Skip to content
  • Home
  • About Us
  • Clients
  • Services
  • Integrations
  • Contact Us
Log in
    Digital Project Design
    • Home
    • About Us
    • Clients
    • Services
    • Integrations
    • Contact Us

    Professional Form Manager — Privacy Policy

    Effective date: July 6, 2026    Last updated: July 6, 2026

    This Privacy Policy explains how Digital Project Design ("DPD", "we", "us", "our") handles information in connection with the Professional Form Manager application (the "App") for Shopify. It applies to merchants who install the App ("Merchants") and to the people who submit a Merchant's storefront forms ("Respondents"), whose information the App processes on the Merchant's behalf.

    The App lets a Merchant build storefront forms, collect submissions (including file attachments), optionally render a submission into a PDF, and deliver the result by email to one or more recipients the Merchant chooses.

    Our role. For the personal data a Respondent enters into a Merchant's form ("Respondent Data"), DPD acts as a data processor on behalf of the Merchant, who is the data controller. The Merchant decides what fields to collect, who receives the submissions, and how long they are kept. Each Merchant is responsible for its own privacy notice to Respondents and for any consent it is required to obtain. This policy describes what the App does so Merchants can make those disclosures accurately.

    Contents

    • 1. Information we process
    • 2. How we use information, and purpose limitation
    • 3. Automated decision-making
    • 4. How information is shared
    • 5. Data retention and deletion
    • 6. Security
    • 7. International data transfers
    • 8. Your rights
    • 9. Children's privacy
    • 10. Changes to this policy
    • 11. Contact

    1. Information we process

    a. Merchant and staff information

    • Store identifiers and configuration: your myshopify.com shop domain, App settings, branding/presentation customizations, and the form definitions you author.
    • Recipient addresses: the email addresses you configure to receive form submissions and any auto-reply/notification content you author.
    • Authentication and session data: the Shopify session issued when your staff open the embedded admin. When a staff user uses the admin, Shopify provides that user's identifier and may provide their first name, last name, and email, which are stored as part of the session so the App can attribute actions (audit log) and greet the signed-in user. This is data about your staff, not your Respondents.
    • Billing status: the subscription/entitlement state Shopify reports for your store, used to apply plan limits. Billing itself is handled by Shopify; we do not receive payment card details.

    b. Respondent information (the data your forms collect)

    The App stores the information a Respondent submits through your form. You choose what those fields are, so the categories depend on your form and can include:

    • Contact and identity details a Respondent types — for example name, email address, postal address, phone number, company, and any other text, selection, number, or date fields you define.
    • A typed signature — where you use a signature field, the App stores the name the Respondent types, the fact that they checked the accompanying agreement box, and the date/time (see the Terms of Service, §7, for what this signature is and is not).
    • File attachments the Respondent uploads (for example a document, image, or PDF), stored as files.
    • Generated PDFs — where your form produces a PDF, the App can render the submission into a PDF for email delivery, and (only if you enable stored PDFs for a form) retain a copy.
    • Submission metadata — a submission timestamp, the form and form-version submitted, and, where the form collects it, a Respondent email used for confirmation replies and to match data-subject requests.

    This is first-party data collected directly through your form. The App requests no Shopify Admin scopes and does not access Shopify "Protected customer data" (your customers' Shopify records). Respondents are storefront visitors submitting a form, not necessarily Shopify customers.

    c. Anti-abuse and technical data

    Because forms are public to anonymous visitors, the App uses Cloudflare Turnstile and a honeypot field to detect bots. Turnstile issues a token that we verify on submit; standard request metadata (such as IP address) is processed transiently by our infrastructure provider at the network edge to serve and protect the App. We do not build Respondent profiles from this data.

    d. Information we do not process

    We do not collect Respondent browsing/behavioral analytics, marketing or cross-site tracking data, or payment card details. We do not use Respondent Data for advertising or profiling.

    2. How we use information, and purpose limitation

    We use the information above solely to:

    • provide and operate the App's form functionality — render forms, accept and store submissions and attachments, optionally generate PDFs, and email submissions to the recipients you configure;
    • send the optional submitter confirmation/auto-reply email where you enable it;
    • provide the admin tools you use to review submissions (view, mask/reveal sensitive fields, export CSV, resend, and delete), and record those actions in an audit log;
    • protect the App against spam and abuse;
    • apply your plan's limits and bill the App through Shopify.

    We limit our use of personal data to these purposes. We do not use Respondent Data for advertising, marketing, profiling, or analytics, and we do not sell or rent personal data to anyone.

    3. Automated decision-making

    The App does not perform automated decision-making or profiling that produces legal or similarly significant effects for any individual. A signature field records a typed name and agreement; it does not evaluate or decide anything.

