Privacy Policy

Last updated: 2026-06-04

1. Who we are

COD Verifier is operated by AVBoost Agency. This policy explains how we collect, use, and protect data when you use COD Verifier to send WhatsApp order-confirmation messages to your customers.

2. Data we collect

From merchants (you)

  • Account email address and authentication credentials.
  • Store connection credentials — Shopify OAuth tokens (scopes: read_orders, write_orders, read_customers), WooCommerce API key, or PrestaShop API key. All credentials are encrypted at rest.
  • WhatsApp Business Account ID and associated phone number for the sender line.
  • Billing information processed by Stripe (we do not store raw card data).

From your customers (order data)

  • Order ID, order amount, and COD flag — received via Shopify/WooCommerce/PrestaShop order-create webhooks.
  • Customer phone number — used to send the WhatsApp confirmation. Phone numbers are hashed before storage; we never store the raw number in our database.
  • WhatsApp message delivery status and customer reply (YES / NO / no reply) — retained for 90 days, then purged.

3. How we use data

  • To send WhatsApp confirmation messages on your behalf.
  • To update order status (confirmed / auto-cancelled) via your store's API.
  • To display your COD verification dashboard and analytics.
  • To operate billing, support, and service notifications.

We do not read your product catalogue, customer financial records, or any data beyond what is listed above.

4. Data storage and security

  • All data is stored in the EU (Hetzner Falkenstein, Germany).
  • Row-level security enforced per merchant tenant in Postgres.
  • Store credentials encrypted at rest (AES-256-GCM with per-tenant key).
  • Inbound webhooks are HMAC-validated before processing (WhatsApp sha256= signature; Shopify X-Shopify-Hmac-SHA256 header).
  • HTTPS enforced on all endpoints. No raw credentials in logs.

5. Data retention

  • WhatsApp message content and customer reply data: 90 days.
  • Order-level verification records: retained while your account is active.
  • Account data: retained until you request deletion.
  • Aggregated analytics (no PII): retained indefinitely.

6. Third-party services

  • Meta WhatsApp Business API (Cloud API) — message delivery. Governed by Meta's terms and privacy policy.
  • Shopify, WooCommerce, PrestaShop — order data received via webhook; order status updated via API.
  • Stripe — payment processing. Governed by Stripe's privacy policy.

We comply with Shopify's mandatory GDPR webhooks: customers/data_request, customers/redact, shop/redact.

7. Your rights (GDPR)

You may request access to, correction of, or erasure of your data at any time. To exercise these rights, email [email protected]. We will respond within 30 days.

For customer data erasure requests forwarded by your customers, you are the data controller; we act as processor and will action your verified requests promptly.

8. Cookies

We use a session cookie for authenticated dashboard access only. No advertising or tracking cookies.

9. Contact

Questions about this policy: [email protected]