Privacy policy
Last updated: 2026-06-14
TagAlong (“the App”) is published by Handeeman LLC. This policy explains what data we collect from Shopify merchants who install the App, how we use it, and how merchants can request its deletion.
What we collect
- Shop domain and offline access token. When you install the App, Shopify provides us a long-lived access token tied to your *.myshopify.com domain so we can call the Shopify Admin API on your behalf, scoped to write_discounts and read_orders. You can verify the exact scopes on Shopify's install consent screen before installing.
- Order discount allocations. When an order is placed on your store, Shopify delivers an orders/create webhook to the App. We read a strict allow-list of fields: order ID, order name, creation timestamp, currency, shipping line discount allocations, discount application metadata, and line item titles. From this we determine whether TagAlong's bundle-shipping discount fired on the order and the dollar amount of shipping it waived. We ignore — and never persist — customer name, email, phone, address, IP address, payment information, line item prices, SKUs, variant details, or any other personally identifiable customer field.
- Per-shop usage aggregates. Derived from the discount allocations above: a monthly count of bundles fired, total shipping waived, and addon product titles. Used to power the merchant's analytics dashboard, enforce the free-tier limit (10 bundles/month before the upgrade prompt), and trigger the in-app review request.
- Subscription state. If you start a paid plan, we store the Shopify-issued subscription ID, status, and current billing period end date, mirrored from Shopify's Billing API. We never see or store payment card details — those stay with Shopify.
- Webhook delivery logs. Topic, timestamp, and SHA-256 hash of the webhook body — kept for debugging. Retention capped at 30 days.
What we do NOT collect
- Customer personally identifiable information (name, email, phone, billing address, shipping address, IP address).
- Order line item prices, SKUs, variant details, or full line item descriptions (only the line item title is retained, for identifying which addon products appear in bundles).
- Payment information of any kind.
- Product catalog data beyond what the discount function reads at runtime.
- Cookies or analytics trackers on the embedded admin or marketing site.
How we use it
Merchant data is used exclusively to operate the App:
- The access token authorizes our backend to create, pause, and resume your TagAlong bundle-shipping discount via the Shopify Admin API, and to receive the orders/create webhook for usage tracking.
- Order discount data is used to count how often the bundle-shipping discount fires, surface that count and the dollar amount saved in your in-app dashboard, enforce the free-tier monthly limit, and trigger the in-app review prompt.
- Subscription state is used to keep your dashboard in sync with Shopify's billing system (paid vs free tier).
- We do not sell, share, or transfer any merchant or merchant-customer data to third parties.
How we store it
Data is stored in Google Firestore (GCP us-central1), encrypted at rest by Google's infrastructure and transmitted to and from our servers over TLS 1.2+ only. Access is restricted to authorized Handeeman LLC personnel and runs only inside the TagAlong backend application.
How long we keep it
Active installation records are kept for as long as the App is installed on your store. When you uninstall, your access token is immediately revoked and the installation record is marked as uninstalled. We retain the uninstalled record for 90 days (for support history), then delete it entirely.
Per-order usage events are automatically deleted 90 days after the order date via a Firestore time-to-live policy. Monthly usage aggregates (counts and dollar totals only — no order or customer identifiers) are retained for the lifetime of the installation so the dashboard can show historical trends.
GDPR / data subject rights
Because TagAlong does not store customer PII, GDPR data-subject requests have no customer data to act on. Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact) are received and acknowledged but require no further action on our side.
Contact
Questions, deletion requests, or compliance inquiries: contact support@usetagalong.com.