Overview
Got A Sale ("we", "us", "our") provides an order notification service for WooCommerce and Shopify stores that delivers order alerts to Telegram, Discord, Slack, webhooks, and browser push notifications. This privacy policy explains what data we collect, how we use it, and your rights.
Data We Collect
Store Registration — WooCommerce
When you activate the Got A Sale WordPress plugin, the following data is sent to our server:
- A unique site token (UUID generated by the plugin)
- Your store URL
- Your store name
Store Registration — Shopify
When you install Got A Sale from the Shopify App Store, we complete an OAuth handshake with Shopify and receive:
- Your shop domain (e.g. yourstore.myshopify.com)
- Your shop name
- An OAuth access token for the Shopify Admin API
The access token is encrypted using AES-256-GCM before storage and is used to fetch orders and shop information via the Shopify GraphQL Admin API.
Order Notifications
When an order event occurs (new order, status change, etc.), order details are sent to our server for routing to your connected destinations. This includes:
- Order ID, number, status, total, currency, and payment method
- Customer name, email, and phone number
- Order items (names, quantities, totals, SKUs)
- Billing and shipping addresses (city, state, country)
Order data is not stored on our servers. It is processed in-memory and forwarded to your configured destinations in real time. For the Got A Sale mobile app, orders are fetched live from your store's API (WooCommerce REST API or Shopify GraphQL Admin API) and are never cached or persisted on our servers.
WooCommerce API Credentials
The WordPress plugin creates WooCommerce REST API keys with read/write permissions and sends them to our server. These credentials are encrypted using AES-256-GCM before storage and are used to enable live order viewing and status management from the Got A Sale web app. You can revoke these keys at any time from WooCommerce > Settings > Advanced > REST API.
Shopify API Data Accessed
For Shopify stores, we use the OAuth access token to access the following data via the Shopify GraphQL Admin API:
- Orders — order details, line items, fulfillments, and transactions (for notifications and the mobile app)
- Shop — shop name, domain, and currency (for display purposes)
We do not access or store customer data beyond what is included in individual order notifications. Customer personally identifiable information (PII) is not persisted — orders are fetched live via the API and displayed in real time.
User Accounts
If you create a Got A Sale account (required for paid tiers), we store:
- Your email address
- A hashed password (if you set one) — we use bcrypt
- Session tokens for authentication
Push Notification Subscriptions
If you enable browser push notifications in the Got A Sale web app, we store your push subscription endpoint and encryption keys. These are used only to deliver push notifications you opted into.
Payment Data
Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank details, or other payment credentials. We receive your Stripe customer ID and subscription status for tier management.
How We Use Your Data
- Notification delivery: Routing order events to your configured Telegram chats, Discord channels, Slack workspaces, webhooks, and push subscriptions
- Order viewing & management: Using encrypted API credentials to proxy live order data and process status updates from the Got A Sale web app
- Account management: Authentication, session management, and subscription billing
- Service operation: Error logging, rate limiting, and abuse prevention
Data Retention
- Order data: Not stored. Processed in real time and discarded.
- Store registrations: Retained while the integration is active. Removed upon request or app uninstall.
- API credentials (WooCommerce & Shopify): Encrypted and stored while active. Deleted when you uninstall the app/plugin or request deletion.
- User accounts: Retained until you request deletion.
- Push subscriptions: Automatically cleaned up when they expire or fail delivery.
- Sessions: Expire after 30 days of inactivity.
Third-Party Services
We use the following third-party services:
- Shopify Admin API — to receive webhooks and fetch order/shop data for Shopify stores
- Telegram Bot API — to deliver notifications to Telegram chats
- Discord API — to deliver notifications to Discord channels
- Slack API — to deliver notifications to Slack workspaces
- Stripe — for payment processing and subscription management
- DigitalOcean — server hosting infrastructure
Each service has its own privacy policy governing its handling of data.
Your Rights
You have the right to:
- Access your data — request a copy of what we store about you
- Delete your data — request complete removal of your account and associated data
- Revoke API access — for WooCommerce, remove API keys from WooCommerce settings; for Shopify, uninstall the app from your Shopify admin panel
- Unsubscribe from push notifications — manage in your browser settings or the Got A Sale app
- Cancel your subscription — via the Stripe Customer Portal at any time
Data Deletion
WooCommerce Stores
To request deletion of all your data:
- Uninstall the Got A Sale plugin from WordPress (this removes local settings and WC API keys)
- Email us at help@gotasale.io requesting deletion of your server-side data, including your site token
Shopify Stores
To request deletion of all your data:
- Uninstall Got A Sale from your Shopify admin panel (Settings > Apps and sales channels). This triggers automatic deletion of your encrypted access token and store data from our servers.
- For complete account deletion (including user profile and notification preferences), email us at help@gotasale.io
We will process deletion requests within 30 days.
Shopify GDPR Compliance
Got A Sale complies with Shopify's mandatory GDPR webhook requirements. We handle the following compliance events:
- Customer data request (customers/data_request) — We respond with any data associated with the specified customer. Since we do not store customer PII (orders are fetched live and not persisted), the response will typically confirm no data is held.
- Customer data erasure (customers/redact) — We delete any data associated with the specified customer from our systems.
- Shop data erasure (shop/redact) — When a merchant uninstalls the app, we delete all store data including the encrypted access token, channel links, notification preferences, and any associated configuration within 30 days.
Security
- All communications use HTTPS/TLS encryption in transit
- API credentials (WooCommerce keys and Shopify OAuth tokens) are encrypted at rest using AES-256-GCM
- Passwords are hashed using bcrypt
- Webhook payloads are signed with HMAC-SHA256 for integrity verification
- Shopify webhooks are verified using HMAC-SHA256 with the app's client secret
- Sessions use httpOnly secure cookies