Privacy Policy
How OrderPing collects, uses, shares, and retains data — for Shopify merchants who install the app and for the end customers who receive WhatsApp messages from merchants using it.
Effective date: 19 April 2026
Last updated: 19 April 2026
1. Who we are
OrderPing is a Shopify app operated by KriLabs (“KriLabs”, “we”, “us”). OrderPing sends transactional WhatsApp messages — including Cash-on-Delivery (COD) order verification and order lifecycle notifications (created, shipped, delivered, etc.) — on behalf of Shopify merchants.
For any privacy question, contact us at support@kri-labs.com.
2. Scope — and who the “data subject” is
OrderPing processes two kinds of personal data, and our role under data protection law differs for each:
- Merchant data — information about the Shopify store owner/staff who installs OrderPing (name, email, Shopify shop domain, billing info, WhatsApp Business Account credentials they configure). For this, KriLabs is the data controller.
- End-customer data — information about the shoppers who place orders with a merchant and receive WhatsApp messages from OrderPing (name, phone number, order details). For this, the merchant is the data controller and KriLabs is a data processor acting on the merchant’s instructions. The merchant’s own privacy policy governs this data.
3. Data we collect
3a. Merchant data
- Shopify account data — shop domain (e.g. yourstore.myshopify.com), shop owner name & email, store country, currency, timezone, plan name. Provided by Shopify when you install the app.
- Shopify OAuth session tokens — used to make authenticated API calls on your behalf. Stored encrypted.
- WhatsApp Business credentials — phone number ID, WhatsApp Business Account ID, and access token that you enter in Settings. Stored encrypted (AES-256-GCM) at rest.
- App configuration — lifecycle stage settings, WhatsApp template configurations, quiet hours, test mode, tag rules.
- Billing data — your subscription plan, quota usage, invoice records. Payment itself is handled by Shopify; we do not see or store card details.
- Support communications — emails you send to support@kri-labs.com and any information you include in them.
3b. End-customer data (processed on the merchant’s behalf)
When a merchant installs OrderPing, Shopify sends us order webhooks. From each relevant order we store:
- Customer first name, last name
- Customer phone number (normalized to E.164)
- Shopify order ID, order number, total amount, currency, payment method
- Line items, shipping address fields used in templates (city, country)
- COD confirmation token (for the customer-facing confirmation link), confirmation/decline status, timestamps
- WhatsApp send status, delivery receipts, error codes returned by Meta
We do not collect or store: credit card numbers, CVVs, government ID numbers, health data, or any special-category data.
3c. Automatically collected data
- Logs — HTTP request logs, error logs, job execution logs (IP address, user agent, timestamps, request path). Used for debugging and abuse prevention.
- Cookies — OrderPing is an embedded Shopify app; we use only strictly necessary session cookies required to keep you signed in. We do not use advertising or analytics cookies on the admin app. The public documentation site (kri-labs.com) is static HTML and does not set tracking cookies.
4. Why we use this data (legal basis)
| Purpose | Legal basis (GDPR) |
|---|---|
| Deliver the core service (send WhatsApp messages, process confirmations) | Contract (Art. 6(1)(b)) with the merchant; legitimate interest of the merchant in confirming orders with their customers (Art. 6(1)(f)) |
| Billing and subscription management | Contract (Art. 6(1)(b)) |
| Security, abuse prevention, debugging | Legitimate interest (Art. 6(1)(f)) |
| Comply with Shopify GDPR webhooks, law enforcement requests | Legal obligation (Art. 6(1)(c)) |
| Product improvements based on aggregated, non-identifying usage | Legitimate interest (Art. 6(1)(f)) |
We do not use end-customer data for marketing, profiling, or any purpose beyond sending the transactional messages configured by the merchant.
5. Sub-processors
We use the following sub-processors to run OrderPing. All have contractual data protection obligations at least as strong as those in this policy.
| Sub-processor | Purpose | Data region |
|---|---|---|
| Shopify | Source of merchant & order data; app hosting platform; billing | Global |
| MongoDB Atlas | Primary database (sessions, orders, notifications, settings) | Configurable; currently AWS region set at deploy time |
| Railway | App & worker hosting | US / EU regions |
| Redis (managed) | Background job queue (BullMQ) | Same region as the app |
| Meta Platforms, Inc. (WhatsApp Cloud API) | Delivery of WhatsApp messages | Global — Meta’s infrastructure |
| Cloudflare | DNS, CDN, static site hosting (kri-labs.com and this docs site) | Global edge network |
| Google Workspace | Support email (support@kri-labs.com) | Global |
We will update this list when sub-processors change. Material changes are announced in the changelog and via the app’s admin UI.
