Deliver+

Privacy Policy

Last updated: April 9, 2026 · Effective: April 9, 2026

In short: Deliver+ processes order and customer data only to deliver your digital products. We never sell data. We never market to your customers. Your files are stored securely on Cloudflare. When you uninstall, we delete everything within 30 days.

1. Introduction

This Privacy Policy describes how Latte & Launch ("we," "us," "our"), the developer of the Deliver+ Shopify application ("the App," "the Service"), collects, uses, stores, shares, and protects information when you install and use our App or visit our website at latteandlaunch.com.

By installing or using Deliver+, you agree to the collection and use of information in accordance with this policy. If you are a merchant using Deliver+, you are responsible for ensuring your own customers are informed about how their data is processed through our Service.

2. Definitions

  • Merchant: A Shopify store owner who installs and uses Deliver+
  • End Customer: A customer of the Merchant who purchases a digital product and receives a download email
  • Personal Data: Any information that can identify an individual, directly or indirectly
  • Sub-processor: A third-party service provider that processes Personal Data on our behalf
  • Service: The Deliver+ application and all related features, APIs, and tools

3. Scope

This policy applies to:

  • The Deliver+ Shopify application and its embedded admin interface
  • The latteandlaunch.com website and landing pages
  • Any APIs or services operated by Deliver+
  • Email communications sent by the Service on behalf of Merchants

This policy does not apply to third-party websites linked from our Service, the Shopify platform itself (governed by Shopify's privacy policy), or any merchant's own privacy practices.

4. Our Role: Data Controller vs. Data Processor

Understanding our role is important for your rights:

When we act as a Data Processor

When processing End Customer data (names, email addresses, order information) on behalf of a Merchant, we act as a Data Processor. The Merchant is the Data Controller. We process this data solely on the Merchant's behalf and according to their instructions to fulfill digital product delivery.

When we act as a Data Controller

We act as a Data Controller for:

  • Merchant account information (store name, admin email, billing data)
  • Download analytics we collect for security and reporting purposes (IP addresses, timestamps, user agents)
  • Data collected through our marketing website and email opt-in forms
  • Usage data related to how Merchants interact with our dashboard

5. Information We Collect

5a. Information Merchants Provide

  • Shopify store name, domain, and admin email address (via Shopify OAuth)
  • Digital product files uploaded to the Service (PDFs, ZIPs, images, videos, etc.)
  • Product names, descriptions, and configuration settings
  • Email template customizations (colors, logos, text, social links)

5b. Information Collected from End Customers via Merchants

  • Customer name and email address (from Shopify order data)
  • Order number and purchased product details

We receive this data from the Shopify API when an order is placed. We do not collect data directly from End Customers except when they access a download page.

5c. Information Collected Automatically

  • IP address (when accessing download pages)
  • Browser user agent string
  • Download timestamps and frequency
  • Referring URL

5d. Information from Third Parties

  • Shopify API data: order details, product information, store configuration (limited to our declared API scopes)

5e. Marketing Website

  • Email addresses voluntarily submitted through our opt-in form
  • We do not use cookies or tracking pixels on our landing page

6. How We Use Information

Data | Purpose | Legal Basis (GDPR)
Customer name & email | Send download emails, generate download pages | Contract performance (on behalf of Merchant)
Order details | Fulfill digital product delivery | Contract performance
Uploaded files | Store and deliver digital products | Contract performance
IP address & user agent | Download analytics, fraud prevention, rate limiting | Legitimate interest (security)
Download timestamps | Analytics dashboard, link expiration enforcement | Legitimate interest
Store info & admin email | Account management, service communications | Contract performance
Marketing email signups | Newsletter and product tips | Consent

7. Information Sharing and Disclosure

7a. Sub-processors

We use the following third-party services to operate Deliver+:

Service | Purpose | Location | Data Processed
Cloudflare R2 | File storage and delivery | United States / Global edge | Uploaded files, download requests
Resend | Transactional email delivery | United States | Customer email, name, download links
Vercel | Application hosting | United States | Application data, API requests
Shopify | Platform, billing, authentication | Canada / United States | Store data, order data, billing

Each sub-processor is bound by their own privacy policies and data processing agreements. By using Deliver+, Merchants authorize us to use these sub-processors.

