Privacy Policy — GDPR + CCPA Privacy Automator

Last updated: July 8, 2026

What this app does

GDPR + CCPA Privacy Automator ("the app") helps merchants handle customer data-deletion and data-access requests: it tracks requests with deadlines, anonymizes customer records on request, compiles data access reports, and keeps an audit log. It is operated by SurfSafe.

Data we collect and store

Data access reports (PDF/JSON) are generated on demand from your Shopify data and downloaded directly by you — the app does not store report contents and never emails your customers.

How data is used

Data is used solely to provide the app's features: tracking privacy requests, anonymizing customer records, generating data access reports, and notifying you of new requests. We do not sell, rent, or share your data with third parties. Data is hosted on Fly.io (application) and Neon (database), and notification emails to you are delivered via Resend — all in the United States.

Data deletion

When you uninstall the app, Shopify notifies us and all data for your store — settings, privacy requests, audit logs, and access tokens — is permanently deleted. The app also honors Shopify's own privacy webhooks (customers/data_request, customers/redact, shop/redact) for its stored data.

Contact

Questions or requests: support@surfsafe.io