Privacy Policy
Last updated July 7, 2026
ExemptGuard ("we", "us") is a Shopify app built by 8th Origin LLC that collects, validates, stores, and tracks US sales-tax exemption and resale certificates for a merchant's store. Because that is the app's whole job, it necessarily stores certificate records — including some personal information about the merchant's wholesale buyers. This policy explains exactly what we hold, why, and how it is deleted.
What we collect
- Store information — your
.myshopify.comdomain, provided by Shopify when you install, plus the app settings you configure (reminder schedule, email templates, automation toggles). - Staff account — the name and email of the staff member who signs in, from your Shopify session, used only to authenticate you into the app.
- Certificate records — the data on each exemption or resale certificate you or your buyer submit: purchaser/entity name, buyer name and email, certificate number, state(s), entity type, issue and expiry dates, validation results, and review notes.
- Certificate files — the uploaded certificate document itself (PDF or image), stored so you can produce it in an audit.
- Audit trail — a timestamped history of what happened to each certificate (uploaded, validated, approved, reminded, exported). This is the app's core "audit insurance" record.
- Customer link — if you connect a certificate to a Shopify customer, we store that customer's ID so the app can set their tax-exempt status in Shopify.
We do not collect payment details, browsing behavior, or anything beyond what the certificate workflow needs. We request only the Shopify permissions the app uses: reading and updating customers (to apply tax-exempt status) and reading orders.
How we use it
Solely to operate the app for you: validate certificates, warn you before they expire, send renewal-request emails to your buyers on your behalf, apply tax-exempt status to customers you approve, and build your audit export. We do not sell data, share it for advertising, or use it to train anything.
AI-assisted extraction (OCR)
When a certificate file is uploaded, we send that document to Anthropic's API once to read fields off it (state, number, dates). The extracted values are suggestions you confirm — nothing is trusted to OCR alone. Under the API terms we use, the document is not used to train models.
Sub-processors
We share the minimum necessary with the infrastructure that runs the app: Shopify (platform and APIs), Vercel (application hosting), Neon (database hosting), Cloudflare R2 (certificate file storage), Anthropic (OCR field extraction), and Resend (renewal emails). Each processes data only to provide its service to us.
Retention & deletion
Certificate records are audit documents, so we keep them while the app is installed. When you uninstall, Shopify sends us a shop/redact request and we delete your store's data — certificate records, stored files, audit trail, and settings. When Shopify sends a customers/redact request for one of your buyers, we delete that buyer's certificate records and stored files. A customers/data_request is logged so you can respond to the buyer with what is on file.
Security
Data is transmitted over HTTPS. Certificate files live in private object storage and are served only through short-lived signed links to your authenticated session. Access tokens are stored server-side.
Your choices
You can delete any certificate from inside the app, export your records at any time, and remove everything we hold by uninstalling ExemptGuard. For any privacy request, email us and we will respond promptly.
Security & incident response
All traffic is encrypted in transit (TLS), and certificate files and database records are stored on infrastructure that encrypts data at rest. Access to personal data is limited to the operator of the service, and exports and sensitive actions are recorded in the audit trail. If we become aware of a security incident affecting personal data, we will investigate promptly and notify affected merchants without undue delay.
Changes
If this policy changes, we will update the date above and, for material changes, notify installed merchants.
Contact
8th Origin LLC — danny@8thorigin.com