Privacy Policy

This Privacy Policy describes how [Company Legal Name] (“we”, “us”, or “our”) collects, uses, and protects personal data in connection with the Address Guardian Shopify application (“the Service”). Address Guardian is operated by SunnyApps.de and provides real-time address validation for Shopify merchants.

The data controller responsible for your personal data is:

Data Protection Officer: [DPO Email]

When you install and use Address Guardian, we may collect and process the following categories of personal data:

• Address data — street address, city, state/region, postal code, and country, as entered by your customers at checkout.
• Email addresses — customer email addresses associated with orders for validation and communication purposes.
• Order data — order identifiers and metadata retrieved via the Shopify API to apply validation results and tags.
• Usage data — pages visited within the app, features used, and interaction events, collected to improve the Service.

We use the data we collect for the following purposes:

• Address validation — submitting address data to the Loqate/GBG API to verify accuracy, completeness, and deliverability.
• Order tagging — applying validation result tags to orders in your Shopify store to help you identify and act on address issues.
• Email validation — checking customer email addresses for validity to support accurate communications.
• Analytics — understanding how merchants interact with the Service in order to improve features and user experience.

For users in the European Economic Area (EEA), we process personal data on the following legal bases under the General Data Protection Regulation (GDPR):

• Legitimate interests (Article 6(1)(f)) — we have a legitimate interest in validating shipping addresses to facilitate successful order fulfillment and reduce failed deliveries. This interest is balanced against the rights and freedoms of data subjects.
• Consent (Article 6(1)(a)) — where we collect data for purposes that require explicit consent, we will obtain that consent before processing.
• Contractual necessity (Article 6(1)(b)) — some processing is necessary to perform the contract with the merchant who has installed the app and to provide the features of the Service.

We engage the following third-party service providers who may process personal data on our behalf:

• Loqate / GBG — address and email validation services. Loqate is a UK-based company and a subsidiary of GBG plc. Address data is transmitted to Loqate's API to perform validation checks. Loqate processes data in accordance with its own privacy policy and applicable data protection law.
• Shopify — the e-commerce platform that powers your store. We access Shopify APIs in accordance with Shopify's Partner Program Agreement and API Terms of Service. Shopify is the data controller for data held within your Shopify store.
• Plausible Analytics — a privacy-friendly, cookie-free analytics platform based in the EU. Plausible does not collect personal identifiers and its data is processed exclusively within the European Union.

We retain personal data only for as long as necessary to fulfil the purposes described in this policy:

• Validation results — address and email validation results are retained for 90 days following the validation event, after which they are permanently deleted.
• Account data — data related to your merchant account and app configuration is retained for as long as the Address Guardian app remains installed on your Shopify store.
• Post-uninstall deletion — upon uninstallation of the app, all account and associated data will be permanently deleted within 30 days.

If you are located in the EEA, you have the following rights regarding your personal data under the GDPR:

• Right of access — you may request a copy of the personal data we hold about you.
• Right to rectification — you may request correction of inaccurate or incomplete personal data.
• Right to erasure — you may request deletion of your personal data where there is no legitimate reason for us to continue processing it.
• Right to restriction of processing — you may request that we limit how we use your personal data.
• Right to data portability — you may request that we transfer your personal data to you or a third party in a structured, machine-readable format.
• Right to object — you may object to processing based on legitimate interests or for direct marketing purposes.

To exercise any of these rights, please contact our Data Protection Officer at [DPO Email]. We will respond to your request within 30 days. You also have the right to lodge a complaint with the relevant supervisory authority in your country of residence.

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

• Right to know — you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it.
• Right to delete — you have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to opt-out of sale — we do not sell your personal information to third parties. No opt-out action is required.
• Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.

To submit a CCPA rights request, please contact us at [DPO Email].

We are committed to respecting your privacy with regard to tracking technologies:

• Privacy-respecting analytics — we use Plausible Analytics, which is cookieless and does not collect any personally identifiable information. Plausible measures aggregate usage patterns only.
• No third-party tracking cookies — we do not use advertising networks, social media pixels, or any third-party tracking cookies.
• Essential cookies only — where cookies are set, they are strictly necessary for the operation of the Service (e.g. session management) and do not require your consent under applicable law.

We take the security of your data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, or disclosure:

• All data transmitted between your store, our servers, and third-party APIs is encrypted using TLS (Transport Layer Security).
• Communication with the Loqate API and Shopify API is conducted over secure, authenticated channels.
• Access to personal data is restricted to authorised personnel on a need-to-know basis through role-based access controls.
• We conduct regular security reviews of our infrastructure, dependencies, and processes to identify and remediate vulnerabilities.

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We encourage you to notify us immediately if you suspect any unauthorised use of your account.

As a German company, our primary operations are based in the European Union. However, some data transfers outside the EU/EEA may occur:

• EU processing — our core infrastructure is located within the EU and benefits from the full protections of the GDPR.
• UK (Loqate/GBG) — address data submitted to Loqate may be processed in the United Kingdom, which has been granted adequacy status by the European Commission, ensuring equivalent data protection standards.
• Standard contractual clauses — where data is transferred to countries without an adequacy decision, we rely on the European Commission's standard contractual clauses (SCCs) or equivalent safeguards as applicable.

The Address Guardian Service is designed for use by Shopify merchants and is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately so that we can take appropriate steps to delete it.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services we offer, or applicable law. When we make changes, we will update the “Last updated” date at the top of this page.

Changes to this policy become effective upon posting to this page. We encourage you to review this policy periodically. Continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

For material changes, we may also notify affected merchants via the email address associated with their Shopify account.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all enquiries within 30 days of receipt.