Privacy policy
Effective July 12, 2026 · Written in plain language, because you should actually be able to read it.
OrderTask is a Shopify app that creates and updates tasks in your ClickUp workspace when orders are placed or change in your store. This policy describes exactly what data we handle to do that — no more, no less. You (the merchant) stay the owner and controller of your store's data; OrderTask processes it on your instructions.
What we collect, and why
Order data, including customer details. When Shopify notifies us about an order, the notification includes order fields (order number, line items, totals, shipping method, note, tags) and customer fields: customer name, customer email, and shipping address. Name and email are Shopify "protected customer data" fields, and we access them for exactly one purpose: writing them into the ClickUp task you configured — the task name (for example #1042 — Jane Doe ($86.00)) and your mapped custom fields. We deliberately do not request customer phone numbers.
Your ClickUp connection. When you connect ClickUp we store the OAuth access token for your workspace, encrypted at rest with AES-256-GCM.
Your Shopify session. Standard Shopify app session tokens, used to authenticate your store.
Sync records. A log of every sync attempt (order ID, timestamp, success or failure, and a sanitized error message that is scrubbed of personal data) and a map linking each order ID to its ClickUp task ID. The map contains IDs only — no customer information.
We collect nothing else. No analytics profiles of your customers, no browsing data, no data sales — full stop.
Where your data goes
- Your ClickUp workspace. This is the product: order details are written into tasks in the List you chose. That transfer happens at your direction, and everything written there is yours, in your ClickUp account, under ClickUp's own privacy terms.
- Fly.io — hosts the application and its database.
- Cloudflare R2 — stores continuously replicated, encrypted database backups.
Those are the only subprocessors. We never share, sell, or use your store's data for anything other than running your syncs.
How long we keep it
- Order notifications are processed and then deleted from our queue. Notifications that repeatedly fail are kept for troubleshooting and automatically pruned after 30 days.
- Sync logs and the order↔task ID map are kept while the app is installed so that your sync history and updates keep working.
- The ClickUp token is kept only while your connection is active.
Deletion — automatic, not on request only
OrderTask implements all of Shopify's mandatory privacy webhooks:
- When a customer asks their store to erase their data(
customers/redact): we delete every queued or failed order notification and every sync-log entry for that customer's orders. The ID-only order↔task map remains, since it contains no personal data. - When a customer requests their data(
customers/data_request): we hold no searchable customer profile — we report what we hold (ID mappings and any still-queued order notifications) so the merchant can fulfill the request from Shopify and ClickUp, where the data actually lives. - When you uninstall: your sessions and queued jobs are deleted and the ClickUp token is disconnected immediately. About 48 hours later Shopify sends
shop/redact, and we permanently delete everything else — jobs, sync logs, ID mappings, and your shop record. Tasks already created in your ClickUp workspace are untouched; they're yours.
Security
ClickUp tokens are encrypted at rest (AES-256-GCM). Webhooks are verified with HMAC signatures before processing. Backups are encrypted in transit and at rest. Production and development data are kept separate.
Contact
Questions, requests, or complaints about your data:support@ordertask.app. A human — the person who built the app — reads and answers every message.