Skip to main content
Last Updated: April 1, 2026 Application Publisher: Charlie SAS RCS Paris 102 163 060 90 Boulevard de la Tour-Maubourg, 75007 Paris, France President: Ghrenassia & Sons Contact: [email protected] Hosting:
  • Application: Cloudflare Workers
  • Database: Cloudflare D1
  • Domain: app.usecharlie.ai

Introduction

This Privacy Policy describes how Charlie (“we”, “our”, or “the App”) collects, uses, and protects information when you install and use our Shopify application. Charlie is a fulfillment and location management app that helps merchants manage multiple store locations and create intelligent order routing rules. This application is subject to French and European regulations, including the General Data Protection Regulation (GDPR - Regulation EU 2016/679) and the French Data Protection Act of January 6, 1978, as amended.

Data Controller

The data controller is: Charlie SAS [email protected]

Information We Collect

Merchant Information

When you install and use Charlie, we collect:
Data typeDescription
Shop informationStore name, email address, owner name, timezone, currency, domain
Location dataLocation names, addresses, types, opening hours, capacity limits, phone numbers, geographic coordinates
Configuration settingsShipping zones, local pickup settings, fulfillment constraint rules, shop preferences
Session dataAuthentication tokens and session information required for app functionality
Application logsDiagnostic information including shop identifiers, location IDs, and webhook events
Inventory exportsMerchant staff email address used for delivering export files

Customer Information

We do NOT directly collect or store personal information from your customers.
However, we may process:
  • Customer attributes (B2B status, tags) solely for order routing decisions
  • Delivery preferences during checkout for location selection
  • Order information to determine optimal fulfillment locations
No customer personal data is stored in our database.

Automatically Collected Information

  • Webhook events: Tracking of webhook events (e.g., location updates, inventory changes) for app functionality
  • Application logs: Server-side logs for debugging and performance monitoring
  • No tracking cookies: We do not use cookies for tracking or analytics purposes
We process your data on the following legal bases:
BasisPurpose
Contract performanceProcessing necessary for the application usage contract
Legitimate interestsTo improve our services and ensure application security
Legal obligationTo comply with our legal and regulatory obligations

Purposes of Processing

We use the collected information to:
  • Provide core app functionality including location management and order routing
  • Synchronize data with Shopify’s platform
  • Process fulfillment rules and routing decisions
  • Display location maps and validate addresses
  • Maintain app sessions and authentication
  • Provide checkout UI extensions for customer location selection
  • Debug issues and monitor application performance
  • Improve app functionality and fix bugs
  • Comply with legal obligations

Data Storage and Security

Location and Retention Period

Data typeRetention
DatabaseCloudflare D1 (SQLite) with encryption at rest
Session dataRetained while subscription is active
Event logsWebhook deduplication events retained for 48 hours
Activity logsConfiguration change audit trail retained for 90 days
Application logsDiagnostic logs retained for 30 days
Database backupsDaily backups stored in Cloudflare R2, retained for 30 days
Inventory export filesRetained for 30 days, then automatically removed
Error monitoring (Sentry)Error logs retained for 90 days
Product analytics (PostHog)Usage events retained for 12 months
Metafield dataFollows Shopify’s data retention policies
Most business data is stored in Shopify’s platform using metafields—minimal data is stored in Charlie’s database.

Security Measures

We implement industry-standard security measures:
  • Encrypted connections (HTTPS/TLS)
  • Secure authentication tokens via Shopify OAuth
  • Regular security updates
  • Access controls and monitoring
  • Data encryption at rest and in transit
  • No storage of sensitive payment information

Third-Party Services

We use the following third-party services:
ServicePurposeData received
ShopifyCommerce platform, data source of truth, authenticationAll merchant commerce data
Cloudflare (Workers, D1, KV, Queues, R2, Analytics Engine)Application hosting, database, caching, background jobs, backups, fulfillment analyticsOperational configuration, OAuth sessions, anonymized routing metrics
SentryError monitoringStack traces and request context (no PII, no access tokens)
PostHogProduct analyticsUsage interaction events with shop fingerprint only
ResendTransactional email (inventory export notifications)Merchant email address, download URLs
MantleSubscription billing managementBilling plan status
BetterStackUptime monitoring and status pageService health heartbeats only
Google Maps Time Zone APITimezone resolution from location coordinatesGPS coordinates of merchant locations
We do not use any third-party advertising, remarketing, or customer tracking services. Analytics services (Sentry, PostHog) receive only operational data and shop-level interaction events — no customer PII, no merchant business data.