6. How we share data
We share personal data only:
- With the sub-processors listed above, strictly to operate the service.
- With the merchant — they see all the end-customer data tied to their store in the OrderPing admin.
- If required by law, court order, or valid legal process, or to protect the rights, safety, or property of KriLabs or others.
- In the event of a merger, acquisition, or asset sale, in which case we will notify affected merchants before personal data becomes subject to a different privacy policy.
We do not sell personal data and we do not share it for cross-context behavioural advertising.
7. International data transfers
KriLabs operates from India. Sub-processors may process data in other countries including the United States and the EU. Where personal data is transferred out of the EEA / UK, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and equivalent UK IDTA safeguards, plus the data protection commitments each sub-processor makes in their own Data Processing Addendum.
8. Retention
- Active merchant data & orders — kept for as long as the app is installed.
- After uninstall — data is retained for 30 days in case you reinstall, then permanently deleted. You can request immediate deletion earlier.
- Shopify GDPR webhooks — we honor customers/data_request, customers/redact, and shop/redact. On customers/redact and shop/redact, relevant records are deleted within 30 days of receiving the webhook, as required by Shopify.
- Logs — request logs are retained up to 30 days; error logs up to 90 days.
- Billing records — retained for the period required by applicable tax and accounting law (typically up to 8 years in India).
- Support emails — retained for 24 months unless you ask us to delete them sooner.
9. Security
- All traffic is served over TLS 1.2+.
- WhatsApp access tokens and other secret credentials are encrypted at rest with AES-256-GCM using a separate encryption key.
- MongoDB Atlas encrypts data at rest and is accessible only via IP-allowlisted connections from our infrastructure.
- Webhook endpoints verify Shopify HMAC signatures before processing any payload.
- Production access is restricted, MFA-protected, and logged.
No system is perfectly secure. If we discover a breach affecting your personal data, we will notify affected merchants without undue delay and, where required, the relevant supervisory authority.
10. Your rights
Depending on where you live, you have rights under laws such as the EU/UK GDPR, India’s Digital Personal Data Protection Act, 2023 (DPDP Act), and comparable frameworks. These typically include:
- Access — a copy of your personal data.
- Rectification — correcting inaccurate data.
- Erasure — deletion of your data (subject to legal retention obligations).
- Restriction / Objection — limiting or objecting to certain processing.
- Portability — receiving your data in a machine-readable format.
- Withdraw consent — where processing is based on consent, you can withdraw it at any time.
- Complain — to a supervisory authority (e.g. your local EU DPA, the UK ICO, or India’s Data Protection Board once operational).
To exercise any of these rights, email support@kri-labs.com. If you are an end customer of a merchant that uses OrderPing, please contact that merchant first — they control your data. We will assist them in fulfilling your request.
11. Children
OrderPing is a B2B tool; it is not directed at children under 16 and we do not knowingly process children’s personal data. If you believe a child has provided personal data through a merchant using OrderPing, contact us and we will delete it.
12. WhatsApp & Meta
To deliver messages, OrderPing passes end-customer phone numbers, names, order numbers, and other template variables to Meta Platforms, Inc. via the WhatsApp Business Cloud API. Meta’s handling of that data is governed by Meta’s own WhatsApp Business Solution Terms and WhatsApp Privacy Policy. The WhatsApp Business Account used to send messages belongs to the merchant, not to KriLabs.
13. Shopify
OrderPing is installed from the Shopify App Store and operates inside the Shopify embedded-app framework. Shopify’s own Privacy Policy applies to the data Shopify collects about merchants and their customers. We only receive the data you explicitly authorize via the app’s scopes (read_orders, write_orders).
14. Changes to this policy
We will update this policy when our practices change. Material changes are announced in the changelog and shown in the admin UI on your next sign-in. The “Last updated” date at the top reflects the most recent revision.
15. Contact
KriLabs
Email: support@kri-labs.com
Website: kri-labs.com
For data protection questions specifically, use the same email and include “Privacy” in the subject line.