Zoomifi - Smart Delivery Dates

Zoomifi - Smart Delivery Dates Privacy Policy

Last updated: May 3, 2026

Zoomifi - Smart Delivery Dates (“the App”) is provided by Zoomifi to merchants who use Shopify to power their stores. The App computes statistically accurate delivery promise dates from the merchant's own historical fulfillment data and, when those promises are beaten, sends the customer an "arriving early" notification. This Privacy Policy explains exactly what data we access, how long we keep it, how we protect it, and what happens when a merchant uninstalls.

1. Information we access

From the merchant's Shopify store

Once a merchant installs the App, we access the following data via Shopify's Admin API and via webhook subscriptions:

| Field | Source | Used for |
| --- | --- | --- |
| Order ID, order created-at timestamp, shipping country code | orders/create webhook | Logging the delivery promise we made at PDP, and as the cohort axis for delivery-time statistics (delivery times vary by destination country) |
| Fulfillment ID, fulfillment created-at, tracking carrier name, shipment status, tracking URL | fulfillments/update webhook | Computing the actual cutoff-to-delivery interval that drives the statistical EDD model, and the CTA link in the early-delivery email |
| Customer email address | Order payload (lazy-fetched only when the early-delivery email is about to be sent) | Recipient address on the early-delivery email. Never persisted in our database. |
| Product handles, IDs, and titles | Admin API | Resource picker — letting the merchant choose which products show the cutoff banner |
| Active theme metadata | Admin API | Detecting whether the merchant has activated our theme app extension |

We do not access or store: customer name, billing address, shipping address (beyond the two-letter country code), payment information, cart line items, SKUs, prices, quantities, phone numbers, customer ID, note attributes, custom fields, tags, discount codes, IP address, browser fingerprint, or geolocation.

From the merchant directly

When a merchant signs up, we receive their store name, email address, and any configuration values they enter in the App's admin (cutoff times, banner copy, email template). This is standard merchant-account information.

2. Data retention

Order and fulfillment data is retained for a maximum of 180 days, then automatically purged. The retention cap is enforced by a daily scheduled command (qo:purge-old-orders) that runs at 03:30 UTC on the production server and deletes any rows in edd_promises or fulfillment_observations older than the cap. Merchants can configure a shorter retention window from the App admin; they cannot extend it beyond 180 days.

Customer email addresses are never persisted. They are fetched from Shopify only at the moment an early-delivery email is being dispatched, used to send the message, and discarded immediately. There is no customer-email table in the App's database.

Aggregate statistics derived from the data (e.g. the per-cohort 95th-percentile delivery interval) contain no personally identifiable information and are retained for the lifetime of the App installation.

3. How we protect data

4. What happens when a merchant uninstalls

When a merchant uninstalls the App, all data associated with their store is deleted within seconds:

  1. The app/uninstalled webhook fires immediately. Our handler deletes the store row, all delivery-promise records, all fulfillment observations, and the cached access token in a single database transaction.
  2. Shopify's shop/redact webhook fires 48 hours later as a safety net. Our handler performs an idempotent re-purge — a no-op if step 1 succeeded, a backstop if it didn't.
  3. The customers/redact webhook (fired 10 days after a merchant deletes a specific customer) purges any delivery-promise rows matching that customer's order IDs.
  4. The customers/data_request webhook returns a JSON manifest of any data we hold for the requested customer's orders — typically empty if older than the retention cap.

5. Sharing of data

We do not sell, rent, or share merchant or customer data with third parties for advertising or marketing purposes. The only third parties that touch the data are infrastructure providers necessary to operate the service:

We may also disclose information when required to do so by law, subpoena, court order, or other legal process, or to protect our legal rights.

6. Your rights

If you are a resident of the European Economic Area, the United Kingdom, California, or another jurisdiction with data-protection rights, you have the right to request access to, correction of, or deletion of personal data we hold about you. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Data may be stored or processed outside your country of residence, including in the United States and Canada.

7. Changes to this policy

We may update this policy from time to time to reflect changes to our practices or to legal or regulatory requirements. The "Last updated" date at the top of the page reflects the most recent revision.

8. Contact

For any privacy-related question or request, contact us at [email protected].