Privacy Policy

COD Affiliates ("the app", "we", "us") is a Shopify-embedded application that helps Shopify merchants manage affiliate marketing programs and track affiliate attribution across orders.

The app is developed and operated by Facundo Alvarez, registered in Argentina, contactable at support@codaffiliates.com.

For your customers' data: we act as a Data Processor. The Shopify merchant installing our app is the Data Controller. We only process data the merchant has authorized via Shopify's OAuth scopes.

For affiliate data: we act as a Data Controller when merchants add affiliates with email/username/password to the app. The merchant invites the affiliate; we store the affiliate's account to allow them to log into the external portal at portal.codaffiliates.com.

3.1 From the Shopify merchant (your shop)

• Shop identifiers: shop domain, timezone, default currency, install status.
• Order metadata (read via Shopify Admin API): order number, processed date, payment method, financial status (paid / pending / refunded / cancelled), subtotal, totals, discount codes used in the order, line items (SKU, title, quantity, price).
• Custom cart attribute ref: a string the merchant's affiliate tracking script captures from ?ref= URL parameters when a visitor lands on the store.

We do not ingest customer personal data such as customer name, email, phone, or shipping address. The Shopify Admin API would expose this under read_customersscope, which we do not request.

3.2 From affiliates (people the merchant invites)

• Display name (required).
• Email address (optional).
• Login username and password hash (only if the merchant creates portal credentials). Passwords are hashed using scrypt with a per-user salt — we never store plain passwords.
• Social handles (optional): Instagram, TikTok, YouTube usernames, only if the merchant enters them.
• Session tokens: opaque random tokens stored in HTTP-only cookies (Path=/portal, SameSite=Lax) when affiliates log in, expiring after 30 days of inactivity.

3.3 From the affiliate portal session

• IP address and User-Agent string at the time of login (security audit trail).
• Last login timestamp.

3.4 Automatic / technical

• Standard server logs from our hosting provider (request timestamp, request path, response status, client IP). Retained for up to 30 days for debugging and abuse prevention.

• To match incoming orders against active affiliate methods (REF_URL, discount code, duplicate product) and compute commissions.
• To show merchants their affiliate analytics (orders attributed, commissions owed, quality scores).
• To allow affiliates to log into the external portal and see their own commission data.
• To debug technical issues and prevent abuse.

We do not use any of this data for advertising, profiling outside the affiliate program, or training machine learning models.

All application data (PostgreSQL database) is hosted on Fly.io infrastructure in the São Paulo (gru) region, Brazil. Backups are managed by Fly.io.

The application server runs on Fly.io machines in the same region. Communication between the merchant's Shopify admin and our app is encrypted via HTTPS (TLS 1.2+).

We use the following third parties to operate the service:

• Fly.io (USA-based, infrastructure operated globally) — application hosting and PostgreSQL database. Fly Privacy Policy →
• Shopify — source of merchant and order data, processed under Shopify's data processing agreement with the merchant.
• Cloudflare — DNS only (no proxy / no data transit through Cloudflare beyond DNS resolution).

We will notify merchants of any new subprocessors via this page at least 30 days before they begin processing data.

• While the app is installed: all data is retained to keep the affiliate program functioning.
• When you uninstall the app: Shopify sends us a shop/redact webhook 48 hours after uninstall. We delete all data associated with your shop (orders, affiliates, commissions, sessions) within 30 days of receiving this webhook.
• Customer data requests: when Shopify sends us a customers/redactwebhook, we anonymize any references to that customer in order metadata within 30 days. In practice, we hold very little customer-identifying data — see section 3.1.
• Server logs: 30 days maximum.

If you're a data subject (an affiliate or merchant), under GDPR (EU), CCPA (California), LGPD (Brazil), or any applicable jurisdiction, you have the right to:

• Access a copy of the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your data ("right to be forgotten").
• Restrict processing of your data.
• Object to processing.
• Port your data to another service.
• Withdraw consent at any time (where processing is based on consent).

To exercise any of these rights, email support@codaffiliates.com from the email address associated with your account, or have the merchant submit the request on your behalf. We respond within 30 days.

We implement the three GDPR webhooks Shopify requires of every App Store app:

• customers/data_request: when a customer requests their data from a merchant using our app, we respond confirming what (if any) data we hold about that customer.
• customers/redact: when a customer requests deletion, we remove their data from our systems within 30 days.
• shop/redact: 48 hours after a shop uninstalls the app, we delete all data we hold for that shop within 30 days.

We apply industry-standard security practices, including:

• HTTPS / TLS 1.2+ for all data in transit.
• Encrypted PostgreSQL at rest (managed by Fly.io).
• Passwords hashed with scrypt (memory-hard, per-user salt).
• HTTP-only cookies for session tokens, with SameSite=Lax and Secure flags.
• Shopify OAuth access tokens stored encrypted and only used to query data the merchant has explicitly granted access to.
• No third-party trackers, ad pixels, or analytics scripts on the app surface.

If we detect a data breach affecting your data, we will notify you and the relevant regulatory authorities within 72 hours, as required by GDPR / LGPD.

Our infrastructure is in Brazil. If you are an EU / UK resident, data transfer to Brazil is permitted under the European Commission's adequacy decision for Brazil (LGPD) where applicable, and otherwise under Standard Contractual Clauses (SCCs).

The app is not intended for use by anyone under 16. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact us and we will delete it.

We may update this policy as the product evolves. Material changes will be announced on this page with at least 30 days' notice before they take effect. The "Last updated" date at the top reflects the most recent revision.

Privacy questions, data requests, or anything else: support@codaffiliates.com.