Privacy Policy
Last updated: March 14, 2026
This Privacy Policy describes how TickPack ("we", "us", or "our") collects, uses, and handles information when you install and use our Shopify application. By installing or using TickPack, you agree to the practices described in this policy.
1. Information We Collect
1.1 Store Information
When you install TickPack, we receive your Shopify store domain and an access token through Shopify's OAuth process. This is required to authenticate API requests on your behalf.
1.2 Staff Accounts
Store administrators create staff accounts within TickPack. We store:
- Username and display name
- Password (securely hashed using bcrypt; we never store plaintext passwords)
- Role assignment (Admin or Staff)
1.3 Order Verification Data
When staff members verify orders, we log:
- Shopify order ID (a reference, not customer data)
- Staff member who performed the verification
- Time taken to complete verification
- Number of items verified
- Proof photo (if enabled by the store administrator)
1.4 Customer Data
TickPack does not store customer personal information. All customer and order details (names, addresses, email addresses, etc.) are fetched in real time from the Shopify API and are never persisted in our database. Proof photos may incidentally contain shipping labels with customer addresses; these photos are subject to the retention policy described below.
2. How We Use Information
We use the collected information solely to:
- Authenticate staff members and manage access to the application
- Track order verification performance and generate reports for store administrators
- Provide proof-of-packing documentation through photos
- Manage order fulfillment status on your Shopify store (when auto-fulfill is enabled)
- Prevent duplicate order processing
3. Data Storage and Security
- Database: Verification logs and staff accounts are stored in a PostgreSQL database hosted on Supabase (AWS infrastructure).
- Photo Storage: Proof photos are stored in Supabase Storage with time-limited signed URLs. Photos are not publicly accessible.
- Passwords: All passwords are hashed using bcrypt with a cost factor of 10. We never store or transmit plaintext passwords.
- Sessions: User sessions are secured with HTTP-only, secure cookies and database-backed session tokens.
- Brute Force Protection: Login attempts are rate-limited to prevent unauthorized access.
4. Data Retention
- Proof Photos: Retained for the period configured by the store administrator (default 180 days). Expired photos are automatically deleted.
- Verification Logs: Retained for as long as the application is installed.
- Staff Accounts: Retained until deleted by an administrator or until the application is uninstalled.
5. Data Deletion
On App Uninstall: When you uninstall TickPack, all data associated with your store is permanently deleted, including:
- All staff accounts and sessions
- All verification logs
- All proof photos from cloud storage
- All application settings
As a safety net, Shopify sends an additional data deletion request 48 hours after uninstallation, at which point we verify that all data has been purged.
6. GDPR Compliance
We comply with the General Data Protection Regulation (GDPR) and respond to the following Shopify mandatory webhooks:
- Customer Data Request: Since we do not store customer personal information directly, we confirm that no customer PII is held outside of Shopify.
- Customer Data Erasure: When requested, we delete any verification logs and associated proof photos linked to the specified customer's orders.
- Shop Data Erasure: We delete all data associated with the store (see Section 5).
7. Third-Party Services
TickPack uses the following third-party services to operate:
We do not sell, rent, or share your data with any other third parties.
8. Data Sharing
We do not sell, trade, or otherwise transfer your information to third parties. Data is only shared with the third-party infrastructure providers listed above, strictly for the purpose of operating the application.
9. Cookies
TickPack uses a single essential cookie (tickpack_user_session) to maintain staff login sessions. This cookie is HTTP-only, secure in production, and contains no personal information. We do not use tracking cookies, analytics cookies, or any third-party cookies.
10. Limitation of Liability
TickPack is provided "as is" without warranty of any kind, express or implied. To the fullest extent permitted by applicable law:
- We are not liable for any indirect, incidental, special, consequential, or punitive damages arising from the use of or inability to use the application.
- We are not responsible for any loss of data, revenue, or business opportunities resulting from the use of TickPack.
- We are not liable for any errors, inaccuracies, or omissions in the order verification process. The store owner is solely responsible for verifying the accuracy of packed orders.
- Our total liability shall not exceed the amount paid by you for the application in the twelve (12) months preceding the claim.
- We are not responsible for any actions taken by Shopify, Supabase, or other third-party service providers that may affect the availability or functionality of TickPack.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected by updating the "Last updated" date at the top of this page. Continued use of TickPack after changes constitutes acceptance of the updated policy.
12. Contact
If you have questions about this Privacy Policy or your data, please contact us at: support@tickpack.app