Last updated: May 29, 2026
This Privacy Policy describes how Cartflow (the “App”, “we”, “us”, or “our”) collects, uses, and shares information when you (the “Merchant”, “you”) install or use the Cartflow: COD & Payment Methods application in connection with your Shopify-supported store.
When you install the App, we are automatically able to access certain types of information from your Shopify account, requested only as needed for the App to function: store information (store name, myshopify.com domain, primary contact email, currency, country, timezone, and plan); order information (order details, payment method selected at checkout, order totals, and fulfillment status) used to apply Cash on Delivery (COD) rules, payment-method customization, and any associated fees; checkout and customer information (which may include customer name, shipping/billing address, phone number, and email address) where required to verify COD orders or apply payment-method conditions; and your App configuration settings and rules.
We do not collect or store full payment card numbers, bank account details, or card security codes. Payment processing is handled entirely by Shopify and its certified payment providers.
We use the information we collect to: provide, operate, and maintain the App’s features, including payment-method display rules and COD management; apply the rules and customizations you configure; verify and reduce fraudulent or invalid COD orders where you enable such features; provide customer support and respond to your requests; improve and optimize the App; and comply with legal obligations.
We do not sell your information. We may share information only with service providers (such as cloud hosting and infrastructure providers) that process data on our behalf to operate the App, under appropriate confidentiality obligations; and to comply with applicable laws and regulations, respond to a lawful request for information, or otherwise protect our rights.
We retain your information for as long as the App is installed on your store. When you uninstall the App, we delete the data associated with your store within 48 hours, except where retention is required by law. You may request deletion of your data at any time by contacting us.
In accordance with Shopify’s mandatory compliance webhooks, we respond to customers/data_request (a store customer’s request to view data we hold about them), customers/redact (requests to delete a customer’s data), and shop/redact (deletion of all store data 48 hours after the App is uninstalled). If you are a shopper and wish to exercise your rights, please contact the merchant whose store you purchased from; we act as a data processor on the merchant’s behalf.
We implement commercially reasonable administrative, technical, and physical safeguards designed to protect the information we process against unauthorized access, disclosure, alteration, or destruction. Data is transmitted over encrypted (HTTPS/TLS) connections.
Your information may be processed and stored in countries other than your own. Where required, we rely on appropriate safeguards for such transfers.
We may update this Privacy Policy from time to time to reflect changes to our practices or for legal reasons. The “Last updated” date at the top indicates when this policy was last revised.