Last updated: July 2026
CashTrail audits cash-on-delivery (COD) settlements for Shopify merchants by comparing store orders against courier settlement files the merchant uploads.
With the merchant's permission (read_orders scope), CashTrail reads order metadata from the Shopify API: order numbers, amounts, payment method names, fulfillment status, and tracking numbers. Orders are read live for each audit and are not stored on our servers.
Per shop, we store: app settings (rate cards, tolerances, carrier mappings), audit history summaries (date, file names, flag counts, totals), and detected carrier labels. We do not store customer names, emails, phone numbers, or addresses — CashTrail requests no customer PII.
Courier settlement files are parsed in memory to produce the audit and are not retained after processing.
When the app is uninstalled, Shopify's shop/redact process triggers deletion of everything we hold for that shop. Merchants can also request deletion at any time via the support email below. We honor all mandatory Shopify privacy webhooks (customers/data_request, customers/redact, shop/redact); as we hold no customer-level data, customer requests are acknowledged with nothing to export or erase.
Data is processed on our hosting provider (Railway) and stored in a managed PostgreSQL database. Depending on hosting region, processing may occur in the EU or the United States under standard contractual safeguards. We do not sell merchant data, and we do not share it with any third party except the infrastructure providers named above.
CashTrail is operated from Denmark. For order metadata read via the Shopify API, we act on the merchant's behalf solely to provide the auditing service; for account data (settings, audit history), we act as data controller within the meaning of the EU General Data Protection Regulation (GDPR).
We process data to perform our contract with the merchant (Art. 6(1)(b) GDPR — providing the auditing service the merchant installed) and, for service security and improvement, on the basis of legitimate interest (Art. 6(1)(f) GDPR).
Shop settings and audit history are retained while the app is installed and are deleted after uninstallation via Shopify's shop/redact process, or earlier on request. Server logs are retained by our hosting provider for a limited operational period.
Merchants and individuals may request access, rectification, erasure, restriction of processing, data portability, or object to processing by contacting the email below. You also have the right to lodge a complaint with a supervisory authority — in Denmark, Datatilsynet (www.datatilsynet.dk), or the authority of your own EU member state.
CashTrail uses only essential session cookies required for secure login inside the Shopify admin. We use no advertising, analytics, or tracking cookies.
We may update this policy as the service evolves; the "Last updated" date above reflects the current version. Material changes will be reflected on this page.
Questions or deletion requests: explorermind23@gmail.com