    4. How information is shared

    Delivery you direct. When a Respondent submits a form, the App emails the submission — and any generated PDF or file links — to the recipient email addresses you have configured. Those recipients are chosen and controlled by you, not by us.

    Sub-processors. We share information with the infrastructure providers that run the App, acting as our sub-processors:

    Sub-processor Purpose Data location
    Shopify The platform the App runs on; billing; source of shop/staff session data Per Shopify
    Cloudflare Application hosting (Workers), database storage (D1), file-attachment storage (R2), and bot protection (Turnstile) Cloudflare global network
    Resend Transactional email delivery (submission notifications, submitter confirmations, secure download links) Resend / its providers

    We do not sell personal data, and we do not share personal data for cross-context behavioral advertising. We may disclose information if required by law.

    5. Data retention and deletion

    We retain data only as long as needed to provide the App and as configured by the Merchant:

    • Configurable retention. Each form has retention windows for submission records and for file attachments, bounded by your plan (for example, shorter fixed windows on entry plans; longer, merchant-set windows on higher plans). A nightly process deletes records and attachments that have passed their retention window, including the underlying files in Cloudflare R2.
    • Minimum-retention floor (Advanced). Where you set a statutory minimum-retention floor on a form, a matching record cannot be deleted before the floor expires; see the erasure handling below.
    • Respondent erasure requests. The primary erasure route is a direct request to the Merchant, handled with the App's in-admin delete/erasure tools. The App also processes Shopify's customers/redact request: it matches submissions by Respondent email and erases them. A submission that is under an active minimum-retention floor is restricted (hidden and use-blocked) with deletion automatically queued for the moment the floor expires, rather than being refused (GDPR Art. 17(3)(b)).
    • Data access requests. On a Shopify customers/data_request, the App compiles the submission data it holds matching the Respondent's email so the Merchant can respond within Shopify's required timeframe.
    • Uninstall. When the App is uninstalled, Shopify sends a shop/redact request (approximately 48 hours later), at which point we delete that store's entire dedicated database and its file attachments in R2, and remove its records (entitlement, sessions) from our systems.

    6. Security

    • Encryption in transit: all communication between the App, Shopify, Respondents, recipients, and our infrastructure uses HTTPS/TLS.
    • Encryption at rest: submission data (Cloudflare D1) and file attachments (Cloudflare R2) are encrypted at rest by Cloudflare.
    • Tenant isolation: each Merchant's data lives in its own dedicated, per-store database, so one Merchant's data is never co-mingled with another's.
    • File-upload safety: uploads are checked at two gates — an enforced size/type limit at upload time and a content (magic-byte) check afterward — against an allowlist you configure over an executable denylist we enforce; risky types (e.g. SVG/HTML) are forced to download rather than render.
    • Controlled access to submissions: sensitive fields can be masked and are revealed only on demand, with reveal and export actions recorded in an append-only audit log; file downloads use signed, expiring links rather than public URLs.
    • Least privilege: the App requests no Shopify Admin scopes and holds only the access it needs to run.

    No method of transmission or storage is completely secure, but we take reasonable measures to protect the information we process. Our incident-handling process is described in our Security Incident Response Policy.

    7. International data transfers

    The App runs on Cloudflare's global network and on Shopify's infrastructure, and email is delivered via Resend, so information may be processed in countries other than where the Respondent or Merchant is located. We rely on our sub-processors' safeguards for such transfers.

    8. Your rights

    Depending on where you live, you may have rights to access, correct, delete, or restrict the processing of personal data, and to object to certain processing.

    • Respondents: please direct requests to the Merchant whose form you submitted; the Merchant is the controller of your data. The App provides the Merchant with the tools described in Section 5 to honor access and deletion requests.
    • Merchants: contact us using the details in Section 11.

    9. Children's privacy

    The App is a business tool provided to Merchants and is not directed to children. We do not knowingly process the personal data of children. A Merchant is responsible for not configuring forms that solicit personal data from children without a lawful basis.

    10. Changes to this policy

    We may update this policy from time to time. When we do, we will revise the "Last updated" date above and post the new version at the published URL. Material changes will be communicated as required by applicable law.

    11. Contact

    Digital Project Design (DPD)
    Digital Project Design LLC
    10441 Chaney Ave, Downey, CA 90241, USA
    Privacy/support email: pfm@digitalprojectdesign.com
    Website: https://www.digitalprojectdesign.com

    Digital Project Design

    Enterprise-grade commerce for growing brands

    Beautiful storefronts.

    Clean data.

    Smooth ops.

    • LinkedIn
    • About Us
    • Services
    • Partners
    • Clients
    • Contact Us
    © 2026, Digital Project Design Powered by Shopify
    • Choosing a selection results in a full page refresh.
    • Opens in a new window.