Transparency You Can Trust
We take your privacy and data security seriously. Review our policies governing your use of MerchantFlow.
GDPR & Data Rights
Our Role as Data Processor
MerchantFlow acts as a data processor on your behalf when handling your ecommerce and analytics data. You (the merchant) are the data controller. We process your data solely to provide the Service, as described in our Privacy Policy.
For account data (your email, name, billing information), MerchantFlow is the data controller and processes it under the legal basis of contractual necessity (performance of our Terms of Service).
Legal Bases for Processing (GDPR Article 6)
| Data Type | Legal Basis |
|---|---|
| Account data | Contractual necessity (Art. 6(1)(b)) |
| Integration data | Contractual necessity & consent (OAuth authorization) |
| Usage analytics | Legitimate interest (Art. 6(1)(f)) - service improvement |
| Billing records | Legal obligation (Art. 6(1)(c)) - tax compliance |
| Marketing emails | Consent (Art. 6(1)(a)) - opt-in with unsubscribe |
Your Rights Under GDPR
If you are located in the EU/EEA, you have the following rights:
- Right of Access: Request a copy of all personal data we hold about you.
- Right to Rectification: Request correction of inaccurate personal data.
- Right to Erasure: Request deletion of your personal data (subject to legal retention requirements).
- Right to Restrict Processing: Request that we limit how we use your data while a concern is investigated.
- Right to Data Portability: Receive your data in a structured, machine-readable format (CSV/JSON).
- Right to Object: Object to processing based on legitimate interests (e.g., analytics).
- Right to Withdraw Consent: Withdraw consent for optional processing (e.g., marketing) at any time.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
Your Rights Under Australian Privacy Act
Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to:
- Access personal information we hold about you (APP 12)
- Request correction of inaccurate information (APP 13)
- Know how your information is collected, used, and disclosed (APP 1 & APP 5)
- Opt out of direct marketing (APP 7)
- Lodge a complaint with the Office of the Australian Information Commissioner
Your Rights Under CCPA (California)
California residents have additional rights:
- Right to know what personal information is collected, used, and shared
- Right to correct inaccurate personal information
- Right to delete personal information
- Right to opt out of the sale of personal information
- Right to non-discrimination for exercising privacy rights
We do not sell personal information to third parties.
Cookie Consent
We use the following categories of cookies and tracking technologies:
| Category | Purpose | Can Opt Out? |
|---|---|---|
| Essential | Authentication, session management, security | No (required for service) |
| Analytics & Error Monitoring | PostHog (EU-hosted) usage analytics, autocaptured DOM interactions, feature adoption, error tracking | Yes (cookie consent banner) |
| Security | Cloudflare Turnstile bot detection | No (anti-abuse) |
Data Processing Agreement (DPA)
For EU/EEA-based merchants, MerchantFlow offers a Data Processing Agreement (DPA) in compliance with GDPR Article 28. To request a copy of our DPA, contact us at [email protected] with the subject line "DPA Request".
Cross-Border Data Transfers
MerchantFlow is operated from Australia with primary infrastructure hosted by Hetzner in Finland (EU). Your data may also be transferred to the following jurisdictions through our sub-processors:
| Sub-Processor | Location | Transfer Mechanism |
|---|---|---|
| Hetzner (hosting) | Finland (EU) | No transfer required (EU-based) |
| PostHog (analytics) | EU (eu.posthog.com) | No transfer required (EU-hosted) |
| Stripe (payments) | United States | EU-US Data Privacy Framework |
| Customer.io (lifecycle email) | EU | No transfer required (EU-based) |
| OpenRouter (AI processing) | United States | Standard Contractual Clauses (SCCs) |
| Postmark (transactional email) | United States | Standard Contractual Clauses (SCCs) |
| Cloudflare (CDN & CAPTCHA) | Global edge network | Standard Contractual Clauses (SCCs) |
For EU/EEA users, transfers to Australia and the United States are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, or by the EU-US Data Privacy Framework where applicable. We do not rely on an adequacy decision for transfers to Australia as none currently exists.
How to Exercise Your Rights
To exercise any of the rights described above, contact us:
Response Time
We will respond to all data rights requests within 30 days (GDPR) or 45 days (CCPA).
We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.