What does TouchDrop's privacy policy cover?

TouchDrop's privacy policy describes what customer data we collect from Shopify, Klaviyo, and uploaded CSV lists, how it's encrypted at rest and in transit, who it's shared with (only the print fulfilment partner), and how Australian customers can request access, correction, or deletion under the Australian Privacy Act 1988.

Privacy Policy

How TouchDrop collects, uses, stores, and protects your data.

Last updated: 1 April 2026

Introduction

TouchDrop ("we", "us", or "our") operates the TouchDrop platform, a direct-mail marketing automation service for Shopify merchants. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform, website, and Shopify application. By using TouchDrop, you agree to the practices described in this policy.

What Data We Collect

We collect the following categories of information:

Merchant Account Information

Business name, email address, and contact details provided during registration
Shopify store URL and OAuth access tokens for store integration
Billing details managed through Stripe for payment processing

Customer Data (from Your Shopify Store)

Customer names and mailing addresses used for direct-mail campaigns
Order history and purchase data used for audience targeting (e.g., retention, winback, acquisition segments)
Email addresses used for suppression and deduplication purposes only

Campaign & Usage Data

Campaign configurations, artwork uploads, and template selections
Print job statuses, delivery tracking, and QR code scan data
Attribution and conversion metrics linked to campaigns

How We Use Your Data

To create, send, and track direct-mail postcard campaigns on your behalf
To build and filter audience segments based on your Shopify customer and order data
To process payments and manage your postage balance
To apply suppression rules, validate addresses, and remove duplicate recipients
To generate campaign reports, attribution analytics, and performance insights
To communicate with you about your account, campaigns, and platform updates
To improve our platform, troubleshoot issues, and provide customer support

Data Storage & Security

We take the security of your data seriously and implement industry-standard measures to protect it:

Sensitive data fields are encrypted at rest using industry-standard encryption
All data in transit is protected using secure HTTPS connections
Shopify OAuth tokens and API credentials are stored in encrypted form and never exposed to the frontend
Our infrastructure is hosted on secure, managed cloud platforms with regular security updates
Access to production systems is restricted and monitored

Third-Party Services

We share data with the following third-party service providers, strictly as needed to operate the platform:

Shopify

We connect to your Shopify store via OAuth to read customer, order, and product data required to build campaign audiences and track conversions. We only request the permissions necessary for our service.

Stripe

We use Stripe to process payments and manage subscriptions. Your payment card details are handled entirely by Stripe and are never stored on our servers. See Stripe's Privacy Policy.

SmartComm (Print Partner)

We share recipient names, mailing addresses, and postcard artwork with our Australian print partner, SmartComm, solely for the purpose of printing and posting your direct-mail campaigns. SmartComm does not use this data for any other purpose.

Intercom (In-App Support & Messaging)

We use Intercom to power the in-app help widget and respond to merchant support requests. When you are signed in, we share a limited, allow-listed set of account attributes with Intercom — your email, name, brand name, plan, integration connection status, postage balance, and aggregate campaign counts — so our team can help you faster. We never share your end customers' personal data (names, addresses, or recipient lists) with Intercom. The widget is suppressed entirely on internal admin pages. See Intercom's Privacy Policy. You may request deletion of your Intercom contact record at any time by contacting support@touchdrop.com.au; closing your TouchDrop account also removes your Intercom contact automatically.

Data Retention & Deletion

Campaign data and analytics are retained for the duration of your active account to enable reporting and historical insights
Customer data synced from your Shopify store is refreshed periodically and updated to reflect changes in your store
If you uninstall the TouchDrop app or close your account, we will delete your stored data within 30 days of your request
You may request deletion of specific data at any time by contacting us at support@touchdrop.com.au

Your Rights

As a merchant using TouchDrop, you have the right to:

Access the personal and business data we hold about you
Request correction of inaccurate information
Request deletion of your data, subject to any legal obligations we may have to retain certain records
Withdraw consent for data processing at any time by uninstalling the app or contacting us
Export your campaign data and reports

To exercise any of these rights, please contact us at support@touchdrop.com.au.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify you via email or through a notice on our platform. We encourage you to review this page periodically.

Contact Us

If you have questions about this Privacy Policy or how we handle your data, please reach out:

Email: support@touchdrop.com.au

Need more help? Contact us at support@touchdrop.com.au