Privacy Policy

Last Updated: February 13, 2026 · Effective Date: February 13, 2026

Declared ("we," "us," or "our") operates as a Shopify application that corrects customs declared values on ShipStation international orders. This Privacy Policy explains how we collect, use, store, and protect your information when you install and use the Declared app (the "Service").

1. Information We Collect

1.1 Shopify Store Data

When you install Declared, we access the following data from your Shopify store through the Shopify Admin API (GraphQL):

• Order data: Order numbers, order dates, fulfillment status, shipping addresses (country, province, postal code), and discount information
• Line item data: Product names, SKU numbers, quantities, original prices, discounted prices (via discountedUnitPriceAfterAllDiscountsSet), and HS tariff codes
• Shop information: Store name, domain, currency, and plan level (used for billing and app configuration)

We request only the minimum API scopes necessary to operate: read_orders and read_products.

1.2 ShipStation API Credentials

To connect to your ShipStation account, we collect your ShipStation API Key and API Secret. These credentials are encrypted at rest using AWS Key Management Service (KMS) with AES-256 envelope encryption. We never store these credentials in plaintext.

1.3 App Usage Data

We collect operational data about how the Service processes your orders, including processing timestamps, success/failure statuses, duty savings calculations, and error logs. This data is used to provide the dashboard analytics and to diagnose issues.

1.4 Information We Do NOT Collect

• We do not collect customer personal information beyond shipping country/region (needed for customs determination)
• We do not collect payment or credit card information (billing is handled entirely by Shopify)
• We do not store customer email addresses, phone numbers, or other contact details. Shopify webhook payloads may contain this data transiently, but we only read the shipping country code and discard the rest.
• We do not track your customers or use cookies on your storefront

2. How We Use Your Information

We use the data we collect solely for the following purposes:

• Customs value correction: Calculating accurate post-discount declared values for international orders and pushing corrected customs information to ShipStation
• Order processing: Matching Shopify orders to ShipStation orders via order numbers and SKU mapping
• Dashboard and analytics: Displaying processing history, duty savings, and operational metrics within the embedded Shopify admin app
• Notifications: Sending email alerts about processing results, errors, or orders requiring manual review (if you have enabled notifications)
• Service improvement: Diagnosing errors, monitoring system health, and improving the reliability of the Service

We do not sell, rent, or share your data with third parties for marketing or advertising purposes.

3. Third-Party Services

3.1 ShipStation

We transmit corrected customs information to ShipStation via their API on your behalf. The data sent includes order numbers, SKU identifiers, corrected customs declared values, HS tariff codes, country of origin, and item descriptions. This transmission is initiated solely to correct customs values as the core function of the Service. Your use of ShipStation is governed by ShipStation's own privacy policy and terms of service.

3.2 Shopify

The Service operates as an embedded Shopify app. Shopify processes your app subscription billing. Your relationship with Shopify is governed by Shopify's privacy policy and terms of service.

3.3 Amazon Web Services (AWS)

We use AWS to host and operate the Service. Data is stored in AWS regions within the United States. AWS services we use include:

• RDS (PostgreSQL): Encrypted database storage for order processing records
• KMS: Encryption key management for ShipStation credentials
• SQS: Message queuing for order processing (messages are transient and deleted after processing)
• SES: Transactional email delivery for notifications
• CloudWatch: Operational logging and monitoring

AWS acts as our data processor and is bound by the AWS Data Processing Addendum.

4. Data Retention

• Order processing records: Retained for a configurable period set by you in your app settings. The default retention period is 90 days. You may adjust this to a shorter or longer period based on your business needs.
• ShipStation API credentials: Retained for as long as your app installation is active. Credentials are permanently deleted upon app uninstallation.
• Audit logs: Retained for 1 year for security and compliance purposes.
• Aggregated analytics data: Retained for the lifetime of your account (no personally identifiable information).

When you uninstall the app, we delete all your data within 48 hours, including encrypted credentials, order records, and settings. Aggregated, anonymized statistics that cannot be linked back to your store may be retained.

5. Data Security

We implement the following security measures to protect your data:

• Encryption at rest: ShipStation API credentials are encrypted using AWS KMS with AES-256 envelope encryption. Database storage is encrypted using AWS RDS encryption.
• Encryption in transit: All data transmissions use TLS 1.2 or higher.
• Access control: Application access is authenticated through Shopify's OAuth flow. Administrative access to infrastructure is restricted and audited.
• Webhook verification: All incoming Shopify webhooks are verified using HMAC-SHA256 signatures.
• Audit logging: All sensitive operations (credential changes, settings modifications, order processing actions) are logged with timestamps and actor identification.
• No plaintext credential storage: ShipStation credentials are never written to logs, error messages, or any unencrypted storage.

6. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request that we correct inaccurate data.
• Right to erasure: You may request that we delete your data. Uninstalling the app triggers automatic data deletion.
• Right to restrict processing: You may request that we limit how we process your data.
• Right to data portability: You may request your data in a structured, machine-readable format.
• Right to object: You may object to our processing of your data.

We have implemented Shopify's mandatory GDPR webhooks:

• Customer data request (customers/data_request): We respond with any order-related data associated with the requesting customer.
• Customer data erasure (customers/redact): We delete all data associated with the specified customer.
• Shop data erasure (shop/redact): We delete all data associated with your shop within 48 hours of uninstallation.

To exercise any of these rights, contact us at privacy@declaredapp.com.

7. Your Rights Under CCPA

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to know: You may request disclosure of the categories and specific pieces of personal information we collect.
• Right to delete: You may request deletion of your personal information.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
• Right to opt out of sale: We do not sell personal information to third parties.

To exercise any of these rights, contact us at privacy@declaredapp.com.

8. International Data Transfers

Data is processed and stored in AWS data centers located in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. We rely on AWS's compliance with applicable data transfer mechanisms, including Standard Contractual Clauses (SCCs) where required.

9. Children's Privacy

The Service is designed for business use by Shopify merchants. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice within the app dashboard or by email. Your continued use of the Service after changes take effect constitutes your acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

• Email: privacy@declaredapp.com
• Website: https://declaredapp.com
• Mailing Address: [Address to be added]

For data protection inquiries in the EU, you may also contact your local data protection authority.