Security and compliance


Shipturtle is hosted on AWS, built to Shopify's security standards, and complies with GDPR and PCI requirements. This article summarizes what protections are in place for your marketplace data and your customers' information.


Who this is for

  • Merchant: Review this if a customer, enterprise buyer, or auditor asks about Shipturtle's security posture or data handling.

What's covered

Customer data protection: Shipturtle meets Shopify's Customer Data Protection requirements (Level 3). Customer personal data — names, email addresses, phone numbers, order details, and delivery addresses — is handled according to Shopify's protected customer data standards. See Shopify's documentation for the full specification.

GDPR compliance: Shipturtle is GDPR compliant. As a listed Shopify app, Shipturtle follows lawful and transparent data processing, minimizes data collection to what's operationally necessary, stores data securely, and supports the rights of individuals to access, correct, or delete their data.

Infrastructure: All Shipturtle services run on Amazon Web Services (AWS). The infrastructure includes automated backups, redundancy, high availability, continuous monitoring, and access controls. See aws.amazon.com for AWS's own security documentation.

PCI compliance and encryption: Shipturtle is PCI compliant. All sensitive data is encrypted at rest and in transit using industry-standard protocols. Shipturtle does not store raw payment card data — all payment processing flows through Shopify and the connected payment gateway (Stripe, PayPal, Razorpay, etc.).

Data sharing: Shipturtle does not share customer or business data with third parties for commercial or marketing purposes. Data is shared with third-party services only when you explicitly enable an integration, and only for the specific operational purpose of that integration — for example, sharing order addresses with a shipping carrier to generate a label, or sending order notifications via WhatsApp through an enabled integration.


Legal documents


FAQs

Can I get a copy of your DPA for enterprise onboarding or audit purposes? Yes. The DPA is publicly available at shipturtle.com/dpa. If you need a countersigned version or additional compliance documentation, contact team@shipturtle.com.

Does Shipturtle access my customers' payment card details? No. Payment processing happens entirely within Shopify and your connected payment gateway. Shipturtle receives order confirmation and payment status from Shopify, not raw card data.

What happens to my data if I uninstall Shipturtle? Shipturtle retains your marketplace data for 3 days after uninstall to allow for a change-of-mind reinstall. After 3 days, all data is permanently deleted. See Uninstall and pause Shipturtle for the full data retention policy.


If you’re stuck, reach us at team@shipturtle.com or open a ticket on the support page.
