# Cordon Privacy Policy
Last updated: 13 May 2026.
## What Cordon collects
Cordon is a Shopify app that helps merchants block unwanted traffic to their store. To do this we process the following from your store's visitors:
- **IP addresses**, used in-memory to determine country, ASN, and whether the visitor is a known bot/VPN/proxy/Tor user. We never store raw IP addresses in long-term storage.
- **Hashed IP fragments** — SHA-256 of the IP plus a daily-rotating server-side salt. Stored for up to 365 days for analytics. After the salt rotates, hashes are permanently irreversible — even by us.
- **Truncated IP prefix** (`/24` for IPv4, `/48` for IPv6) for aggregate analytics that do not identify individuals.
- **HTTP request metadata** — User-Agent, referrer, requested path. Stored alongside the hashed IP.
- **Your Shopify shop domain and admin user identifiers** as part of standard Shopify OAuth.
## What we do not collect
- Customer names, emails, phone numbers, or addresses
- Order data, product data, or prices
- Shopify customer IDs (we have no way to link visitor logs to specific customers)
- Storefront cookies — Cordon's storefront script does not set any cookies
## Where data is stored
- **Postgres** on Railway (EU and US regions)
- **Redis** on Upstash (global edge replication)
- **Backups**: daily Railway snapshots, retained 7 days
## Sub-processors
| Service | Purpose | Data shared |
|---|---|---|
| Railway | Application hosting | All app data (encrypted at rest) |
| Upstash | Redis caching | Hashed IPs, rule cache, rate-limit counters |
| IPinfo | IP geolocation | Raw IP, in-memory only, no persistence on their side per their EU terms |
| IPQualityScore | VPN / proxy / fraud detection | Raw IP, in-memory only |
| Cloudflare | Edge tier (Plus plan only) | Raw IP, request URL |
| Sentry | Error tracking | App-side error data; PII redacted |
| PostHog (EU) | Product analytics (admin UI only) | Shop domain, button-click events — never visitor data |
## Data retention
| Data type | Retention |
|---|---|
| Hashed visitor log (Starter plan) | 30 days |
| Hashed visitor log (Growth plan) | 90 days |
| Hashed visitor log (Pro plan) | 180 days |
| Hashed visitor log (Plus plan) | 365 days |
| Shop config + rules | Until app uninstall + 48-hour grace period, then permanently deleted |
| Daily IP-hash salt | 25 hours, then auto-rotated and unrecoverable |
## Your rights under GDPR
- **Right to access**: email `support@cordon.app`
- **Right to erasure**: uninstall the app — all data tied to your shop is purged within 48 hours via Shopify's `shop/redact` webhook
- **Right to data portability**: email `support@cordon.app` for an export
- **Right to object to processing**: uninstall the app at any time
## Data Processing Agreement (DPA)
A DPA is available on request — email `support@cordon.app` with your store domain and we will send a signed copy within one business day.
## Children
Cordon does not knowingly process data from anyone under 16. The app is sold to Shopify merchants, not consumers.
## International transfers
Visitor data may be processed in the US and EU depending on plan and routing. Where data is transferred outside the EU, Standard Contractual Clauses (SCCs) apply via our sub-processors.
## Contact
- **Privacy questions**: `support@cordon.app`
- **Data Protection Officer**: Bas Lefeber
## Changes to this policy
Updates will be posted here. The "Last updated" date at the top will be revised on any material change. We will notify the merchant contact on record of substantive changes by email.