7b. We Do NOT

  • Sell, rent, or trade Personal Data to any third party
  • Use End Customer data for our own marketing purposes
  • Share data with advertisers or data brokers
  • Use customer email addresses to send marketing emails
  • Access Merchant files for any purpose other than delivery

7c. When We May Disclose Data

  • Legal requirements: If required by law, regulation, legal process, or government request
  • Safety: To protect the rights, property, or safety of our users or the public
  • Business transfer: In connection with a merger, acquisition, or sale of assets (with prior notice)
  • With consent: When you explicitly authorize us to share information

8. International Data Transfers

Deliver+ is operated from the United States. Our sub-processors (Cloudflare, Resend, Vercel) are primarily based in the United States with global infrastructure. If you are located outside the United States, your data will be transferred to and processed in the United States.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Our sub-processors' compliance with applicable data transfer frameworks
  • Appropriate technical and organizational safeguards

9. Data Retention and Deletion

Data | Retention Period
Merchant account data | Duration of app installation + 30 days
Uploaded files | Until deleted by Merchant or app uninstallation + 30 days
End Customer data (name, email) | Duration of app installation + 30 days
Download analytics | Per plan: 7 days (Free), 30 days (Starter), 90 days (Growth), unlimited (Pro)
Download security logs (IP, user agent) | 90 days
Marketing email addresses | Until unsubscribe or deletion request

Shopify GDPR Webhooks

We implement all three mandatory Shopify GDPR webhooks:

  • customers/data_request: We compile and return all stored data for the specified customer within 30 days
  • customers/redact: We permanently delete all data associated with the specified customer within 30 days
  • shop/redact: We permanently delete all store data, files, and analytics within 30 days of receiving the webhook (triggered 48 hours after app uninstallation)

10. Data Security

We implement the following security measures:

  • Encryption in transit: All data is transmitted over HTTPS/TLS
  • Encryption at rest: Files stored on Cloudflare R2 are encrypted at rest
  • Secure download tokens: 256-bit cryptographic tokens with configurable expiry
  • Webhook verification: All Shopify webhooks verified via HMAC-SHA256 with timing-safe comparison
  • Rate limiting: Per-IP rate limits on all public endpoints to prevent brute-force attacks
  • File validation: MIME type verification and executable file blocking
  • Access controls: Application access limited to authenticated Shopify merchants for their own store data only

11. Data Breach Notification

In the event of a data breach affecting Personal Data:

  • We will notify affected Merchants via email within 72 hours of becoming aware of the breach (as required by GDPR)
  • We will provide details of the breach, data affected, and remediation steps
  • We will cooperate with Merchants to notify their End Customers and relevant supervisory authorities as required

12. Your Rights

For Merchants (Data Controller relationship)

You may at any time:

  • Access, export, or delete your data from the Deliver+ dashboard
  • Delete individual products, files, and customer records
  • Uninstall the app to trigger full data deletion
  • Contact us to request a complete data export

Under GDPR (EEA, UK, Switzerland residents)

You have the right to:

  • Access your Personal Data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing in certain circumstances
  • Data portability - receive your data in a machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (for consent-based processing)
  • Lodge a complaint with your local data protection supervisory authority

Under CCPA/CPRA (California residents)

You have the right to:

  • Know what Personal Information we collect and how it is used
  • Delete your Personal Information
  • Correct inaccurate Personal Information
  • Opt out of the sale or sharing of your Personal Information (we do not sell or share your data)
  • Non-discrimination for exercising your privacy rights

We do not sell Personal Information. We do not share Personal Information for cross-context behavioral advertising.

Under PIPEDA (Canadian residents)

You have the right to access your Personal Data, challenge its accuracy, and withdraw consent. You may file a complaint with the Office of the Privacy Commissioner of Canada.

How to Exercise Your Rights

Contact us at deliver-support@latteandlaunch.com. We will respond to all requests within 30 days. We may need to verify your identity before processing your request.

13. Cookies and Tracking

The Deliver+ application and landing page do not use cookies for tracking or advertising purposes. We do not use analytics pixels, retargeting scripts, or social media tracking on our landing page.

The Deliver+ app running inside the Shopify admin may use strictly necessary cookies for session management, which are governed by Shopify's cookie policy.

14. Children's Privacy

Deliver+ is a business-to-business service intended for use by Shopify merchants. We do not knowingly collect Personal Data from children under the age of 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.

15. Data Processing Agreement

By installing Deliver+, Merchants enter into a data processing relationship with us as described in Section 4. We process End Customer data solely on your behalf and in accordance with your instructions (as expressed through your use and configuration of the Service). For Merchants who require a formal Data Processing Agreement (DPA), please contact us at deliver-support@latteandlaunch.com.

16. Third-Party Links

Our Service may contain links to third-party websites or services (such as the Shopify App Store). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Merchants of material changes by email to the Shopify store admin address and by updating the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.

18. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the United States. For users in the European Economic Area, nothing in this policy affects your rights under GDPR.

19. Contact Us

If you have questions about this Privacy Policy, your data, or wish to exercise your privacy rights:

Email: deliver-support@latteandlaunch.com

Developer: Latte & Launch

Website: latteandlaunch.com

App listing: Shopify App Store
