Privacy Policy

ResaleProof helps Shopify merchants collect, verify, and apply resale sales-tax exemption certificates. Operating the app requires processing personal information about merchants, their customers, and the certificate data they upload. This policy explains what we collect, why, and how you can exercise your rights over it.

Canonical source of truth for this content is app/routes/legal.privacy.tsx + site/content/legal/privacy.mdx. Both render the same content; update both when the policy changes.

1. Who we are

ResaleProof is an independent Shopify app. For the purposes of GDPR / UK GDPR and similar frameworks, ResaleProof acts as a data processor for the merchant (who is the data controller for their customers’ information). Contact: legal@resaleproof.com.

2. What we collect

Merchant data (you, the store owner)

• Shopify shop domain and store name.
• Shop settings you configure through the onboarding wizard: sender name, reply-to email, logo URL, nexus-state list, cert-type preferences, and branding primary color.
• Audit events (who approved or rejected which certificate, and when) so we can produce the audit-ready export bundle.

Customer data (your buyers)

• Shopify customer global ID (GID).
• Email address (supplied by the customer in the portal).
• Resale certificate documents. These PDFs often contain personally identifying business information such as legal business name, address, signature, and federal or state tax identifiers (FEIN / EIN / state permit numbers). Handle with care — we never log the contents of these files.
• Certificate metadata (state, cert type, cert number, expiration date, submission source, approval status).
• IP address and user agent at the moment a certificate is submitted — stored as legal-audit evidence of the signature transaction. Not used for tracking, advertising, or profiling.

Operational data

• Short-lived rate-limit records (bucket key + timestamp) used to throttle abusive traffic. Retained 30 minutes, then purged.
• Email delivery logs (message ID, status, send timestamp) produced when we send transactional mail on your behalf.
• Error telemetry captured by Sentry: stack traces, route names, and correlation IDs. We explicitly disable Sentry’s default PII capture.

3. Why we collect it

• Provide the service. Storing certificates, matching them to Shopify customers, and applying the appropriate tax exemption at checkout is the core of what the app does.
• Transactional communication. Confirmation, renewal reminders, rejection notices, verification codes, and merchant activity digests.
• Audit defense. Merchants use the stored data to prove to state auditors that tax exemption was properly claimed. Retention windows reflect typical state audit lookback.
• Security + reliability. Rate limits and error telemetry protect merchant data against abuse and outages.

4. Third-party sub-processors

We transfer data to a small, audited set of vendors strictly for the purposes above:

• Shopify, Inc. — source of merchant + customer identities, target of tax-exemption mutations and file storage. We use Shopify Files to hold certificate PDFs (encrypted at rest by Shopify).
• Supabase, Inc. — Postgres database hosting certificate metadata, audit log, email log, and operational tables.
• Postmark (Wildbit LLC) — transactional email delivery. Postmark receives the recipient address and email body; we never ship cert-PDF contents through Postmark.
• Fly.io, Inc. — application hosting (compute + private network). No customer PII is logged to standard output.
• Functional Software, Inc. (Sentry) — error telemetry with PII capture disabled.

We do not sell, rent, or share data with advertisers, data brokers, or analytics vendors beyond the list above.

5. How long we keep it

• Active certificates: retained for as long as the merchant’s shop is installed.
• Expired certificates: retained for up to 7 years past expiration (longest US state audit lookback).
• Shop uninstall: immediate soft-delete; hard-delete (with all child records) 30 days later. The window allows accidental-uninstall recovery.
• Customer redact request (via the Shopify customers/redact webhook): all of the customer’s certificate records, audit rows, email-log rows, and Shopify Files PDFs are deleted on receipt.
• Verification codes: 15-minute TTL.
• Rate-limit logs: 30 minutes.

6. Security measures

• TLS for all data in transit.
• Supabase encryption at rest. Shopify Files are encrypted at rest by Shopify.
• Server-side HMAC verification on all Shopify webhooks; duplicate deliveries detected via X-Shopify-Event-Id.
• Customer Account UI calls authenticated with short-lived HS256 session tokens; submit requires an additional verified-email claim.
• IP-keyed rate limiting on all public endpoints.
• Service-role database credentials rotated out of source control and stored in hosting-provider secret storage.

7. Your rights

Depending on your jurisdiction (GDPR / UK GDPR, CCPA / CPRA, Colorado Privacy Act, Virginia CDPA, etc.) you may have the right to:

• Access the personal data we hold about you.
• Receive a machine-readable copy (data portability).
• Correct inaccurate data.
• Request deletion (“right to erasure”).
• Object to, or restrict, certain processing activities.
• Lodge a complaint with your local supervisory authority.

To exercise any of these, contact the merchant whose store you purchased from first — they are the primary data controller. If the merchant hasn’t responded within a reasonable window, reach out directly to legal@resaleproof.com. Merchants can also reach us at the same address to request a data export or deletion on behalf of a customer.

8. International transfers

ResaleProof is operated from the United States. Data may be processed in the US and in vendor regions used by Shopify, Supabase, Postmark, Fly.io, and Sentry. Where applicable we rely on Standard Contractual Clauses and our vendors’ own transfer mechanisms.

9. Children

The service is not directed at, nor intended for, individuals under 16. We do not knowingly collect data from children.

10. Changes to this policy

We’ll update this page if our practices change; the “Updated” date at the top reflects the current revision. Material changes will also be communicated in-app (admin dashboard banner) or via email to the merchant contact on file.

11. Contact

Questions, data-subject requests, or security disclosures: legal@resaleproof.com.