Privacy Policy

Effective Date: March 2026

LockerWise ("the App") is a Shopify app developed by MALVI DESIGN that enables Greek merchants to offer pickup-point and locker delivery options at checkout via Skroutz Last Mile (SLM), ACS Courier, and Box Now. This Privacy Policy describes what data we access, what we store, and how we use it.

1. Data We Access

To provide its core functionality, LockerWise requests the following Shopify permissions:

• read_orders / write_orders — To detect pickup-point orders, read shipping lines, and write tracking metadata to orders.
• write_shipping — To register the app as a carrier service and return real-time shipping rates at checkout.
• write_merchant_managed_fulfillment_orders — To create fulfillments with carrier tracking numbers on behalf of the merchant.

At checkout, the app receives the customer's destination (city, postal code, country) to calculate distances to nearby pickup points. When a shipment is created, recipient details (name, address, phone) are read from the Shopify order and forwarded directly to the selected carrier API (SLM, ACS, or Box Now) to generate the shipping voucher. This data is used only for the shipping transaction and is not stored by LockerWise.

2. Data We Store

LockerWise stores only the minimum data necessary to operate:

• Shopify session tokens — Stored temporarily to maintain authenticated sessions with the Shopify API.
• Merchant settings — API credentials (tokens, keys) for SLM, ACS, and Box Now are stored in Shopify shop metafields, which are owned and controlled by the merchant's Shopify account. A local cache copy is kept in the app database solely to serve real-time checkout rate requests without additional API calls.
• Order index records — For each detected pickup-point order we store: Shopify order ID, order name (e.g. #1001), carrier (SLM/ACS/Box Now), and shipment status. No customer PII is stored — no names, addresses, phone numbers, or email addresses.
• Carrier point caches — Lists of pickup point locations (locker addresses, coordinates) fetched from carrier APIs and cached for up to one hour to improve checkout response times.

3. Data We Do Not Store

LockerWise never persists the following in its own database:

• Customer names, addresses, phone numbers, or email addresses
• Payment information or order totals
• Any other personally identifiable information (PII)

4. Third-Party Data Sharing

When a merchant creates a shipment, recipient shipping details (name, address, postal code, phone) are transmitted to the relevant carrier API — Skroutz Last Mile, ACS Courier, or Box Now — as required to generate the shipping label. These carriers operate under their own privacy policies and data handling practices. LockerWise does not sell, rent, or share customer data with any party other than the carrier selected by the merchant.

5. Data Retention & Deletion

Order index records are retained for 60 days for operational purposes (shipment tracking, billing). Merchant settings cached in our database are deleted when the app is uninstalled. Upon receiving a data erasure request via Shopify's GDPR compliance webhooks, we delete all associated records from our database.

Because customer PII is never stored in our database, customer data erasure requests result in confirmation that no data was held.

6. Security

Merchant API credentials are stored in Shopify-controlled metafields (encrypted at rest by Shopify) and in our application database, which is hosted on infrastructure with industry-standard security controls. Access is restricted to authenticated, authorised requests only.

7. GDPR Compliance

LockerWise implements all mandatory Shopify GDPR webhooks:

• customers/data_request — We confirm no customer PII is held.
• customers/redact — We process deletion requests (no PII to delete).
• shop/redact — We delete all shop data upon uninstall.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted at this URL with an updated effective date. Continued use of the app after changes constitutes acceptance of the updated policy.

9. Contact

If you have any questions about this Privacy Policy or how your data is handled, please contact us at dev@mal-vi.com.