Privacy Policy
Resale Proof helps Shopify merchants collect, verify, and apply resale sales-tax exemption certificates. Operating the app requires processing personal information about merchants, their customers, and the certificate data they upload. This policy explains what we collect, why, and how you can exercise your rights over it.
1. Who we are
Resale Proof is an independent Shopify app. For the purposes of GDPR / UK GDPR and similar frameworks, Resale Proof acts as a data processor for the merchant (who is the data controller for their customers’ information). Contact: legal@resaleproof.com.
2. What we collect
Merchant data (you, the store owner)
- Shopify shop domain and store name.
- Shop settings you configure through the onboarding wizard: sender name, reply-to email, logo URL, nexus-state list, cert-type preferences, and branding primary color.
- Audit events (who approved or rejected which certificate, and when) so we can produce the audit-ready export bundle.
Customer data (your buyers)
- Shopify customer global ID (GID).
- Email address (supplied by the customer in the portal).
- Resale certificate documents. These PDFs often contain personally identifying business information such as legal business name, address, signature, and federal or state tax identifiers (FEIN / EIN / state permit numbers). Handle with care — we never log the contents of these files.
- Certificate metadata (state, cert type, cert number, expiration date, submission source, approval status).
- IP address and user agent at the moment a certificate is submitted — stored as legal-audit evidence of the signature transaction. Not used for tracking, advertising, or profiling.
Operational data
- Short-lived rate-limit records (bucket key + timestamp) used to throttle abusive traffic. Retained 30 minutes, then purged.
- Email delivery logs (message ID, status, send timestamp) produced when we send transactional mail on your behalf.
- Error telemetry captured by Sentry: stack traces, route names, and correlation IDs. We explicitly disable Sentry’s default PII capture.
Cookies and analytics
This marketing site (resaleproof.com) does not set tracking cookies and does not use third-party analytics — no Google Analytics, no Plausible, no Vercel Analytics, no behavioral fingerprinting. Routine page-load metadata is captured by our static-hosting provider for traffic and security purposes, but is not joined back to any individual visitor.
The Resale Proof Shopify app, when running inside the Shopify admin, uses only the cookies required by Shopify’s embedded-admin authentication (session tokens issued by Shopify itself). We don’t add cookies of our own.
3. Why we collect it
- Provide the service. Storing certificates, matching them to Shopify customers, and applying the appropriate tax exemption at checkout is the core of what the app does.
- Transactional communication. Confirmation, renewal reminders, rejection notices, verification codes, and merchant activity digests.
- Audit defense. Merchants use the stored data to prove to state auditors that tax exemption was properly claimed. Retention windows reflect typical state audit lookback.
- Security + reliability. Rate limits and error telemetry protect merchant data against abuse and outages.
4. Third-party sub-processors
We transfer data to a small, audited set of vendors strictly for the purposes above:
- Shopify, Inc. — source of merchant + customer identities, target of tax-exemption mutations and file storage. We use Shopify Files to hold certificate PDFs (encrypted at rest by Shopify).
- Supabase, Inc. — Postgres database hosting certificate metadata, audit log, email log, and operational tables.
- Postmark (Wildbit LLC) — transactional email delivery. Postmark receives the recipient address and email body; we never ship cert-PDF contents through Postmark.
- Fly.io, Inc. — application hosting (compute + private network). No customer PII is logged to standard output.
- Functional Software, Inc. (Sentry) — error telemetry with PII capture disabled.
- Anthropic, PBC — AI-powered cert OCR pre-fill (Pro tier only). When a Pro-plan customer uploads a cert PDF in the portal, the PDF bytes are sent to Claude Haiku 4.5 to extract state, cert type, permit number, and expiration date so the customer reviews + corrects + signs rather than typing from scratch. Anthropic does not train on API data. Free-tier merchants do not exercise this path.
- Intuit, Inc. (QuickBooks Online) — Optional Pro-tier sync. When a merchant connects QuickBooks Online, customer name + email + Shopify customer GID are sent to Intuit so the matching QuickBooks customer record is flipped to tax-exempt on cert approval (and back when the cert expires). Only merchants who explicitly connect QuickBooks Online trigger this path.
We do not sell, rent, or share data with advertisers, data brokers, or analytics vendors beyond the list above.
5. How long we keep it
- Active certificates: retained for as long as the merchant’s shop is installed.
- Expired certificates: retained for up to 7 years past expiration (longest US state audit lookback).
- Shop uninstall: immediate soft-delete; hard-delete (with all child records) 30 days later. The window allows accidental-uninstall recovery.
- Customer redact request (via the Shopify customers/redact webhook): all of the customer’s certificate records, audit rows, email-log rows, and Shopify Files PDFs are deleted on receipt.
- Verification codes: 15-minute TTL.
- Rate-limit logs: 30 minutes.
6. Security measures
- TLS for all data in transit.
- Supabase encryption at rest. Shopify Files are encrypted at rest by Shopify.
- Server-side HMAC verification on all Shopify webhooks; duplicate deliveries detected via X-Shopify-Event-Id.
- Customer Account UI calls authenticated with short-lived HS256 session tokens; submit requires an additional verified-email claim.
- IP-keyed rate limiting on all public endpoints.
- Service-role database credentials rotated out of source control and stored in hosting-provider secret storage.
7. Your rights
Depending on your jurisdiction (GDPR / UK GDPR, CCPA / CPRA, Colorado Privacy Act, Virginia CDPA, etc.) you may have the right to:
- Access the personal data we hold about you.
- Receive a machine-readable copy (data portability).
- Correct inaccurate data.
- Request deletion (“right to erasure”).
- Object to, or restrict, certain processing activities.
- Lodge a complaint with your local supervisory authority.
To exercise any of these, contact the merchant whose store you purchased from — they are the primary data controller. If your request is urgent, or if the merchant hasn’t responded within a reasonable window, you may contact us directly at legal@resaleproof.com. Merchants can also reach us at the same address to request a data export or deletion on behalf of a customer.
8. International transfers
Resale Proof is operated from the United States. Data may be processed in the US and in vendor regions used by Shopify, Supabase, Postmark, Fly.io, and Sentry. Where applicable we rely on Standard Contractual Clauses and our vendors’ own transfer mechanisms.
9. Children
The service is not directed at, nor intended for, individuals under 16. We do not knowingly collect data from children.
10. Changes to this policy
We’ll update this page if our practices change; the “Updated” date at the top reflects the current revision. Material changes will also be communicated in-app (admin dashboard banner) or via email to the merchant contact on file.
11. Contact
Questions, data-subject requests, or security disclosures: legal@resaleproof.com.