Privacy Policy
Last updated: 31 May 2026
This Privacy Policy explains how dotAOV ("we", "us") handles information in connection with the dotAOV: Order Editing app ("the App") for Shopify. It applies to the Shopify merchants who install the App and to their customers who use it to edit an order. By installing the App, the merchant agrees to this policy.
1. What the App does
The App lets a merchant's customers — and the merchant's own staff — correct a recently placed order (for example, a wrong shipping address) within a time window the merchant controls. The App reads the relevant order from Shopify, shows the current values, and saves the customer's corrections back to the order.
2. Information we access
When an order is being edited, the App accesses, from Shopify, only the data needed for that order:
- Order number and order status (e.g. fulfillment state, creation date, cancellation status).
- The order's shipping address — recipient name, company, address, city, region, postal code, country, and phone.
- The order's contact email (used to verify the person editing owns the order).
- Order notes, line items, and product variants (only when the relevant editing features are enabled).
We request the minimum Shopify permissions required for this: read/write orders, read products, and order-edit access.
3. Information we store
We practice data minimization. The App does not store your customers' names, addresses, phone numbers, or emails. Order details are read live from Shopify when needed and written straight back — never retained on our servers.
The only data we persist is:
- An edit audit log — for each successful edit we keep the shop, the order ID, the order number, whether the edit came from the customer or staff, and a timestamp. This powers the merchant's dashboard. It contains no names, addresses, or contact details.
- Per-shop settings — the merchant's configuration (which fields are editable, the time window, branding and text).
- A Shopify session token — required by Shopify to authenticate the App for the shop.
4. How we use information
Information is used solely to display an order's current details and to save the customer's or staff's corrections back to that order. We do not use it for advertising, profiling, marketing, or analytics about individuals, and we do not build customer profiles.
5. Cookies & tracking
The customer-facing edit page sets no advertising or tracking cookies. The embedded merchant admin uses the session mechanism Shopify requires to keep you signed in. We do not use third-party analytics or ad trackers in the App.
6. How we protect information
- All data is transmitted over encrypted connections (HTTPS/TLS).
- Stored data is held in a managed PostgreSQL database that encrypts data at rest.
- Edits are verified against the order and rate-limited to prevent abuse and enumeration.
- We never sell or rent personal data.
7. Service providers (sub-processors)
The App relies on these providers to operate:
- Shopify — the platform the App runs on and the source of all order data.
- Railway — application hosting.
- Neon — managed PostgreSQL database for the limited data described above.
We share data with these providers only as needed to run the App, not for their own purposes.
8. International data transfers
Our hosting and database providers process data on servers located in the United States. Where data is transferred internationally, it remains protected by the security measures described above.
9. Data retention & deletion
Because we don't store customer personal data, there is nothing personal to delete on request. The edit audit log and shop settings are removed when the merchant uninstalls the App: settings are cleared on uninstall, and all remaining shop data is erased when Shopify sends the shop-redaction request (about 48 hours after uninstall). We honor Shopify's mandatory privacy webhooks for customer data requests and customer/shop redaction.
10. Your rights (GDPR / CCPA)
If you are a customer of a store using the App and want to know what data the App holds about you, or want it erased, contact the store you ordered from — they are the data controller. The App will provide or delete any data it holds (the audit-log entries for your orders) at the store's request. You can also reach us directly using the contact details below.
11. Children's privacy
The App is a merchant tool and is not directed at children. We do not knowingly collect personal information from children.
12. Changes to this policy
We may update this policy from time to time — for example, if we add new features. The "last updated" date above reflects the latest version, and material changes will be reflected here.
13. Contact
Questions about privacy or this policy? Email support@dotaov.com.