Privacy Policy

Effective date: 2026-07-04 · Version 2.0

At a glance: COD LATINO FORM processes only the data needed to create cash-on-delivery orders in your Shopify store. We never sell personal data, never use it for our own advertising or profiling, never train AI models on it, and never touch payment card data (orders are cash on delivery). Customer records are deleted on request via Shopify's redaction webhooks, and all shop data is erased after uninstall.

1. Who we are and scope

COD LATINO FORM ("the App", "we", "us") is a Shopify application that lets merchants offer cash-on-delivery (COD) order forms optimized for Latin America. This policy covers the App, our admin dashboard, our storefront form widget, and this website (codlatinoform.com).

Data controller for App operations: COD LATINO FORM. Privacy contact: soporte@codlatinoform.com. We respond to all privacy inquiries within 30 days.

2. Our role: processor for merchants

For end-customer (buyer) personal data, the merchant is the data controller and we act as a data processor / service provider, processing buyer data only on the merchant's documented instructions — namely, to create and forward COD orders. This section, together with Sections 3–10, constitutes our data-processing commitment to merchants. For merchant account data and website visitor data, we act as controller.

3. Data we collect

a) Merchant data: Shopify store domain, form and template configuration, quantity-offer settings, tracking-pixel identifiers and (where the merchant provides them) server-side API tokens, integration credentials the merchant voluntarily connects (e.g. Fufills), subscription plan, and support correspondence.

b) End-customer (buyer) data, submitted by the buyer through the merchant's order form: full name, phone number, delivery address, department/state and municipality, optional reference notes and any optional fields the merchant enables, plus order contents (product, variant, quantity, price, currency).

c) Technical data: transient server logs (IP address, user agent, timestamp) generated when an order is submitted, kept for security, rate-limiting and fraud prevention only.

What we never collect: payment card numbers or any payment credentials (orders are cash on delivery — no payment is processed by the App), government ID numbers, or precise geolocation.

4. Protected customer data (Shopify)

Under Shopify's Protected Customer Data framework, the App requests access to customer name, address and phone number. We use these fields for one purpose only: creating the COD order in the merchant's own Shopify store and, when the merchant enables a fulfillment integration, transmitting the same order to that provider. We apply Shopify's data-minimization principles: we request no protected fields we do not need, we do not use protected data for analytics, advertising or enrichment, and access within our systems is restricted to what order processing requires.

5. Purposes and legal bases

We process data to: (i) create COD orders in Shopify (performance of contract); (ii) forward orders to the fulfillment provider the merchant connected (merchant's instruction); (iii) fire the tracking pixels the merchant configured — here the merchant, not us, determines the recipients (merchant's instruction); (iv) count monthly order usage for plan limits and billing via Shopify Billing (performance of contract); (v) secure the service, prevent abuse and keep audit logs (legitimate interest); (vi) comply with legal obligations. We do not sell or rent personal data, use it for our own marketing or advertising, build profiles, or use it to train machine-learning or AI models.

6. Sharing and subprocessors

We share personal data only with the following categories of recipients:

Shopify Inc. — platform on which orders are created (the merchant's existing processor).

Railway Corp. (USA) — application hosting.

Neon Inc. (database on AWS, us-east-1, USA) — encrypted data storage.

Fulfillment providers (e.g. Fufills) — only if, and for as long as, the merchant actively connects the integration; order data is transmitted over HTTPS with signed (HMAC-SHA256) requests.

Advertising/analytics platforms (Meta, TikTok, Google, Snapchat, Pinterest) — only through pixels the merchant itself configures; the merchant is the controller of those transfers.

We never disclose data to any other third party except where required by law, in which case we will notify the merchant unless legally prohibited.

7. International transfers

Our infrastructure is located in the United States. Where data of EU/UK residents is processed, transfers rely on the European Commission's Standard Contractual Clauses and equivalent UK safeguards implemented by our hosting subprocessors. Latin American data-protection regimes (e.g. Brazil's LGPD, Mexico's LFPDPPP, Argentina's Law 25,326) are respected through the same contractual and technical safeguards.

8. Retention and deletion

Buyer order records are retained while the App is installed, so the merchant can view and manage its orders. Technical logs are retained for a maximum of 30 days. Deletion triggers:

customers/data_request — we compile and return the customer's stored order data to the merchant within 30 days.

customers/redact — we permanently delete that customer's order records from our database upon receipt, and in all cases within 30 days.

shop/redact (sent by Shopify 48 hours after uninstall) — we permanently delete all data for that store: form configurations, orders, offers, pixel identifiers and tokens, integration credentials and OAuth sessions.

These three mandatory Shopify privacy webhooks are implemented, verified with HMAC signatures, and processed automatically. Merchants may also request earlier deletion at any time by email.

9. Security

All traffic is encrypted in transit with TLS 1.2+. Data is encrypted at rest by our database provider. Webhooks and integration calls are authenticated with HMAC-SHA256 signatures with timestamp and single-use nonce to prevent replay. We request the minimum Shopify access scopes required, apply least-privilege access internally, and keep integration secrets hashed or encrypted. The App never stores payment credentials of any kind. In the event of a personal-data breach we will notify affected merchants without undue delay — within 72 hours where required — including the scope of affected data and mitigation steps.

10. Cookies and tracking

The storefront form widget sets no cookies and performs no fingerprinting or tracking of its own — it makes zero network requests before buyer interaction. The embedded admin uses Shopify session tokens strictly for authentication. Any advertising pixels that fire on the storefront are configured by, and are the responsibility of, the merchant, who must ensure appropriate buyer notice and consent in its own policies. This marketing website uses no advertising trackers.

11. Your rights

Depending on your jurisdiction — including the GDPR/UK GDPR, California CCPA/CPRA, Brazil's LGPD, Argentina's Law 25,326 and Mexico's LFPDPPP — you may have the right to access, correct, delete, port, restrict or object to the processing of your personal data, to withdraw consent, and to not be discriminated against for exercising these rights. We do not sell or share personal data as defined by the CCPA/CPRA. Merchants can exercise these rights at soporte@codlatinoform.com. Buyers should contact the merchant they purchased from (the controller); we support every merchant request through the webhooks in Section 8. You may also lodge a complaint with your local supervisory authority.

12. Children

The App is a business tool and is not directed at children. We do not knowingly collect data from anyone under 16; if we learn we have, we will delete it promptly.

13. Changes to this policy

We may update this policy as the App evolves. Material changes will be announced in the App admin and reflected in the effective date above. Continued use after changes constitutes acceptance.

14. Contact

COD LATINO FORM — soporte@codlatinoform.com · codlatinoform.com