COA Vault — Privacy Policy

Last updated: June 10, 2026

This policy describes what information the COA Vault application (“the Service”), operated by Lot Foundry, collects and how it is used. It is written for the merchants who install the Service and for the shoppers who use its public batch lookup.

If you are a shopper using a batch lookup page

The lookup is anonymous by design. When you enter a batch number or scan a QR code, we record only the batch number searched, whether a document was found, whether the search came from a QR code or a typed form, and the time. We do not collect or store your name, email address, IP address, location, order history, or any other personal information, and we do not set cookies or use trackers on lookup pages.

If you are a merchant using the Service

We store the following for your store:

• Your store’s domain and the authentication tokens Shopify issues so the Service can operate (standard for all Shopify apps).
• The records you create: document titles and metadata (lab name, test and expiry dates), batch and lot numbers, optional product links, and internal notes.
• References to the document files you upload. The files themselves are stored in your own store’s Shopify file storage, not on our servers.
• Anonymous lookup statistics as described above.
• Standard technical logs (such as requests and errors) generated automatically by our hosting providers to operate and debug the Service, retained briefly and not used for profiling.

We do not access your customers’ personal data, orders, or payment information, and we do not request Shopify permissions that would allow it.

How information is used

Solely to operate the Service: displaying your documents to your customers, generating QR codes, and showing you usage statistics. We do not sell or rent any data, use it for advertising, or share it with third parties except the service providers below.

Service providers

• Shopify — app platform, file storage, and billing.
• Vercel — application hosting (USA).
• Supabase — database hosting (USA).

Data retention, deletion, and location

We retain your store’s records for as long as the Service is installed. All data is processed and stored in the United States. If you uninstall the Service, Shopify notifies us and all records we hold for your store — documents metadata, batches, and lookup history — are permanently deleted in accordance with Shopify’s mandatory data removal process. Document files remain in your own store’s file storage under your control. You may also request deletion at any time using the contact below.

GDPR and CCPA

The Service responds to Shopify’s standard privacy webhooks, including customer data requests and redaction requests. Because the Service does not collect shopper personal data, such requests ordinarily return no records. Merchants and shoppers may contact us directly with privacy requests.

Changes

We may update this policy from time to time; material changes will be indicated by updating the date above.

Contact

Privacy questions or requests: support@lotfoundry.com