Agoraxa for Shopify

Checkout Address Guard Privacy Policy

Last updated: February 2026

1. Overview

Checkout Address Guard ("the App") is a Shopify application developed by Agoraxa ("we", "us", or "our"). The App validates shipping addresses at checkout to prevent delivery failures caused by PO Box addresses. This Privacy Policy explains what data the App accesses, how it is used, and how it is protected. It applies to merchants who install the App and to customers who interact with stores using the App.

2. Data We Access

The App accesses only the minimum data necessary to operate.

  • Shipping address (real-time only): During checkout, the App reads address1, address2, and company fields via Shopify Functions to detect PO Box patterns. This data is never stored, logged, or transmitted externally — it is discarded immediately after validation.
  • Shopify OAuth session (merchant data): When installed, we store a Shopify OAuth session token (shop domain, access token, session metadata) for authentication. This data is encrypted and automatically deleted on uninstall.
  • App settings: Merchant configuration (enable/disable, custom patterns, error messages) is stored as Shopify metafields — managed by Shopify, not by us.
  • API scope: The App requests only read_validations. We do not request customer data scopes such as read_customers or read_orders.

3. Data We Do NOT Collect

We want to be transparent about data we never collect or store:

  • Customer names, email addresses, or phone numbers
  • Billing or payment information
  • Order details or purchase history
  • Browsing behavior or analytics data
  • IP addresses
  • Device fingerprints or advertising identifiers

4. How We Use Data

We use data exclusively to provide the App's core functionality. We do not use data for marketing, advertising, profiling, or any purpose beyond PO Box detection and app operation.

  • Shipping address fields → PO Box pattern detection at checkout (not stored)
  • OAuth session → App authentication and API access (stored until uninstall)
  • App settings (metafields) → Merchant's blocking configuration (stored by Shopify)

5. Automated Decision-Making

The App uses automated processing (Shopify Functions) to determine whether a shipping address contains a PO Box pattern. When a match is detected, the checkout is blocked with an error message and the customer is asked to provide a street address instead. No human review occurs — the decision is fully automated based on pattern matching. Merchants can configure detection sensitivity through custom patterns and the allowlist. Customers who believe their address was incorrectly blocked can contact the merchant directly.

6. Third-Party Sharing

We do not share, sell, rent, or transmit any data to third parties. The App does not make any external API calls or connect to any services outside of Shopify's platform.

7. Cookies and Tracking Technologies

The App does not use any tracking technologies:

  • No tracking cookies or third-party cookies
  • No web beacons or pixel tags
  • No analytics or advertising SDKs
  • No browser fingerprinting
  • The only client-side storage is a single localStorage item (po-box-blocker:test-at-checkout) in the Shopify Admin for the merchant's testing convenience — not used for tracking

8. Data Storage and Security

We implement the following security measures:

  • Hosting: United States (Render cloud hosting)
  • Encryption in transit: All data transmitted over HTTPS (TLS)
  • Webhook authentication: Payloads verified via HMAC-SHA256
  • Access control: API secrets managed via environment variables, never in source code
  • Logging: No customer personal information in application logs
  • Minimal access: Only read_validations scope — no customer data API access

9. Data Retention and Deletion

Data is retained only as long as necessary:

  • OAuth session: While the App is installed → automatically deleted on uninstall (app/uninstalled webhook)
  • Residual session data: Up to 48 hours after uninstall → cleaned up via shop/redact webhook
  • Shipping addresses: Not retained — real-time processing only
  • App settings (metafields): Managed and removed by Shopify on uninstall

10. International Data Transfers

The App's server is located in the United States. For merchants in the EEA, UK, or other jurisdictions with data transfer restrictions: merchant session data (OAuth tokens) is stored on a US-based server; customer shipping addresses are processed within Shopify's infrastructure and never transferred to our servers. We rely on Standard Contractual Clauses (SCCs) and Shopify's Data Processing Agreement as the legal basis for any transfer of merchant data.

11. Legal Basis for Processing (GDPR)

For merchants and customers in the EEA or UK, we process data under the following legal bases:

  • OAuth session and app settings: contract performance (necessary to provide the service)
  • Shipping address: legitimate interest (necessary for PO Box detection as configured by the merchant)

Data subject rights under the GDPR:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure — uninstalling the App triggers automatic deletion
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing based on legitimate interest
  • Right to lodge a complaint with your local data protection authority

To exercise these rights, contact commerce-support@agoraxa.com.

12. CCPA/CPRA Compliance (California)

For California residents: we do not collect personal information beyond OAuth sessions for app operation. We do not sell or share personal information as defined by the CCPA/CPRA, and have not done so in the preceding 12 months.

  • Right to know what personal information we collect
  • Right to deletion — uninstalling the App automatically deletes all data
  • Right to opt out of the sale of personal information (we do not sell any)

To submit a request, contact commerce-support@agoraxa.com.

13. GDPR Compliance Webhooks

The App implements all mandatory Shopify compliance webhooks, authenticated via HMAC-SHA256:

  • customers/data_request → No customer data stored — returns acknowledgment
  • customers/redact → No customer data to delete — returns acknowledgment
  • shop/redact → Deletes all session data for the shop

14. Children's Privacy

The App does not knowingly collect personal information from children under 13 years of age (or under 16 in the EEA). Since the App does not collect or store any customer personal information, no special provisions for children's data are required.

15. Your Rights

As a merchant, you can uninstall the App at any time (triggering automatic data deletion), request information about what data we hold, or modify settings through the Shopify Admin. As a customer, your shipping address is only processed in real-time during checkout and is never stored — if you believe your address was incorrectly blocked, please contact the merchant directly.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. This policy is reviewed at least once every 12 months.

17. Contact

If you have questions about this Privacy Policy or our data practices, please contact us at commerce-support@agoraxa.com.