Privacy Policy
Last updated: 2026-05-20
Anchor Subscriptions ("Anchor", "we", "us") is a Shopify app that enables merchants to manage subscription contracts. This policy explains what customer data we access, how we use it, and how we protect it.
1. Data controller and contact
Anchor Subscriptions acts as a data processor on behalf of the Shopify merchant who installs the app. The merchant is the data controller for their customers' data. For privacy-related requests, contact privacy@anchor-subscriptions.com.
2. Data we access
With merchant consent (granted at app install via Shopify scopes), Anchor accesses the following customer data through the Shopify Admin API:
- Customer name — to display the subscriber in the merchant admin and in dunning emails.
- Customer email address — to send transactional dunning notifications when a recurring payment fails.
- Customer shipping address — to populate the shipping address on orders generated by subscription contracts.
- Subscription contract metadata (status, next billing date, line items, billing attempts) — to mirror Shopify's state and render the merchant admin views.
We do not access or request customer phone numbers, browsing IP addresses, or payment card details (Shopify handles all payment processing).
3. How we store data
Anchor follows a strict data minimization principle. We persist only Shopify resource identifiers (customer GID, contract GID, order GID) and the outcomes of subscription events (success / failure / status changes). We do not store customer names, emails, addresses, or payment data in our database.
When customer information is needed (to render an admin page or compose an email), we fetch it on-demand from the Shopify API, use it during the single request, and discard it afterward. The information transits through our servers in memory only and is never written to logs or third-party analytics.
4. Data retention
Subscription contract metadata is retained for the lifetime of the merchant's installation of Anchor. Upon uninstall, all merchant data is purged within 48 hours, except where law requires extended retention (e.g., dispute resolution).
5. Sub-processors
We use the following sub-processors to operate the service. All are SOC 2 Type II certified.
- Vercel Inc. — hosting and serverless function execution. DPA
- Supabase Inc. — PostgreSQL managed database (stores only subscription metadata). DPA
- Functional Software, Inc. (Sentry) — error monitoring, configured to never capture customer PII. DPA
- Resend, Inc. — transactional email delivery for dunning notifications. DPA
- Cloudflare, Inc. — CDN and DDoS protection (transitive via Vercel). DPA
6. Security
All connections use TLS 1.3. Secrets are stored encrypted in our hosting platform's environment variable store and never committed to source control. Database connections use pgBouncer transaction pooling over TLS. Source code is in a private repository. Sentry error capture is configured with sendDefaultPii: false and a filter that strips PII from all events.
7. Customer rights (GDPR, CCPA)
Customers can exercise the following rights by contacting the merchant who installed Anchor (the data controller). The merchant can relay the request to us via Shopify's standard compliance webhooks:
- Right of access — request a copy of stored data. Anchor responds within 30 days via customers/data_request webhook.
- Right to erasure — request deletion of stored data. Anchor purges within 10 days via customers/redact webhook.
- Right to portability — receive data in a machine-readable format. Available via the data_request endpoint.
Because Anchor only stores Shopify resource identifiers (no PII), most erasure requests result in nullifying our internal reference to the customer; the actual customer record remains with Shopify.
8. Shop data deletion
When a merchant uninstalls Anchor, Shopify sends a shop/redact webhook 48 hours later. Upon receipt, we delete all data associated with that shop (subscription contracts, billing history, webhook event logs) from our database. Sentry error events related to the shop are retained for 90 days as per Sentry's default retention, then deleted.
9. Cookies
Anchor does not set tracking cookies. Authentication uses Shopify session tokens (JWTs) passed via the App Bridge.
10. Changes to this policy
We may update this policy. Material changes will be announced via email to installed merchants. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For any privacy question or to exercise your rights: privacy@anchor-subscriptions.com.