these rights on behalf of their customers, or customers can contact us directly. We respond to all data subject requests within 30 days.
7. GDPR Compliance
We comply with the General Data Protection Regulation (GDPR) and respond to all mandatory Shopify compliance webhooks, including customer data requests, customer data deletion requests, and shop data deletion requests.
8. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
- Email: support@codeboss.com
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify merchants of any material changes through the app or via email. The “Last updated” date at the top indicates when this policy was last revised.