Privacy Policy
Last updated: February 23, 2026
Tax Exempt Manager ("we", "our", or "the App") is committed to protecting the privacy of merchants and their customers. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
1. Data We Collect
We collect and store the following data when merchants and their customers use the App:
- Merchant data: Shopify store domain, store name, contact email, notification preferences, and billing plan information.
- Customer data: Name, email address, phone number, business name, Tax ID/EIN (encrypted at rest), and certificate details submitted through the tax exemption portal.
- Certificate documents: Uploaded files (PDF, PNG, JPG) containing tax exemption certificate images or scans.
- Extracted data: Information extracted from uploaded certificates using AI analysis, including business names, certificate numbers, dates, and state coverage.
2. How We Use Data
We use collected data solely for the following purposes:
- Processing and managing tax exemption certificate submissions.
- Synchronizing tax-exempt status with the merchant's Shopify customer records.
- Sending email notifications about certificate status (submission received, approved, rejected, expiring, or revoked).
- AI-powered certificate data extraction to assist merchants in reviewing submissions.
- Enforcing plan limits and managing billing through Shopify's Billing API.
3. Data Sharing
We do not sell, rent, or trade customer data to any third parties. Data is shared only in the following limited circumstances:
- With the merchant: Customer certificate data is accessible to the merchant who installed the App on their Shopify store.
- AI processing: Certificate document content may be processed by AI services (hosted on our own infrastructure or via secure third-party APIs) for data extraction purposes. No customer data is retained by these AI services beyond the processing request.
- Email delivery: Email notifications are sent through a third-party SMTP provider (Brevo). Only the minimum data required for email delivery is shared.
4. Data Retention
Certificate data and customer records are retained for as long as the merchant's Shopify store has the App installed. Upon app uninstallation, data is retained for 48 hours to allow for reinstallation, after which it is permanently deleted in response to Shopify's shop/redact webhook.
5. Data Security
We implement the following security measures to protect your data:
- All data in transit is encrypted using TLS/SSL.
- Database access is restricted and authenticated.
- Uploaded files are stored in a secured directory with restricted access.
- Session tokens are used for authentication — no third-party cookies required.
- Access scopes are limited to the minimum required (customer read/write only).
6. Your Rights (GDPR & CCPA)
If you are a customer whose data is stored by the App, you have the following rights:
- Right to access: You can request a copy of all personal data we store about you. Contact the merchant who operates the store, and they will initiate a data request through Shopify.
- Right to deletion: You can request that your personal data be deleted. Contact the merchant, and they will initiate a deletion request through Shopify. We process all deletion requests within 30 days.
- Right to portability: You can request your data in a machine-readable format (JSON).
7. Cookies
The App does not use cookies or local storage to track customers. The App operates entirely through Shopify's session token authentication for merchant access.
8. Children's Privacy
The App is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated "Last updated" date. We encourage you to review this policy periodically.
10. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
Email: [email protected]