Privacy Policy

Effective date:

The short version

  • We only process data to prevent discount abuse — nothing else.
  • We never sell, share, or send your data to third parties.
  • No advertising, analytics, or social media cookies.
  • All shopper data is auto-deleted after 90 days.

See also our Terms of Service and Data Processing Agreement.

1. Who we are

OfferGuard ("we", "us", "our") operates the OfferGuard Shopify application and the website at offerguard.app. OfferGuard helps Shopify merchants protect new-customer discount offers from abuse by analyzing checkout signals.

For data protection purposes, the Shopify merchant who installs OfferGuard is the data controller. OfferGuard acts as a data processor on the merchant's behalf.

2. Data we collect

2.1 Merchant data

When a merchant installs OfferGuard, we store:

  • Shopify store domain (e.g., your-store.myshopify.com)
  • Billing plan tier and monthly usage counters
  • Rules and configuration the merchant creates within the app

2.2 Shopper data collected at checkout

When a shopper reaches checkout on a merchant's store, OfferGuard collects the following data to evaluate the merchant's rules:

  • Email address — normalized and checked against a local list of known disposable email providers
  • Phone number — if provided at checkout
  • Shipping address — street, city, postal code, province, country
  • IP address — from the request headers
  • Device signals — browser user agent, platform, language, screen dimensions, hardware concurrency, device memory, timezone, and touch capability. These signals are combined into a device fingerprint hash.
  • Cart details — product names, variant IDs, quantities, cart total, and currency
  • Checkout and browsing signals — checkout token and page view events collected via the Shopify web pixel
  • Buyer identity — whether the shopper is logged in to a Shopify customer account

2.3 Visitor tracking

OfferGuard deploys a Shopify web pixel that sets a first-party cookie (_og_vid) with a randomly generated visitor ID. This cookie expires after 1 year and is used solely to detect repeat visits from the same browser. It is a SameSite=Lax cookie scoped to the merchant's domain.

3. How we use the data

We process shopper data exclusively to:

  • Determine whether a shopper qualifies as a new or returning customer
  • Detect repeat purchases using the same email, phone, address, IP, or device
  • Identify disposable email addresses using a local domain list (no external lookups)
  • Detect zero-total orders
  • Execute merchant-configured post-order actions (order tags, customer tags, risk assessments, fulfillment holds)
  • Log checkout decisions for the merchant's dashboard

We do not use shopper data for advertising, profiling, marketing, or any purpose other than the fraud-prevention functionality described above.

4. External services and data sharing

OfferGuard does not send shopper data to any third-party service. All processing happens on our server and through the Shopify Admin API. Specifically:

  • Disposable email detection uses a hardcoded local list — no external email verification APIs
  • IP-based detection uses the raw IP address — no external geolocation or IP scoring services
  • Device fingerprinting is computed locally — no third-party fingerprinting services
  • Customer and order lookups are performed exclusively via the Shopify GraphQL Admin API

We do not sell, rent, or share personal data with any third party.

5. Data storage and security

  • Data is stored in an SQLite database on our application server
  • Communication between the Shopify checkout and our server uses HTTPS/TLS encryption
  • Access to the merchant dashboard is protected by Shopify's OAuth session authentication
  • We do not store payment card information — all payment processing is handled by Shopify

6. Data retention

  • Decision logs (email, phone, IP, device data, cart details) — retained for 90 days, then automatically purged
  • Device fingerprints — retained for 90 days
  • Merchant rules and configuration — retained for the duration of the app installation
  • Merchant account data — deleted within 30 days of app uninstallation via the shop/redact webhook

7. Shopify API scopes

OfferGuard requests the following Shopify API permissions:

  • read_customers — look up whether a shopper is an existing customer
  • read_orders — check prior order history for repeat-purchase detection
  • write_orders — add tags and notes to flagged orders
  • write_merchant_managed_fulfillment_orders / write_third_party_fulfillment_orders — hold fulfillment on flagged orders
  • write_pixels — register the device fingerprint web pixel
  • read_customer_events — receive checkout and page view events in the pixel

8. Your rights (GDPR / CCPA)

If you are a shopper on a merchant's store, the merchant is the data controller. To exercise your data protection rights (access, deletion, correction, portability), please contact the merchant directly.

Merchants can contact us at [email protected] to:

  • Request export of all data we process on their behalf
  • Request deletion of specific shopper data from our systems
  • Request a copy of our data processing records

We respond to Shopify's mandatory privacy webhooks (customers/data_request, customers/redact, shop/redact) to fulfill data subject rights programmatically.

9. Cookies

Cookies used by OfferGuard

| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| _og_vid | Unique visitor ID for repeat-visit detection | 1 year | First-party, functional |

We do not use any advertising, analytics, or social media cookies.

10. Children's privacy

OfferGuard does not knowingly collect data from children under 16. Our service is designed for use by Shopify merchants (businesses) and their adult customers.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the app dashboard or email to the merchant's registered Shopify contact.

12. Contact

For privacy-related questions, contact us at [email protected].
