Privacy Policy

Last updated: June 4, 2026

1. Who we are

TrueTag ("we", "our", "the app") is a Shopify app that assigns a unique serial number and QR code to each unit a merchant sells, and gives that merchant's customers a public page to verify a product is genuine and check its warranty status. This policy explains what we collect, why, and how it is handled.

2. What we collect from merchants

When you install TrueTag on your Shopify store we receive and store:

  • Your shop domain (e.g. your-store.myshopify.com)
  • An offline Shopify access token granting the scopes you approved, encrypted at rest using AES-256-GCM before it is written to the database
  • Your plan and billing state with us
  • Your app configuration — branding, warranty templates, and which products are serialized (no personal data)

3. What we collect from your customers

TrueTag's only personal data about your customers is the information a customer chooses to submit themselves:

  • Warranty registration: the email address and optional name a customer voluntarily enters on the public verify page to register a warranty. This is shown only to you, the merchant.
  • Verification-scan logs: when someone scans a QR code, we record the scan result and a one-way hashed form of the IP address and browser user-agent for fraud and anomaly detection. We do not store the raw IP address or user-agent, and these hashes are not linked to a customer identity.

We do not pull customer names, email addresses, phone numbers, or shipping addresses from your orders. When Shopify notifies us that an order was fulfilled, the order data we read is limited to line-item, product, variant, and order-id information used to generate serial numbers — the optional customer fields are redacted and never reach us. We never display buyer personal data on the public verify page.

4. How we use this data

  • Generate and store a unique serial number and QR code for each unit you sell.
  • Power the public verify page so a customer can confirm authenticity and warranty status, and register a warranty.
  • Send warranty-related email (e.g. registration confirmation) to a customer who has submitted their address, via our email provider. Every such email includes an unsubscribe link; opting out records a preference tied to the customer's email address and that merchant's store, so future warranty emails from that store are suppressed.
  • Detect suspicious scan patterns (using the hashed scan logs) so you can spot possible counterfeiting.
  • Enforce plan limits and bill you correctly.

TrueTag does not use any artificial-intelligence service, and we do not sell, rent, or share customer data with third parties for marketing or any other purpose.

5. Where data is stored

All data is stored in a Supabase (PostgreSQL) database hosted in the United States. Shopify access tokens are encrypted at rest using AES-256-GCM before being written to the database. The application is hosted on Vercel.

6. Sub-processors

We rely on the following service providers to operate the app. Each is bound by its own privacy and security commitments:

  • Shopify — source of merchant and order data.
  • Supabase — database hosting (United States).
  • Vercel — application hosting.
  • Resend — transactional email delivery.

7. Retention & deletion

We retain a shop's data for as long as the app is installed, so serial records and warranty status stay accurate. Deletion is driven by Shopify's mandatory privacy webhooks:

  • On uninstall, the store record is flagged uninstalled and no further email is sent. Roughly 48 hours later Shopify dispatches a shop/redact webhook and we delete the store record and, by database cascade, all associated units, warranties, customer warranty registrations, verification-scan logs, and email opt-outs.
  • On a customers/redact webhook, we delete that customer's warranty registration(s) and email opt-out within the store.
  • On a customers/data_request webhook, the merchant is responsible for fulfilling the data export. The data we hold about a customer is limited to their submitted warranty registration (email and optional name), the associated warranty record, and hashed scan logs.

8. Your rights

Customers in jurisdictions covered by the GDPR, CCPA, or similar laws may request access to or deletion of their data. Requests should be made to the merchant of the store on which the data was collected; merchants can contact us at truetag.support@gmail.com for assistance.

9. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated to installed merchants and reflected in the "last updated" date above.

10. Contact

Questions or concerns? Reach us at truetag.support@gmail.com.