OptiMail Shopify App Privacy Policy
Border Business Systems Limited
Border House, 37 Abenbury Way, Wrexham Industrial Estate, Wrexham, LL13 9FS, United Kingdom
Email: support@bbsltd.co.uk | Telephone: 01978 784600
This Privacy Policy explains how Border Business Systems Limited (“BBS”, “we”, “us” or “our”) collects, uses, stores, shares and otherwise processes personal data in connection with the OptiMail Shopify app (the “App”). The App includes the merchant admin experience, Shopify webhooks and API integrations, the Thank You and Order Status extension blocks, and buyer-facing address confirmation or correction pages that are generated by the App.
This policy is intended for Shopify merchants considering or using the App, and for individuals whose data may be processed through the App, including store staff and end customers. It should be read together with any merchant-facing contract, terms of service, data processing terms, or store-level privacy notice that also applies.
1. Our role
When we process store, order and customer data to provide OptiMail functionality to a Shopify merchant, we generally do so to provide services to that merchant and in accordance with the merchant’s instructions and enabled settings. For certain activities, such as account management, billing, security, fraud prevention, service analytics, legal compliance, and direct communications with merchants, we may act as a controller or otherwise determine the purposes and means of processing.
Because Shopify merchants control the relationship with their customers, end customers should normally direct privacy requests to the merchant they purchased from first. Where required, we assist merchants with applicable privacy and compliance requests, including Shopify compliance workflows.
2. Personal data we process
The categories of personal data that we process depend on how a merchant configures OptiMail and how the App is used.
| Category | Examples | How we receive it | Primary use |
|---|---|---|---|
| Merchant and store account data | Shop domain, store identifiers, install/authentication records, app settings, merchant branding, contact details provided to us, subscription and billing references. | From Shopify during installation and use, and directly from merchants. | To install, authenticate, configure, bill, support, and secure the App. |
| Order and customer delivery data | Order IDs, customer IDs, shipping address fields, billing/shipping contact fields, order notes, order tags, order/customer metafields, and related webhook payloads. | From Shopify APIs, Shopify webhooks, and merchant-enabled extension flows. | To validate addresses, detect potential delivery issues, present correction options, and record outcomes in Shopify. |
| Buyer-submitted data | Buyer confirmations that an address is correct, corrected address details entered manually, or acceptance of a suggested or forwarding address. | Directly from buyers through OptiMail buyer-facing pages or post-purchase extension interactions. | To update the issue status, help the merchant fulfil the order, and maintain an audit trail of the buyer action. |
| Validation and derived data | Address validation results, issue flags such as mover or goneaway indicators, suggested or forwarding address data, correction links, token hashes, timestamps, and action outcomes. | Generated by the App or received from address-validation and change-of-address service providers. | To operate the core OptiMail workflow, create correction journeys, produce merchant reporting, and support review or troubleshooting. |
| Technical, security and usage data | Request metadata, timestamps, user-agent details, service logs, diagnostics, webhook metadata, and usage or billing event data. | Automatically generated when the App is used. | To protect the service, troubleshoot, monitor performance, maintain records, and support billing and compliance. |
OptiMail is designed around address-quality and delivery-risk workflows. This means that, depending on merchant settings and the permissions approved for the App, we may process personal data that relates to a single customer or order, including names, addresses, email addresses, and telephone numbers where available and necessary to provide the App’s functionality.
3. How we use personal data
- to install, authenticate and maintain the App for Shopify merchants;
- to validate shipping addresses, detect potential delivery-risk issues, and generate suggested corrections or flags;
- to show buyer-facing confirmation or correction journeys on Thank You pages, Order Status pages, and tokenised correction links;
- to write relevant information back into Shopify, including order status indicators, tags, notes, and metafields, and to update order shipping addresses when the merchant or buyer instructs us to do so through the App;
- to provide merchant dashboards, reporting, support, onboarding and service configuration;
- to maintain usage records, operational metrics, internal audit trails, and billing records;
- to secure the App, prevent abuse, investigate incidents, and debug or improve reliability and performance;
- to comply with applicable law, regulatory requests, contractual commitments, and Shopify platform requirements, including privacy and compliance webhooks.
