← Parcel Pulse

Privacy Policy — Parcel Pulse

Last updated: 28 June 2026

Parcel Pulse ("the App", "we", "us") is a Shopify app that helps a merchant catch

duplicate orders and broken shipping addresses on their own store before an

order ships. This policy explains exactly what the App accesses, what it does

with it, and what it keeps. We collect and retain as little as the feature needs.

Who this applies to

This policy is for the merchant who installs the App and for the customers whose

orders the merchant processes through their Shopify store. The merchant is the

data controller for their customers' data; we act as a data processor on the

merchant's behalf, strictly to provide the App's pre-ship checks.

What the App accesses (Shopify scopes)

The App requests exactly two Admin API scopes — the minimum its features need:

• read_orders — to read the merchant's own unshipped (unfulfilled,

open) orders and run the two pre-ship checks. From each order we read: the

order phone, the order email, the shipping address (street, city, postal code,

country), and the order name, total and currency.

• write_orders — only to cancel a duplicate order when the merchant

explicitly clicks "Cancel duplicate" on a specific flagged row.

We do not request read_customers, because every field we use is read off

the order itself. We do not access products, inventory, customers' saved

profiles, payment data, themes, or any other store data.

Protected Customer Data

Because the App reads order phone and shipping-address fields, it is classified

as Protected Customer Data — Level 2 under Shopify's Protected Customer Data

requirements. A public disclosure of exactly what we read and retain is served

in-app at /docs/protected-customer-data.

How we use the data

When a merchant runs (or installs and triggers) a scan, the App reads the

unshipped orders into memory and runs two deterministic rule checks:

1. Duplicate-order detection — two open orders sharing the same phone

(compared on the last 9 digits) within a configurable time window.

1. Address validation — missing street number, malformed Romanian postal

code, or a phone with too few digits.

The raw order data is processed in memory only and then discarded. We do not

profile customers, we do not use the data to train any model, and we do not use

any third-party AI service — the checks are plain rules, not machine learning.

What we retain (PII-minimised)

After a scan we persist only what the flagged queue needs to be actioned:

• the order's Shopify ID and human order name (e.g. #1001),
• a masked phone showing only the last four digits (e.g. •••• 0192),
• the list of issue reasons (e.g. "Street address has no number"),
• a one-line risk reason, and the order total and currency.

We do not store raw phone numbers, full shipping addresses, customer names,

email addresses, or order line items. The flagged queue is **replaced on every

scan**, so stale flags do not accumulate. We also keep counts-only telemetry

(how many orders were validated and flagged per scan) to enforce the free quota

and render usage charts; this contains no customer data.

Data sharing & sub-processors

We do not sell, rent, or share customer data with third parties for their

own purposes. We use a minimal set of infrastructure sub-processors solely to

run the App:

• Application host / database / cache — the App runs on a dedicated virtual

server (hosted under the syncerp.work domain) with a PostgreSQL database and

a Redis queue, used only to operate the App and store the PII-minimised flags

described above.

• Shopify — the platform the App is installed on; order data is read via the

Shopify Admin API.

The App does not call Anthropic, OpenAI, or any other AI/LLM provider, and

sends no customer data to any analytics or advertising service.

If the merchant configures the optional alert webhook (a Pro feature), the

App POSTs a counts-only summary (orders scanned, number flagged, per-category

counts) to the URL the merchant chooses. That payload contains **no customer

data** and is sent only to the merchant's own endpoint.

Data retention & deletion

The flagged queue is overwritten on each scan and deleted when the App is

uninstalled or on a redaction request. We honour Shopify's mandatory compliance

webhooks:

• customers/data_request — we acknowledge; we hold no raw customer data to

return beyond the masked flags described above.

• customers/redact — we acknowledge; we retain no raw customer PII.
• shop/redact — we delete the shop's flagged-order rows and derived data.

On uninstall the shop record is marked uninstalled and its derived flags are

removed.

GDPR & your rights

For merchants and customers in the EU/EEA (and equivalent regimes), you have the

right to access, correct, export, restrict, or delete personal data we process,

and to object to processing. Because we retain only PII-minimised flags keyed to

the merchant's own orders, most requests are satisfied by the merchant within

Shopify; for anything else, contact us and we will action it without undue delay.

Security

Offline access tokens are encrypted at rest (AES-256-GCM). Order PII is processed

in memory and discarded; only masked flags are persisted. Access to the

production environment is restricted and key-based.

Changes

We may update this policy as the App evolves; material changes will be reflected

in the in-app disclosure and the "last updated" date above.

Contact

For privacy questions or data requests, contact: privacy@syncerp.work