Checkout Defense — Privacy Policy

Last updated: June 23, 2026

What Checkout Defense does

Checkout Defense is a Shopify app that blocks disposable and burner email addresses at checkout and on customer signup, tags risky signups for the merchant’s review, and shows the merchant a dashboard of blocked attempts. It helps merchants reduce fake orders, promotion abuse, and chargebacks tied to burner-email purchases.

What we store

• Your store domain and the app session/access token issued by Shopify.
• Your app settings: checkpoint toggles, strictness, and any custom allow/block domain rules you add.
• Block-event records used for the merchant dashboard and activity feed. Each record stores only the email domain (for example, “mailinator.com”), the checkpoint, the action taken, a Shopify resource identifier (order or customer ID), an optional cart value, and a timestamp.
• Your subscription status (managed through Shopify Billing).

We do not store your customers’ raw email addresses, names, or other personal contact details. When a buyer enters an email at checkout or signup, the app checks the email’s domain against a list of known disposable domains and records only that domain — never the full address. Block-event records are kept for 90 days and then automatically removed.

How we use it

Solely to operate the app: to evaluate whether an email’s domain is a known disposable provider, to apply the protections you have enabled (block at checkout, tag a customer, or — only if you turn it on — remove a brand-new, zero-order customer who used a disposable email), to render your dashboard, manage your subscription, and respond to support requests. We do not sell or share your data, and we do not use it for advertising. We use no third-party email-validation or scoring service — domain checks run against a list we host ourselves.

Data deletion (GDPR / CCPA)

We honor Shopify’s mandatory privacy webhooks. When you uninstall the app or Shopify sends a shop-redact request, we permanently delete the settings and block-event records associated with your store. Because we store email domains rather than personal email addresses, a customer-redact or customer-data request involves no personal contact information held by us; we remove any records keyed to the affected Shopify customer identifier. You can also request deletion at any time by emailing us.

Subprocessors

We host the app on Vercel and store data in a Neon (PostgreSQL) database. Both process data only to provide the service. The disposable-email checkpoint at checkout runs as a Shopify Function on Shopify’s own infrastructure.

Contact

Questions or deletion requests: jewbear66@gmail.com.