MailShield (“the App”, “we”, “us”, “our”) is a Shopify app that helps merchants block fake, disposable, and mistyped email addresses at checkout and flag risky orders afterwards. This policy explains what data the App accesses, how it is used, and how it is protected.
1. Who we are
MailShield is operated by Stackedboost. For any privacy question or request, contact us at admin@stackedboost.com.
2. Data we access
When a merchant installs the App and authorizes it through Shopify, we access:
Store information — your shop domain and an offline access token, used to operate the App and call the Shopify Admin API on your behalf.
Customer email addresses:
  At checkout — our Shopify checkout-validation Function evaluates the buyer’s email to block disposable, mistyped, invalid, or merchant-blocklisted addresses. This runs inside Shopify’s infrastructure; the email is not transmitted to our servers during checkout.
  After an order is placed (paid plans only) — Shopify sends us the order via the orders/create webhook, which includes the customer’s email, so we can compute a risk score.
Order metadata — order ID, name, and existing tags/notes, so we can add a risk tag and note.
Merchant settings — your custom blocked-domain list and alert email.
We do not access payment information, customer addresses, phone numbers, or any data beyond what is listed above.
3. How we use the data
Detect disposable/temporary email domains, common typos, invalid formats, and domains on the merchant’s blocklist.
Perform a DNS/MX lookup on the email domain (not the full address) to check deliverability (Advanced plan).
Tag flagged orders and add a risk note in the merchant’s Shopify admin.
Send the merchant an email alert for high-risk orders (if enabled).
We do not sell, rent, or share customer data, and we do not use it for advertising or any purpose beyond the risk scoring described here.
4. Data we store and retention
Store settings (blocklist, alert email, plan) — kept while the App is installed.
Risk logs (order ID, email domain, risk score, and the flagged email) — retained for 90 days, then automatically deleted.
We store the minimum necessary to provide the dashboard and logs.
5. Data deletion
When you uninstall the App, we delete your store’s data, including risk logs and settings.
We honor Shopify’s customers/data_request, customers/redact, and shop/redact requests.
6. Sub-processors
Railway — application hosting and PostgreSQL database (European Union).
Resend — transactional email for merchant alerts.
Shopify — the commerce platform the App runs on.
All sub-processors are bound by their respective data-protection terms.
7. Security
All data is transmitted over TLS/HTTPS.
Data at rest is stored in a managed PostgreSQL database with access restricted to the App.
All webhook requests are verified using Shopify’s HMAC signatures.
8. Your rights
Depending on your jurisdiction (e.g. GDPR, CCPA), you may have the right to access, correct, or delete personal data. Contact admin@stackedboost.com to exercise these rights.
9. Changes to this policy
We may update this policy from time to time; the “Last updated” date above will reflect any change.