Privacy Policy

This Privacy Policy describes how Konfirm, operated by Pacific Softwares ("we", "us", or "our"), collects, uses, stores, and protects information when you install and use the Konfirm Shopify application (the "App"). By installing the App, you agree to the practices described in this policy.

1. Who We Are

Konfirm is a Shopify application developed and maintained by Pacific Softwares. We are the data processor for merchant and customer data handled through the App. The Shopify merchant (store owner) is the data controller for their customers' personal data.

Contact: hello@pacificsoftwares.com

2. Information We Collect

2.1 Merchant data (from Shopify store owners)

• Shopify store domain (e.g. yourstore.myshopify.com)
• Shopify OAuth access token (used exclusively to read and tag orders)
• SMS provider credentials you enter in Settings (MSG91 API key, Twilio SID/token) — stored encrypted at rest
• SMTP credentials you enter in Settings — stored encrypted at rest
• Custom message templates
• App configuration preferences (retry count, auto-cancel setting, etc.)

2.2 Customer data (from your shoppers)

When a COD order is placed in your store, Konfirm receives the following from the Shopify orders/create webhook:

• Customer name
• Customer phone number (E.164 format)
• Customer email address
• Order number, total amount, and currency
• Order status (pending / confirmed / cancelled / expired)

We do not collect payment card details, addresses, or any other personal data beyond what is listed above.

2.3 Usage data

• OTP attempt logs (number of attempts, timestamp, provider used)
• SMS delivery status (sent / delivered / failed) as reported by your SMS provider
• App event logs for debugging (no customer PII in logs)

3. How We Use Your Information

• To send OTP verification messages via SMS and/or Email to your customers
• To tag Shopify orders (cod-confirmed, cod-cancelled) via the Shopify Admin API
• To display order history and analytics in the Konfirm dashboard
• To enforce the Free plan confirmation limit and manage billing
• To respond to your support requests
• To comply with legal obligations, including Shopify's GDPR data webhooks

We do not sell, rent, or share your data or your customers' data with any third party for marketing purposes.

4. Third-Party Services

Konfirm integrates with the following third-party services to deliver its functionality. Your credentials (API keys) for these services are stored by Konfirm but messages are sent through your account:

• MSG91 — SMS delivery. MSG91 Privacy Policy →
• Twilio — SMS delivery. Twilio Privacy Policy →
• Your SMTP provider — Email delivery. Governed by the privacy policy of your chosen mail provider (e.g. SendGrid, Mailgun, Gmail).
• Shopify — Order data is received via Shopify webhooks and order tags are written via the Shopify Admin API. Shopify Privacy Policy →

5. Data Storage and Security

• All data is stored on servers located in the European Union / United States (DigitalOcean).
• Sensitive credentials (SMS provider keys, SMTP passwords, Shopify access tokens) are encrypted at rest using AES-256.
• All data in transit is protected by TLS 1.2 or higher (HTTPS only).
• Shopify webhook payloads are verified using HMAC-SHA256 signatures before processing.
• We perform regular security reviews and apply patches promptly.

6. Data Retention

• Active merchants: Data is retained for as long as the App is installed on your store.
• After uninstall: Shopify access tokens are revoked immediately. All shop data (orders, tokens, settings) is deleted within 48 hours upon receipt of Shopify's shop/redact webhook.
• Customer data: Individual customer records are anonymised within 30 days of a customers/redact GDPR request from Shopify.
• Billing records: Retained for 7 years as required by financial regulations.

7. GDPR and Your Rights (EEA / UK Residents)

If you or your customers are located in the European Economic Area (EEA) or the United Kingdom, the following rights apply under the General Data Protection Regulation (GDPR) and UK GDPR:

• Right of access — Request a copy of the personal data we hold.
• Right to rectification — Request correction of inaccurate data.
• Right to erasure — Request deletion of your data ("right to be forgotten").
• Right to restriction — Request that we limit how we use your data.
• Right to data portability — Receive your data in a machine-readable format.
• Right to object — Object to data processing based on legitimate interests.

To exercise any of these rights, email hello@pacificsoftwares.com. We will respond within 30 days.

Shopify merchants can also trigger customer data requests and redactions directly from the Shopify admin — Konfirm responds automatically to all three mandatory GDPR webhooks.

8. CCPA (California Residents)

California residents have the right to know what personal information is collected, request deletion of personal information, and opt out of the sale of personal information. Konfirm does not sell personal information. To exercise your rights under CCPA, contact hello@pacificsoftwares.com.

9. Cookies

The Konfirm admin dashboard (embedded in Shopify) uses session cookies for authentication. The public OTP verification page (/verify/{token}) does not use any cookies or tracking pixels. We do not use advertising cookies or third-party analytics trackers on any Konfirm pages.

10. Children's Privacy

Konfirm is a business-to-business service intended for Shopify merchants. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Material changes will be communicated to active merchants via email or an in-app notice at least 14 days before they take effect. Continued use of the App after the effective date constitutes acceptance of the revised policy.

12. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

• Email: hello@pacificsoftwares.com
• Company: Pacific Softwares
• Response time: Within 2 business days