2.1 Account Information

When you create an account, we collect:

• Email address and name
• Company/business name
• Password (securely hashed - we never store plaintext passwords)
• Billing information (processed and stored by Stripe - we do not store card details)

2.2 Integration Data

When you connect third-party services via OAuth, we access and store:

• Google Analytics 4: Website traffic, conversion data, user behavior metrics, property IDs
• Google Search Console: Search queries, impressions, click-through rates, site URLs
• Google Merchant Center: Product feed data, listing issues, merchant IDs
• Google Ads: Campaign metrics, ad spend, product performance data, customer account IDs
• Shopify: Product catalog, orders (including customer names, email addresses, phone numbers, and shipping addresses), revenue, inventory, cost data, shop domain
• WooCommerce: Product catalog, orders (including customer names, email addresses, and shipping addresses), revenue
• Meta Ads: Campaign performance, ad spend, account IDs
• Snapchat Ads: Campaign metrics, ad spend, account IDs
• TikTok Ads: Campaign metrics, ad spend, account IDs

2.3 Usage Data

We automatically collect:

• Log data (IP address, browser type, pages visited)
• Device information
• Product usage analytics via PostHog (EU-hosted) - includes page views, feature usage, button clicks, and DOM interactions via autocapture
• Error tracking and performance monitoring via PostHog (EU-hosted) - captures unhandled errors and stack traces

2.4 OAuth Tokens

We store OAuth access tokens and refresh tokens to maintain connections to your integrated services. These tokens are encrypted at rest using AES-256 encryption with a dedicated encryption key.

2.5 Order and Customer Data

When you connect a commerce platform (Shopify, WooCommerce), we sync and store order data to calculate profitability and attribution metrics. This includes:

• Order details (amounts, dates, payment status, line items)
• Customer names and email addresses (stored for order search and GDPR compliance)
• Customer phone numbers and shipping addresses (encrypted at rest using AES-256)
• Attribution data (UTM parameters, referrer, landing page)

We store this data solely to provide accurate P&L reporting, margin calculations, and order-level analytics. Sensitive personal data (phone numbers, shipping addresses) is encrypted at rest. We support Shopify-mandated customer data redaction and deletion requests.

2.6 AI Assistant Data

If you use AI-powered features, your prompts and contextual business data (including revenue figures, product margins, channel performance, ad spend, and cohort data) may be sent to OpenRouter, which routes requests to underlying AI model providers such as Anthropic, OpenAI, or Google. We do not use your MerchantFlow customer data to train our own AI models. The specific model provider handling your request depends on our configuration at the time of the query.

3.1 Communications

We send two categories of electronic communications:

Transactional and Service Communications (sent regardless of marketing preferences):

• Account security alerts (login from new device, password changes, suspicious activity)
• Billing confirmations, receipts, payment failures, and subscription changes
• Integration status notifications (sync failures, disconnected accounts, credential expiry)
• Service disruptions, maintenance windows, and incident updates
• Regulatory or legal notices required by law
• Responses to your support requests
• Onboarding guidance and setup instructions for features you have activated
• Daily performance summaries and anomaly alerts you have configured
• Data export and account deletion confirmations

These communications are essential to the operation, security, and integrity of your account. You cannot opt out of transactional communications while maintaining an active account, as they are necessary to fulfill our contractual obligations to you.

Marketing and Product Communications (opt-out available):

• Product announcements, new feature releases, and platform updates
• Tips, guides, and best practices for using MerchantFlow
• Surveys and feedback requests
• Promotional offers and partnership announcements

You may opt out of marketing communications at any time by clicking the "Unsubscribe" link in any marketing email, updating your preferences in Settings → Notifications, or emailing [email protected]. Opting out of marketing communications does not affect transactional communications.

4.1 Legal Requirements

We may disclose your information if required by:

• Legal process (subpoena, court order)
• Government requests
• Protection of our rights or safety of others
• Investigation of fraud or security issues

4.2 Business Transfers

If MerchantFlow is acquired or merged, your information may be transferred to the new entity. You will be notified via email and dashboard notification of any such change at least 30 days in advance.

6.1 Storage Location

Your information may be processed in Australia, the European Union, the United States, and other countries where we or our service providers operate. MerchantFlow is operated by MerchantFlow Pty Ltd from Adelaide, South Australia.

6.2 Security Measures

We use technical and organisational safeguards designed to protect data, including:

• AES-256-GCM encryption at rest for OAuth tokens, customer phone numbers, and shipping addresses
• Tenant isolation at the database layer (all queries are scoped to your tenant)
• Rate limiting on API endpoints
• Security headers (CSP, HSTS, X-Frame-Options)
• Passwords hashed with bcrypt
• Automated monitoring, error tracking, and encrypted backups

6.3 Data Breach Notification

In compliance with the Australian Notifiable Data Breaches (NDB) scheme, if we experience a data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and all affected individuals as soon as practicable.

6.4 Data Retention

See our Data Retention Policy for full details. Summary:

• Active Accounts: Data retained while account is active
• After Account Deletion: Personal information deleted or de-identified from active systems within a reasonable period, generally within 30 days, subject to backup retention, legal obligations, dispute resolution, fraud prevention, and legitimate business record-keeping requirements
• Backup Data: Removed from backups within 90 days

7.1 Access and Portability

You have the right to:

• Access your personal data
• Export your analytics data in CSV format
• Request a machine-readable copy of your information

7.2 Correction and Deletion

You can:

• Update account information in Settings
• Disconnect integrations at any time
• Delete your account through your account settings or by contacting support
• Request data deletion by contacting [email protected]

7.3 Communication Preferences

You can opt out of marketing communications at any time by:

• Clicking the "Unsubscribe" link in any marketing email
• Updating your preferences in Settings → Notifications
• Emailing [email protected]

Transactional and service communications (account security, billing, integration status, configured alerts) cannot be opted out of while your account is active, as they are necessary to fulfill our contractual obligations. See Section 3.1 for the full list of communication types.

7.4 GDPR Rights (EU/EEA Users)

If you are located in the EU/EEA, you have additional rights under GDPR:

• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent
• Right to lodge a complaint with a supervisory authority

See our GDPR & Data Rights page for more details.

7.5 Australian Privacy Principles

Under the Australian Privacy Act 1988, you have the right to access and correct your personal information. If you believe we have breached the APPs, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

7.6 California Privacy Rights (CCPA)

California residents have the right to:

• Know what personal information is collected
• Know if personal information is sold or disclosed
• Access personal information
• Correct inaccurate personal information
• Delete personal information
• Opt-out of sale of personal information
• Non-discrimination for exercising privacy rights

We do not sell personal information to third parties.