
WeCraft COD Fee & Rules
Shopify app · Last updated July 2, 2026
1. Overview
WeCraft COD Fee & Rules ("the App") is a Shopify application operated by WeCraft that automatically applies a cash-on-delivery (COD) fee to eligible orders based on rules configured by the merchant. This policy describes how the App handles data for merchants who install it and for their customers whose orders the App processes.
The App is designed around data minimization: it stores no customer personal information on our servers, and merchant configuration lives inside the merchant's own Shopify store.
2. Information We Collect
When you install the App, we collect and store:
- Your store's .myshopify.com domain and the OAuth access token Shopify issues to the App, which are required for the App to communicate with your store.
To apply COD fees, the App processes order data in real time:
- Order details received via Shopify webhooks when an order is created — including the order ID, line items, order totals, shipping information, and the payment method names used to detect cash-on-delivery orders.
- This order data is processed transiently in memory to decide whether a COD fee applies. It is not stored on our servers.
Merchant configuration — fee amount, free-shipping threshold, detection keywords, rules, and display settings — is stored as metafields inside your own Shopify store, not in our database.
We do not collect or store customer names, emails, addresses, phone numbers, or payment details on our servers.
3. How We Use Data
We use the data described above to:
- Detect whether a new order was placed with a cash-on-delivery payment method
- Calculate and apply the COD fee to the order according to your configured rules, using Shopify's order editing API
- Tag processed orders and record the applied fee amount and reason as order metafields in your store
- Display fee activity and settings to you inside the App's admin dashboard
- Diagnose errors and keep the App reliable
We do not sell any data. We do not share data with third parties for marketing or advertising purposes, and we do not use it for profiling or tracking.
4. Data Storage & Security
- The App runs on infrastructure hosted in the European Union (Fly.io, Frankfurt region), with session data stored in a managed PostgreSQL database (Supabase).
- All data transfers between your store, Shopify, and our servers are encrypted in transit using TLS.
- Webhook requests from Shopify are verified using HMAC signatures before any processing occurs.
- Access to production systems is limited to authorized WeCraft personnel.
5. Third Parties
The App relies on the following service providers to operate:
- Shopify — the platform the App is built on; order data originates from and is written back to your Shopify store under Shopify's own privacy policy.
- Fly.io — application hosting (EU region).
- Supabase — managed PostgreSQL database used solely for Shopify session storage.
These providers process data only to run the App's infrastructure and are not permitted to use it for their own purposes.
6. Data Retention & Deletion
- Order data is processed in memory only and is never retained on our servers.
- Store sessions and access tokens are retained only while the App is installed.
- When you uninstall the App, Shopify sends us a deletion request and all remaining session data for your store is permanently removed from our database within 48 hours.
- Configuration metafields and order tags written by the App remain in your Shopify store under your control and can be removed at any time.
7. GDPR Compliance
The App implements Shopify's mandatory privacy webhooks and responds to them as follows:
- Customer data request — because we store no customer personal data, there is no customer data to export from our systems.
- Customer redaction — because we store no customer personal data, there is nothing to erase from our systems.
- Shop redaction — all data associated with a store is deleted from our database after uninstallation.
Merchants and their customers in the EU/EEA have the rights granted by the GDPR, including access, rectification, erasure, and objection. Since the App stores no customer personal data, most requests can be fulfilled directly through Shopify; for anything else, contact us using the details below.
8. Changes to This Policy
We may update this policy as the App evolves. Material changes will be reflected on this page, and continued use of the App after changes take effect constitutes acceptance of the updated policy.
9. Contact
For privacy questions, data requests, or support, email us at hello@wecraft.dev.