Legal

Privacy Policy

Effective date: March 1, 2026 · Last updated: March 1, 2026

1. Introduction

OTP Guard ("we", "us", or "our") is a Shopify app that provides order verification via one-time passwords (OTPs) sent to customers by SMS. This Privacy Policy explains how we collect, use, store, and protect information when you install and use our app.

By installing OTP Guard, you ("the Merchant") agree to this Privacy Policy. If you do not agree, please uninstall the app.

2. Information We Collect

From Merchants (store owners)

  • Shopify store domain (e.g. your-store.myshopify.com)
  • Shopify plan name (Basic, Shopify, Advanced, Plus) — used only to determine feature eligibility
  • OTP Guard billing plan (Starter, Growth, Pro) — determined by in-app subscription
  • App settings: verification timer duration, active/inactive status, custom message templates

From Your Customers (end shoppers)

  • Phone number from the shipping address or customer profile on each order
  • OTP code — stored as a bcrypt hash; the raw code is never saved
  • Verification status (pending, verified, cancelled, expired)
  • Timestamps: when the OTP was sent, when it was verified or cancelled
  • Shopify Order ID and order number — used to tag and update the order in your admin

Usage Data

  • Monthly counts of OTPs sent, verified, and cancelled — used to enforce plan limits and display your dashboard

3. How We Use Your Information

We use the information we collect only to provide the OTP Guard service:

  • Sending verification SMS messages to your customers after they place an order
  • Recording verification outcomes and displaying them in your merchant dashboard
  • Automatically cancelling unverified orders after the configured timeout
  • Tagging and adding notes to Shopify orders (otp-verified, otp-cancelled)
  • Enforcing monthly OTP limits based on your billing plan
  • Billing through Shopify's native billing system

We do not sell, rent, or share your data or your customers' data with any third party for advertising, analytics resale, or any purpose other than delivering the OTP verification service.

4. Third-Party Services

OTP Guard relies on the following third-party services to operate:

Twilio (SMS delivery)

We use Twilio's Messaging Service to send SMS messages to your customers. Customer phone numbers and message bodies are transmitted to Twilio for delivery. Twilio is bound by its own Privacy Policy. We use our own Twilio account — merchants never provide Twilio credentials.

Shopify

OTP Guard integrates with the Shopify Admin API to read order data, add tags, add notes, and cancel orders. This integration is governed by Shopify's Privacy Policy.

Fly.io (Hosting)

Our application server and PostgreSQL database are hosted on Fly.io in the us-east (iad) region. Data is stored on Fly.io infrastructure and subject to Fly.io's data handling practices.

5. Data Retention

  • OTP records (phone numbers, verification status, timestamps) are retained for 90 days from creation, after which they are automatically deleted.
  • Usage records (monthly OTP counts) are retained for 12 months to support billing history display.
  • Shop settings are retained while the app is installed. When you uninstall OTP Guard, your shop record and all associated data are deleted within 48 hours.
  • On a GDPR customer redact request, all OTP records associated with the specified customer's phone number are deleted within 30 days.

6. Your Rights

Depending on your location, you (and your customers) may have rights under applicable data protection laws including the GDPR (EU/UK) and CCPA (California):

  • Right of access — you can request a copy of the data we hold about your store
  • Right to erasure — you can request deletion of your store's data at any time
  • Right to portability — you can request your data in a structured format
  • Right to object — you can object to how we process your data

Shopify automatically forwards GDPR data requests to us via webhook. We process customer redact and shop redact requests within 30 days of receipt. To submit a request directly, email privacy@otpguard.app.

7. Security

  • OTP codes are never stored in plain text — we store only a bcrypt hash
  • Verification tokens are single-use UUIDs that expire automatically
  • All communication between our server and Shopify / Twilio uses HTTPS/TLS
  • Database credentials and API keys are stored as encrypted environment secrets
  • Customer phone numbers are masked in dashboard displays (e.g. +1*****4567)

Despite these measures, no system is 100% secure. If you discover a security vulnerability, please report it responsibly to security@otpguard.app.

8. Children's Privacy

OTP Guard is a business tool designed for Shopify merchants. We do not knowingly collect data from individuals under the age of 16. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify merchants via a banner in the app dashboard. Continued use of OTP Guard after changes are posted constitutes acceptance of the updated policy.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or how your data is handled, please contact us:

OTP Guard Support

Email: privacy@otpguard.app

We aim to respond to all privacy requests within 5 business days.