4. Legal bases for processing
| Legal basis | Typical OptiMail use case |
|---|---|
| Performance of a contract | Providing the App to merchants, operating address-validation workflows, and supporting configured buyer correction journeys. |
| Legitimate interests | Securing the App, maintaining logs, preventing misuse, improving reliability, producing service analytics, and supporting merchants. |
| Legal obligation | Maintaining records where required, responding to lawful requests, and fulfilling privacy, tax, accounting, or regulatory requirements. |
| Consent, where required | Any processing that requires consent under applicable law will be handled only where valid consent has been obtained or another valid legal basis applies. |
5. Sources of personal data
- directly from Shopify when a merchant installs or uses the App;
- from Shopify APIs, Shopify webhooks, and the merchant’s store configuration;
- from buyers when they interact with OptiMail post-purchase blocks or correction pages;
- from merchants when they configure settings, upload branding, contact us, or request support;
- from service providers that help validate or enrich address and delivery-risk information.
6. How we share personal data
We may disclose personal data only where reasonably necessary to operate the App, comply with law, or protect our rights and users.
- Shopify, so the App can read data from and write data back to the merchant’s Shopify environment;
- hosting, cloud, infrastructure, database, security, and communications providers that help us run and support the App;
- address-validation, change-of-address, or mover-detection service providers that we use to perform OptiMail’s address-quality checks;
- professional advisers, auditors, insurers, regulators, law enforcement, or courts where disclosure is legally required or reasonably necessary;
- a purchaser, investor, successor, or restructuring counterparty in connection with a corporate transaction, subject to appropriate confidentiality safeguards.
We do not needlessly disclose store or buyer data to unrelated third parties. Any third party that receives personal data on our behalf is expected to process it only for the relevant service purpose and subject to appropriate contractual or legal protections.
7. International transfers
BBS is based in the United Kingdom. Some of our service providers may process personal data outside the UK or European Economic Area. Where we transfer personal data internationally, we take steps intended to ensure that appropriate safeguards are in place, such as adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms, where required by applicable law.
8. Retention
We retain personal data only for as long as reasonably necessary to provide the App, maintain security and operational records, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary by data type and context.
- merchant installation, account, configuration, and subscription records are retained while the App remains installed and for a limited period afterwards where needed for billing, audit, dispute resolution, or legal compliance;
- order-validation, issue-status, and buyer-response records are retained for only as long as reasonably necessary to provide the App’s functions, support reporting, and maintain a defensible audit trail for the merchant;
- buyer correction links and associated tokens are retained only until they expire, are used, or are otherwise invalidated;
- technical and diagnostic logs are retained for a limited period appropriate for security, fraud prevention, troubleshooting, and service monitoring;
- where we are legally required to keep particular records for longer, we will do so for the legally required retention period and then delete or anonymise the data when no longer necessary.
If a merchant uninstalls the App, or if Shopify sends a valid compliance or redaction request, we will delete or anonymise relevant data in accordance with applicable law, our contractual commitments, and Shopify’s compliance requirements, except where we must retain certain information by law.
9. Data rights and Shopify compliance
Depending on applicable law, individuals may have rights to access, correct, delete, restrict, object to, or request portability of their personal data. Because merchants control the relationship with their customers, customer requests should usually be directed to the merchant first. We support merchants in responding to applicable requests where required.
If you are a Shopify merchant using OptiMail, you may contact us directly regarding App data. We also process Shopify compliance workflows, including requests relating to stored customer data, customer redaction, and shop redaction, as applicable.
10. Security
We use reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. These measures may include access controls, authentication controls, encrypted transport, tokenised buyer correction links, monitoring, and role-based access to operational systems. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
11. Automated decision support
OptiMail uses rules, matching logic, and address-validation workflows to help identify potentially inaccurate or outdated delivery details. These outputs are intended to support fulfilment decisions and allow merchants or buyers to review, confirm, or correct information. OptiMail is not intended to make solely automated decisions that produce legal or similarly significant effects on individuals without appropriate human oversight.
12. Buyer-facing pages and cookies or similar technologies
If a merchant enables buyer-facing correction journeys, buyers may interact with OptiMail directly through Thank You pages, Order Status pages, or tokenised correction links. These flows are designed to support the order fulfilment process. We may use strictly necessary technical mechanisms, such as session or security controls, to operate these flows. This policy does not override any cookie or tracking choices that may separately apply on a merchant’s storefront or Shopify services.
13. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes to the App, our service providers, applicable law, or our data practices. When we make material changes, we will update the effective date above and, where appropriate, provide additional notice.
14. Contact us
Border Business Systems Limited
Border House, 37 Abenbury Way
Wrexham Industrial Estate
Wrexham, LL13 9FS
United Kingdom
Email: support@bbsltd.co.uk
Telephone: 01978 784600