Skip to content

Privacy Policy

What Mulligan collects, why, and how it’s handled.

Last updated: June 1, 2026

This policy describes the factual data practices of the Mulligan Shopify app. It is provided for transparency and is not legal advice — have it reviewed by a lawyer before relying on it.

Who we are

Mulligan (“we”, “us”) is a Shopify app operated by [Your registered business name], [Your business address]. Mulligan lets a merchant’s customers make changes to their own orders shortly after checkout. This policy covers the data the app processes on behalf of merchants who install it.

Data we collect

Mulligan is designed to store the minimum needed to run. Specifically:

  • Shopify session & access token — so the app can act on the store’s behalf via the Shopify Admin API.
  • Per-shop settings — your configuration (which edits are allowed, editing window, safety rules, ChannelDock credentials, etc.).
  • Edit-event records — a log of order changes made through the app (type of edit, order reference, timestamp) used for the merchant analytics and audit trail.
  • Support messages — messages a customer sends the store through Mulligan, shown in the merchant’s admin inbox.
  • Address-validation logs — records of address checks performed (used for usage reporting and to power validation).

We do not collect or store customer payment-card data. Payments, refunds, and invoicing are handled by Shopify and its payment providers; Mulligan only triggers those actions through Shopify.

How we use data

  • To provide the order-editing features the merchant has enabled.
  • To enforce the safety rules (editing window, fulfillment holds, reverse-unpaid edits, same-country rule, discount recalculation).
  • To produce the merchant’s in-app analytics (edits over time, by type, cancellation reasons, estimated support savings).
  • To sync corrected shipping addresses to ChannelDock when a merchant has connected their ChannelDock account.

Sharing & third parties

We share data only where needed to deliver the service:

  • Shopify — the platform the app runs on; order, refund, and fulfillment actions are executed through Shopify’s APIs.
  • ChannelDock — only if the merchant connects it, and only the order/address data required to keep the fulfillment address in sync.
  • Address-validation provider — addresses are checked against a validation service (e.g. Google) to warn on undeliverable addresses.

We do not sell personal data.

Data retention

Settings and edit-event records are retained while the app is installed so analytics and audit history remain available. When a store uninstalls Mulligan, or on a valid deletion request, associated data is removed in line with the GDPR webhooks below.

GDPR & data requests

Mulligan implements Shopify’s mandatory privacy webhooks, which let a merchant or their customers exercise data rights:

  • customers/data_request — surfaces the data we hold for a given customer.
  • customers/redact — deletes a specific customer’s data on request.
  • shop/redact — deletes a store’s data after uninstall.

To make a request directly, email support@getmulligan.app.

Security

Access tokens and credentials are stored to operate the app and are not exposed to other merchants. Access is limited to what the app needs to function.

Changes to this policy

We may update this policy as the app evolves. Material changes will be reflected by the “last updated” date above.

Contact

Questions about privacy? Email support@getmulligan.app.