TrackHQ
Launch app
Menu

Privacy Policy — TrackHQ

Last updated: April 22, 2026

This privacy policy describes how TrackHQ (“we”, “us”, “our”) collects, uses, stores, and shares information when merchants use our Shopify application and when end customers interact with tracking features we power. Our production application is operated at https://app.trackhq.co (the “App”).

Important: This document is provided for transparency and to support Shopify App Store and legal expectations. It is not legal advice. Privacy laws vary by region and by how you use personal data. If you need advice about your obligations, consult a qualified attorney.

Who this policy covers

  • Merchants: Businesses that install the App on their Shopify store.
  • Merchant staff: Individuals who log into Shopify and use the embedded App (when online access sessions are used).
  • End customers: Individuals who use merchant storefront features we help provide (for example, the order tracking page served via Shopify’s app proxy).

Information we collect through Shopify’s APIs

When a merchant installs the App, we receive authorization to access their store through Shopify’s Admin API, Storefront API (where configured), and webhooks, consistent with the access scopes approved at installation. Depending on how the merchant uses the App and Shopify’s data model, this may include:

  • Store and configuration data: Shop domain, shop identifiers, navigation or theme-related data we are permitted to read or update for tracking page integration.
  • Order and fulfillment data: Orders, fulfillments, tracking numbers, carriers, fulfillment-related timestamps, and associated references needed to show shipment status and maintain tracking records.
  • Product and catalog data: Product information used for features such as package contents on the tracking experience and optional product recommendations.
  • Customer data (where permitted by scopes): Information from Shopify needed to associate shipments with orders and, where enabled, to support notifications or lookups (for example, customer contact fields available through the APIs we use).
  • Location and fulfillment-network data: Data such as fulfillment or location information needed to process shipments.

We use this information only to provide and improve the App’s core services (tracking, merchant dashboard, notifications, billing and usage limits, and related features), unless we describe a different use elsewhere in this policy or obtain appropriate consent where required.

Information we collect directly from merchants

  • Account and billing context: Subscription or plan state, usage against shipment quotas, and related billing metadata needed to operate paid features.
  • Settings and preferences: Merchant-configured options for the customer-facing tracking page (for example, branding and display settings stored as configuration in our systems).
  • Support and operational communications: Information merchants send us when requesting help (for example, email content), if applicable.

We may also generate service and security logs (for example, application or webhook processing logs) that can include technical metadata such as timestamps, shop identifiers, and error messages. We do not use those logs to sell personal data or for unrelated advertising.

Information from merchants’ customers (end customers)

  • Tracking page interactions: When someone visits the merchant’s tracking URL (for example, https://{store}/apps/track), we process query parameters and similar request data needed to look up a shipment (such as tracking number, optional carrier hint, or order lookup fields the merchant enables). Our servers handle these requests to render tracking information.
  • Order lookup: Where the merchant enables it, we may process information the customer enters or that is passed in the URL to validate access to order or shipment details (for example, order number combined with a contact identifier), consistent with the merchant’s storefront configuration.
  • Optional product recommendations: If enabled, we may use product and catalog information from Shopify to show related products on the tracking page. This is intended to support the merchant’s storefront experience, not third-party interest-based advertising across the web.

We do not intentionally collect special categories of sensitive personal data. We do not knowingly direct the App at children.

Cookies and similar technologies: The App runs in Shopify’s ecosystem. Shopify, the merchant’s theme, or our embedded admin experience may set cookies or use storage as needed for authentication and security. Our customer-facing tracking page may rely on standard browser mechanisms and Shopify app proxy behavior. We do not describe every cookie name here because implementations can change; merchants should align their own store privacy notices with their theme and Shopify settings.

Information we process using subprocessors and third-party services

To provide tracking status, we send tracking numbers (and related carrier or routing hints) to carrier and multi-carrier tracking providers configured for the App (for example, postal and logistics APIs). Those providers return shipment status events; they may log requests according to their own policies.

We may use cloud infrastructure and email delivery (for example, email notifications related to fulfillments where the merchant enables such features) and managed database hosting. Data is stored in systems we control or lease for the purpose of operating the App.

A current list of categories of subprocessors can be provided upon request; specific vendor names may change as we improve reliability and security.

How we use information

We use the information above to:

  • Sync and display shipment tracking for merchants and their customers.
  • Operate the embedded merchant experience (dashboard, settings, customization).
  • Send transactional or operational notifications where merchants configure them.
  • Enforce plan limits, billing, and abuse prevention.
  • Maintain security, debug issues, and comply with law.

We do not sell personal information. We do not use personal data for third-party interest-based advertising unrelated to operating the App.

Retention

We retain information as long as needed to provide the service, meet legal obligations, resolve disputes, and enforce our agreements. Illustrative examples:

  • OAuth session data (including tokens and, for online sessions, staff identifiers provided by Shopify): retained while the App is installed and the session is valid; removed or invalidated on uninstall or session expiry as applicable.
  • Shipment and tracking cache data: retained to power live tracking and merchant analytics; may be deleted or anonymized when no longer needed for the service or when a merchant uninstalls, subject to backup and operational constraints.
  • Email notification queues: retained until sent or purged according to operational rules; error metadata may be retained briefly for retries.

Exact retention can depend on merchant actions (for example, reinstalling the App) and technical backups. For specific deletion questions, contact us using the details below.

Legal bases (where applicable)

If the GDPR or similar laws apply, we typically rely on:

  • Performance of a contract with the merchant (providing the App).
  • Legitimate interests in securing and improving the service, provided those interests are not overridden by individual rights.
  • Legal obligations where we must retain or disclose certain records.

Merchants are generally responsible for establishing a lawful basis for their own customer-facing processing and for their store’s privacy notices.

International transfers

We may store and process data in the United States and other countries where we or our service providers operate. If we transfer personal data from the EEA, UK, or Switzerland, we use appropriate safeguards where required (for example, standard contractual clauses or other mechanisms recognized by applicable law).

Security

We implement technical and organizational measures appropriate to the nature of the data we process, including access controls and encryption in transit where supported. No method of transmission or storage is completely secure; we encourage merchants to use strong Shopify account security practices.

Individual rights and requests

Depending on where individuals live, they may have rights to access, correct, delete, restrict, or object to certain processing, and to data portability or to withdraw consent where processing is consent-based.

  • End customers should usually contact the merchant first, because the merchant controls the Shopify store and many data elements.
  • Merchants and their staff may contact us for App-related data questions.

To exercise rights or ask questions, email us at tools@lvmodel.com. We may need to verify requests and coordinate with Shopify or the merchant where we cannot directly identify the data subject.

We support Shopify’s privacy compliance requirements for apps (including mandatory webhooks and processes related to data subject requests, customer redaction, and shop data deletion) as described in Shopify’s privacy law compliance documentation. Merchants should ensure their App Store listing and store policies reference an accurate privacy policy.

Marketing and promotional use

TrackHQ is an order tracking and operations app, not a standalone email marketing platform. We do not use buyer personal data to build cross-merchant advertising profiles. If we introduce optional marketing-related features that require additional consent under local law, we will describe them clearly and obtain consent where required.

Changes to this policy

We may update this policy from time to time. We will post the updated version with a new “Last updated” date. If changes are material, we will provide additional notice as appropriate (for example, via the App or email to merchants).

Contact

Supa LVM
Email: tools@lvmodel.com