Privacy policy

Last updated: 2026-05-15

TagAlong (“the App”) is published by Handeeman LLC. This policy explains what data we collect from Shopify merchants who install the App, how we use it, and how merchants can request its deletion.

What we collect

• Shop domain and offline access token. When you install the App, Shopify provides us a long-lived access token tied to your *.myshopify.com domain so we can call the Shopify Admin API on your behalf (only for thewrite_discounts and read_orders scopes you approved at install).
• Subscription state.Your current TagAlong plan, subscription identifier, and billing period dates, synced from Shopify's billing system.
• Aggregated order counts.The number of orders per month where TagAlong's bundle discount fired. We do NOT store customer names, emails, addresses, line item details, or any other order-level data.
• Webhook delivery logs. Topic, timestamp, and SHA-256 hash of the webhook body — kept for debugging and retention is capped at 30 days.

What we do NOT collect

• Customer personally identifiable information of any kind.
• Order line item contents, prices, or descriptions.
• Product catalog data beyond what the function reads at runtime.
• Cookies or analytics trackers on the embedded admin or marketing site.

How we use it

The access token is used exclusively to (a) create and manage the Shopify app subscription you authorized, and (b) acknowledge GDPR webhooks. Aggregated order counts are used solely to enforce your plan's monthly bundled-order allowance and display usage in your dashboard.

How we store it

Data is stored in Google Firestore (GCP us-central1). Access is restricted to authorized Handeeman LLC personnel and runs only inside the TagAlong backend application.

How long we keep it

Active installation records are kept for as long as the App is installed on your store. When you uninstall, your access token is immediately revoked and the installation record is marked as uninstalled. We retain the uninstalled record for 90 days (for billing reconciliation and support history), then delete it entirely.

GDPR / data subject rights

Because TagAlong does not store customer PII, GDPR data-subject requests have no customer data to act on. Shopify's mandatory GDPR webhooks (customers/data_request,customers/redact, shop/redact) are received and acknowledged but require no further action on our side.

Contact

Questions, deletion requests, or compliance inquiries: contact support@usetagalong.com.