The design rule behind our storage is simple: we never keep a record connecting a person to an address. Names, emails, and phone numbers don’t enter our database at all. Here’s the complete inventory of what we do keep, and the reasoning.
The address cache: addresses without people
When we verify an address, we keep the verification result so the next check of the same address is instant and doesn’t need a fresh lookup. That cache entry is keyed by a one-way cryptographic hash of the normalized address, and its value holds the verdict plus the corrected form of the address where one exists.
What it doesn’t hold: any name, any order number, any customer identifier, or even which store the check came from. A cache entry is closer to reference data about a building than to a customer record. It says “this address verifies, and its standard form is X”, and nothing about who, when, or why anyone shipped there.
Cache entries also expire on their own: verified addresses after 90 days, undeliverable ones after 30, and suggested corrections after 7, so the freshest data backs the prompts buyers act on.
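An added illustration of the cache shape described above, written for this page rather than taken from the app's own code. Everything in it is an assumption: the normalization rules, the use of SHA-256, and the in-memory dictionary standing in for the real store. What it demonstrates is the property the section claims: the only fields an entry can hold are the verdict, the corrected form and an expiry derived from the verdict, so there is nowhere for a name, order reference or shop identifier to go.

```python
import hashlib
import time
import unicodedata
from dataclasses import dataclass
from typing import Callable, Optional

# Expiry per verdict, as stated on the page: verified 90 days,
# undeliverable 30 days, suggested corrections 7 days.
TTL_SECONDS = {
    "verified": 90 * 86400,
    "undeliverable": 30 * 86400,
    "corrected": 7 * 86400,
}


def normalize_address(raw: str) -> str:
    """Canonical form so 'Main St.' and 'main st' produce the same key.
    These rules are hypothetical; a real normalizer is more involved."""
    text = unicodedata.normalize("NFKC", raw).casefold()
    text = text.replace(".", "").replace(",", " ")
    return " ".join(text.split())


def address_key(raw: str) -> str:
    """One-way key: SHA-256 of the normalized address. The address text
    itself is never stored alongside the key."""
    return hashlib.sha256(normalize_address(raw).encode("utf-8")).hexdigest()


@dataclass
class CacheEntry:
    verdict: str                # "verified" | "undeliverable" | "corrected"
    corrected: Optional[str]    # standard form when one exists, else None
    expires_at: float           # unix time after which the entry is dead


class AddressCache:
    """Keyed by address hash only; there is no field for who, when, or why."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._entries: dict[str, CacheEntry] = {}

    def put(self, raw_address: str, verdict: str,
            corrected: Optional[str] = None) -> str:
        if verdict not in TTL_SECONDS:
            raise ValueError(f"unknown verdict {verdict!r}")
        key = address_key(raw_address)
        self._entries[key] = CacheEntry(
            verdict, corrected, self._now() + TTL_SECONDS[verdict])
        return key

    def get(self, raw_address: str) -> Optional[CacheEntry]:
        key = address_key(raw_address)
        entry = self._entries.get(key)
        if entry is None:
            return None
        if entry.expires_at <= self._now():
            del self._entries[key]      # lazy expiry on read
            return None
        return entry

    def size(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    cache = AddressCache()
    # Constructed sample input, not a real address.
    cache.put("123 Main St., Springfield, IL 62701", "verified")
    hit = cache.get("123 MAIN ST, Springfield, IL 62701")
    print(hit)   # same key after normalization, so the second check is a cache hit
```

One caveat a reviewer would raise: a hash of a guessable string such as a postal address is not a secret, since anyone with a candidate address can hash it and test for a match. That is consistent with the section's own framing. The hash is there to avoid storing address text, and the privacy property rests on the entry carrying no link to a person, not on the key being unrecoverable.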
Per-shop records: counters, not addresses
For your store, we keep what billing and the dashboard need, none of it containing address text:
- A billing ledger: one row per verified order (the order reference and whether it was charged), which is what makes one charge per order enforceable.
- Analytics events: one row per check, holding only the decision and a timestamp. No address, no order reference.
- Prompt resolutions: per order, whether the buyer accepted a fix or kept their address, so no surface ever re-asks. No address text, no buyer identity.
- Your settings: rule configuration and custom messages.
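To make the three per-shop records above concrete, here is an added SQLite sketch of their schema and access paths. It is example code written for this page, not the app's own schema; table and column names are assumptions, and the settings table is left out. The point it demonstrates is structural: no table has a column that could hold address text or a buyer identity, and the primary key on `(shop_id, order_ref)` is what turns "one charge per order" from a policy into a constraint the database enforces.

```python
import sqlite3
import time
from typing import Optional

# Hypothetical schema: only counters, decisions and order references.
SCHEMA = """
CREATE TABLE billing_ledger (
    shop_id   TEXT    NOT NULL,
    order_ref TEXT    NOT NULL,
    charged   INTEGER NOT NULL CHECK (charged IN (0, 1)),
    PRIMARY KEY (shop_id, order_ref)   -- a second row for the same order is rejected
);
CREATE TABLE analytics_events (
    shop_id  TEXT NOT NULL,
    decision TEXT NOT NULL,            -- the verdict only
    ts       REAL NOT NULL             -- no order reference on purpose
);
CREATE TABLE prompt_resolutions (
    shop_id    TEXT NOT NULL,
    order_ref  TEXT NOT NULL,
    resolution TEXT NOT NULL CHECK (resolution IN ('accepted_fix', 'kept_address')),
    PRIMARY KEY (shop_id, order_ref)   -- one resolution per order, so nothing re-asks
);
"""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_verified_order(conn: sqlite3.Connection, shop_id: str, order_ref: str) -> bool:
    """Append the ledger row. Returns True if this call charged the order,
    False if the order was already charged (duplicate key)."""
    try:
        with conn:
            conn.execute("INSERT INTO billing_ledger VALUES (?, ?, 1)",
                         (shop_id, order_ref))
        return True
    except sqlite3.IntegrityError:
        return False


def record_event(conn: sqlite3.Connection, shop_id: str, decision: str,
                 ts: Optional[float] = None) -> None:
    """One analytics row per check: decision and timestamp, nothing else."""
    with conn:
        conn.execute("INSERT INTO analytics_events VALUES (?, ?, ?)",
                     (shop_id, decision, ts if ts is not None else time.time()))


def resolve_prompt(conn: sqlite3.Connection, shop_id: str, order_ref: str,
                   resolution: str) -> bool:
    """Store the buyer's choice once; a repeat for the same order is a no-op."""
    try:
        with conn:
            conn.execute("INSERT INTO prompt_resolutions VALUES (?, ?, ?)",
                         (shop_id, order_ref, resolution))
        return True
    except sqlite3.IntegrityError:
        return False


def needs_prompt(conn: sqlite3.Connection, shop_id: str, order_ref: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM prompt_resolutions WHERE shop_id = ? AND order_ref = ?",
        (shop_id, order_ref)).fetchone()
    return row is None


def columns(conn: sqlite3.Connection, table: str) -> list[str]:
    """Column names of a table; used to check that no address or identity field exists."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]


def check_count(conn: sqlite3.Connection, shop_id: str) -> int:
    return conn.execute("SELECT COUNT(*) FROM analytics_events WHERE shop_id = ?",
                        (shop_id,)).fetchone()[0]


if __name__ == "__main__":
    conn = open_store()
    # Constructed sample identifiers, not real shops or orders.
    print(record_verified_order(conn, "shop-1", "order-1001"))   # True: charged
    print(record_verified_order(conn, "shop-1", "order-1001"))   # False: already charged
    record_event(conn, "shop-1", "verified")
    print(check_count(conn, "shop-1"))
```

The `analytics_events` table deliberately has no `order_ref` column, matching the text: volume and decisions can be counted per shop, but an event can never be joined back to an order.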
Where the customer’s address actually lives
It lives on the order, in Shopify, like always. When a buyer accepts a correction, we write the fixed address onto the Shopify order and keep no copy of our own. The recipient’s name and phone never even pass through the buyer-facing prompt; the order update merges them server-side from data that stays inside Shopify.
This split is deliberate. Shopify is already the system of record for who ordered what and where it ships. Duplicating that into our database would create a second copy of personal data with no benefit to you, and the strongest privacy posture for a copy is for it not to exist.
What this means in practice
If our database were printed out, you could learn that certain addresses exist and verify, and that certain stores ran certain volumes of checks. You could not reconstruct a single fact of the form “this person lives here” or “this customer bought from this store”, because no table contains it. The details of how this interacts with deletion requests are in GDPR and redaction.