Privacy Policy
Last updated: July 9, 2026
1. Who we are
OrderPad ("the App", "we", "us") is an order assistant for sales agents, embedded in the Shopify admin. It is operated by GC Global Digital Services LLC, a Delaware limited liability company (600 N Broad Street, Suite 5, Middletown, DE 19709, United States). For any privacy matter, contact us at support@dro.wtf.
2. Scope and roles
The App is installed by Shopify merchants. For the personal data of a merchant's customers and staff, the merchant is the data controller and we act as a data processor / service provider, processing data only on the merchant's instructions to provide the App. For the merchant's own account data (store domain, contact email, subscription plan), we act as an independent controller for the purpose of operating and billing the App.
3. Data we process
- Store data: store domain, store name, contact email, currency, time zone, subscription plan and usage counters.
- Staff (agent) data: Shopify staff ID, name and email of the staff members who use the App, so each order can be attributed to its agent.
- Customer data (on behalf of the merchant): name, company, email, phone, tax ID, tags and the customer metafields the merchant enables for search. This data is synced from Shopify into a search index so agents can find customers quickly.
- Order data: products, quantities, prices, discounts, totals, chosen location and payment option, and the agent who created each order.
- Technical data: Shopify API access tokens (expiring tokens with rotation) required to operate, and minimal operational logs.
We do not process payment card data. Payments and app billing are handled entirely by Shopify.
4. Purposes and legal bases (GDPR)
- Providing the App (customer search, order creation, statistics) — performance of a contract (Art. 6(1)(b) GDPR) and the merchant's instructions as controller.
- Billing and account management — performance of a contract (Art. 6(1)(b)).
- Security, abuse prevention and troubleshooting — legitimate interest (Art. 6(1)(f)).
- Compliance with legal obligations (Art. 6(1)(c)).
5. Sharing and subprocessors
We do not sell or share personal information for advertising, and we do not use it for profiling or training purposes. Data is shared only with the infrastructure providers strictly needed to run the App:
- Shopify (platform; source and destination of store, customer and order data).
- Vercel Inc. (application hosting, USA/EU edge network).
- Neon Inc.(managed PostgreSQL database where the App's data is stored).
6. International transfers
Where data is transferred outside the EEA/UK (e.g. to the USA), we rely on appropriate safeguards: the EU Standard Contractual Clauses and, where the provider is certified, the EU–US Data Privacy Framework.
7. Retention and deletion
- Data is retained only while the App is installed and the service is provided.
- When a merchant uninstalls the App, Shopify sends us a mandatory redaction request (shop/redact) about 48 hours later and all of that store's data is permanently deleted from our database.
- When a merchant asks Shopify to delete a specific customer (customers/redact), we delete that customer from our index and anonymize their order records automatically.
- Customer data requests (customers/data_request) are honored through the merchant; contact us if you need assistance.
8. Security
All traffic is encrypted in transit (TLS). Data at rest is encrypted by our hosting providers. Shopify access is performed with short-lived, automatically rotated access tokens, and every App request from the Shopify admin is verified with signed session tokens. Access to production systems is limited to the operator.
9. Your rights (EEA/UK)
Subject to the GDPR, you may exercise the rights of access, rectification, erasure, restriction, portability and objection. If you are a customer of a store using the App, please direct your request to that store (the controller); we will assist the merchant in fulfilling it. You may also lodge a complaint with your local supervisory authority.
10. US privacy rights (CCPA/CPRA and state laws)
We act as a service provider for merchant customer data. We do not sell personal information, do not share it for cross-context behavioral advertising, and do not use sensitive personal information beyond providing the service. US residents may have rights to know, delete and correct their personal information and will not be discriminated against for exercising them. Requests can be made through the merchant whose store you interacted with, or via support@dro.wtf.
11. Cookies and local storage
The App does not use advertising or analytics cookies. It only uses essential browser storage: your language preference and, for the App owner, an administration key. The App runs inside the Shopify admin, whose cookies are governed by Shopify's own privacy policy.
12. Children
The App is a business tool and is not directed to individuals under 16.
13. Changes
We may update this policy; the date above reflects the latest version. Material changes will be communicated through the App or the listing.
14. Contact
GC Global Digital Services LLC · 600 N Broad Street, Suite 5, Middletown, DE 19709, United States · support@dro.wtf