Data Sharing

We do NOT share your data:
  • We do not sell, rent, or trade your information to third parties
  • We do not share your data for marketing purposes
  • We do not use your data for purposes other than providing app functionality
We may share information only when:
  • Required by law or legal process
  • Necessary to protect rights, safety, or property
  • You explicitly consent to such sharing

International Transfers

Data may be transferred outside the European Union only when:
  • Appropriate safeguards are in place (standard contractual clauses, adequacy decisions)
  • The transfer is necessary for contract performance
  • Services used have appropriate data protection measures

Your Rights (GDPR)

Under the GDPR, you have the following rights:
RightDescription
AccessObtain confirmation that your data is being processed and access this data
RectificationCorrect inaccurate or incomplete data
ErasureRequest deletion of your data under certain conditions
RestrictionRequest restriction of processing under certain conditions
Data portabilityReceive your data in a structured format
ObjectObject to the processing of your data
Withdraw consentWhere processing is based on consent
To exercise these rights, contact us at: [email protected] You also have the right to lodge a complaint with your local supervisory authority. For France: Commission Nationale de l’Informatique et des Libertés (CNIL) 3 Place de Fontenoy - TSA 80715 75334 PARIS CEDEX 07 Tel: +33 1 53 73 22 22

Shopify GDPR Webhooks

We comply with Shopify’s mandatory GDPR compliance webhooks:
WebhookAction
customers/data_requestWe provide any processed customer data upon request
customers/redactWe delete any customer data upon request
shop/redactWe delete all shop data 48 hours after app uninstallation
As we do not store customer personal data, these requests typically return no data.

Cookies and Tracking

  • No tracking cookies: We do not use cookies for tracking, analytics, or advertising
  • Session management: Authentication is handled through Shopify OAuth without cookies
  • No third-party tracking: We do not use Google Analytics, Facebook Pixel, or any advertising/remarketing services

Data Deletion

To delete all your data:
1

Uninstall Charlie

Go to your Shopify admin and uninstall the Charlie app.
2

Automatic deletion

This triggers automatic deletion of all Charlie data stored in our database:
  • All session data (immediate)
  • All webhook event logs (within 48 hours)
  • All location configurations, fulfillment rules, and preferences
  • All activity logs and export records
Metafield values written to Shopify (inventory levels, safety stock, location tags) remain in your Shopify store since they belong to you and are accessible via the Shopify Admin API.
Data deletion is permanent and cannot be reversed.

Children’s Privacy

Our app is not directed to children under 16. We do not knowingly collect information from children under 16 years of age.

Customer Interaction

Your customers may interact with Charlie through:
  • Checkout UI extensions: For selecting pickup locations or delivery options
  • Order routing: Their delivery preferences influence fulfillment decisions
We process this information solely to fulfill orders according to your configured rules.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through:
  • Email to your registered shop email
  • In-app notifications
  • Update notices in the Shopify App Store
Continued use of the app after changes constitutes acceptance of the updated policy.

California Privacy Rights (CCPA)

For California residents:
  • We do not sell personal information
  • You have the right to know what personal information we collect
  • You have the right to delete your personal information
  • You have the right to opt-out of the sale of personal information (though we do not sell data)
  • We will not discriminate against you for exercising your privacy rights

Contact Information

For any questions regarding data protection or to exercise your rights: Email: [email protected] Responsible: Rocco Ghrenassia Company: Charlie SAS
By installing and using Charlie, you acknowledge that you have read, understood, and agree to this Privacy Policy.
Last modified on April 23, 2026