Privacy Policy

This Privacy Policy explains how ShipUp.app (“ShipUp”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards personal data when you use our multi-store e-commerce management platform and related services (the “Service”). The Service helps merchants manage orders, fulfillment, courier tracking, cash-on-delivery (COD) reconciliation, accounting, and analytics across their connected Shopify and WooCommerce stores.

By creating an account, connecting a store, or otherwise using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with it, please do not use the Service.

1. Our role: controller and processor

ShipUp plays two distinct roles depending on the data involved:

• As a data controller — for the account and billing information of the merchants and team members who sign up to use the Service. We decide how and why this data is processed.
• As a data processor (or service provider)— for the store data we ingest on a merchant’s behalf, including their end-customers’ personal data (such as order, contact, and delivery details). Here the merchant is the controller, and we process this data only to provide the Service under our agreement with that merchant.

If you are an end customer of a store that uses ShipUp and wish to exercise your privacy rights, please contact the merchant you purchased from; they are the controller of your data. We will assist them in responding to your request.

2. Information we collect

Account and team data. When you register, we collect your name, email address, password (stored only as a secure hash via our authentication provider), business name, phone number, and role within your organization.

Store and order data synced from your platforms. When you connect a Shopify or WooCommerce store, we receive and store data needed to operate the Service, including orders, order line items, products, inventory levels, fulfillment and tracking details, and store configuration.

End-customer personal data.As part of order and customer records, we process personal data belonging to your store’s customers, such as their name, email address, phone number, shipping and billing address, city, order history, and order value. We process this data solely to provide order-management, delivery, COD-reconciliation, and customer-support features on the merchant’s behalf.

Communications data. If you use our messaging features, we process the content and delivery status of SMS and WhatsApp messages sent to customers, along with opt-out preferences.

Payment and billing data. Subscription billing is handled by our third-party payment processor. We do not store full card numbers; we retain limited billing metadata such as plan, invoice history, and the last four digits of a payment method.

Technical and usage data. We automatically collect log data such as IP address, browser and device type, pages viewed, actions taken in the app, and timestamps, which we use for security, debugging, and improving the Service.

3. How we collect information

• Directly from you when you create an account or configure the Service.
• From your connected platforms via authorized OAuth connections (for example, Shopify’s Admin API) using the access scopes you grant.
• Through real-time webhooks sent by Shopify and WooCommerce when events occur in your store (such as a new or updated order).
• From courier and logistics partners’ APIs when we poll shipment status on your behalf.
• Automatically, through your use of the Service.

4. How we use information

• To provide, operate, and maintain the Service.
• To sync, sort, and route orders through the order-management pipeline.
• To generate pick lists, consignment notes, and fulfillment and rider-handover workflows.
• To track shipments and reconcile COD settlements with courier partners.
• To produce accounting records, analytics, and reports for the merchant.
• To send transactional and customer-service communications on the merchant’s behalf, where enabled.
• To authenticate users, secure the Service, prevent fraud, and enforce our terms.
• To comply with legal obligations.

5. Legal bases for processing

Where the EU/UK General Data Protection Regulation (GDPR) or similar laws apply, we rely on the following legal bases: performance of a contract (to deliver the Service you or the merchant requested); legitimate interests (to secure, support, and improve the Service, balanced against your rights); consent (where required, for example for certain communications); and compliance with legal obligations.

6. How we share information

We do not sell personal data. We share data only as needed to run the Service, with the categories of recipients below (“sub-processors”):

• Cloud hosting and database providers — to host the application and store data securely.
• E-commerce platforms — Shopify and WooCommerce, which we connect to on your behalf.
• Courier and logistics partners— such as PostEx, Trax, TCS, Leopards, and M&P, to book shipments, track parcels, and reconcile COD.
• Messaging providers — to deliver SMS and WhatsApp messages you choose to send.
• Payment processor — to handle subscription billing.
• Professional advisers and authorities — where required by law, legal process, or to protect rights, safety, and security.
• In a business transfer — if we are involved in a merger, acquisition, or sale of assets, subject to this Policy.

We require our sub-processors to protect personal data and to use it only for the purposes for which it was shared.

7. International data transfers

We are based in Pakistan and may process data there and in other countries where we or our sub-processors operate. Where personal data is transferred across borders, we take steps to ensure it remains protected in line with applicable law, including using appropriate safeguards such as standard contractual clauses where required.

8. Data retention

We retain personal data for as long as it is needed to provide the Service to the merchant, and as required to comply with our legal, accounting, and reporting obligations. When a merchant disconnects a store or closes their account, we delete or anonymize the associated store and customer data within a reasonable period, except where longer retention is required by law. We also honor the deletion requests described in Section 10.

9. How we protect information

We implement technical and organizational measures appropriate to the risk, including encryption of sensitive credentials at rest (Shopify access tokens and courier API credentials are encrypted using AES-256-GCM), encryption in transit over HTTPS, role-based access controls, tenant isolation so each merchant’s data is segregated, and verification of the authenticity of incoming webhooks. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

10. Shopify data protection and deletion requests

In accordance with Shopify’s requirements, we support the mandatory privacy webhooks. When Shopify or a merchant submits a request, we act as follows:

• Customer data request— we acknowledge requests for the data we hold about a store’s customer and assist the merchant in fulfilling them.
• Customer redaction— we delete the customer’s record and erase the personal data associated with their orders from our systems.
• Shop redaction — approximately 48 hours after a merchant uninstalls the app, we delete the data we hold for that store.

11. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal data; to object to or restrict certain processing; and to withdraw consent. To exercise these rights with respect to your ShipUp account, contact us at livestorepilot@gmail.com. If your data was provided to ShipUp by a merchant (i.e., you are a store’s customer), please direct your request to that merchant, and we will support them in responding.

12. Cookies and similar technologies

We use strictly necessary cookies and similar technologies to keep you signed in, remember your preferences (such as theme), and keep the Service secure. We do not use these technologies to sell your personal data.

13. Children’s privacy

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us so we can delete it.

14. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will revise the “Effective date” above and, where appropriate, notify you through the Service. Your continued use of the Service after an update constitutes acceptance of the revised Policy.

15. Contact us

If you have questions about this Policy or our privacy practices, contact us at livestorepilot@gmail.com.