Legal & Privacy - MerchantFlow Policies
MerchantFlow legal documents including terms of service, privacy policy, GDPR compliance, data security practices, and cookie policies.
Legal & Privacy
MerchantFlow legal and privacy documentation covers all policies, compliance standards, and data protection practices that govern your use of the platform. MerchantFlow is committed to transparent data handling, enterprise-grade security, and full regulatory compliance.
Legal Documents
- Terms of Service - user agreement and service terms
- Privacy Policy - how we collect, use, and protect your data
- GDPR Compliance - European data protection rights and retention policies
- Data Security - technical and organizational security measures
Our Privacy Commitments
What We Never Do
- Sell your data to third parties
- Share data with advertisers
- Use your data for unrelated purposes
- Access your data without permission
What We Always Do
- Encrypt data in transit (TLS 1.2 or higher) and at rest (AES-256)
- Request minimum necessary permissions (read-only access for all integrations)
- Provide transparent privacy practices
- Give you control over your data (access, export, delete)
Security Standards
MerchantFlow meets industry security standards:
- GDPR compliant - full European data protection compliance
- PCI DSS compliant - payment processing through Stripe
- Regular security audits and penetration testing
- OAuth 2.0 for all third-party integrations with encrypted token storage
Compliance
MerchantFlow complies with:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- CAN-SPAM Act
- Payment Card Industry Data Security Standard (PCI DSS)
What Data We Collect
Account information: Email address, name, company name, password (encrypted).
Integration data: Product information, analytics metrics, order data, advertising performance. All accessed through read-only OAuth connections.
Usage data: Pages viewed, features used, session duration, device and browser info.
What we do NOT collect: Customer personal information from your store, payment card details (handled by Stripe), or unnecessary personal information.
Your Privacy Rights
You have the right to:
- Access your data
- Correct inaccurate data
- Delete your data (with exceptions for legal compliance)
- Export your data in standard formats (CSV, JSON)
- Object to processing
- Withdraw consent for marketing communications
Exercise rights: Email [email protected] with your specific request. We respond within 30 days.
Data Retention
Active accounts: Data retained for the duration of your subscription.
Closed accounts: 30-day grace period for reactivation, then permanently deleted. Backups removed within 90 days.
Automatic purge: Certain data types (audit logs, sync logs, analytics snapshots) are subject to automatic retention policies. See GDPR Compliance for details.
Cookie Policy
Essential cookies: Authentication, security features, load balancing.
Analytics cookies: Aggregated usage statistics, feature adoption, performance monitoring.
Preference cookies: Dashboard settings, timezone, currency preferences.
No advertising cookies are used.
Contact for Legal Inquiries
- General legal questions: [email protected]
- Privacy concerns: [email protected]
- GDPR requests: [email protected] (Subject: GDPR Request)
- Security issues: [email protected]
Frequently Asked Questions
Is MerchantFlow GDPR compliant?
Yes. MerchantFlow is fully GDPR compliant as both a data controller and data processor. We offer Data Processing Agreements, support data subject rights (access, rectification, erasure, portability), and implement Standard Contractual Clauses for cross-border transfers.
Does MerchantFlow sell my data?
Never. MerchantFlow does not sell, rent, or trade your personal information or business data to any third party. Data is shared only with essential service providers (AWS for hosting, Stripe for payments) and as required by law.
Where is my data stored?
Primary data is stored in the AWS US East region. Backups are encrypted across multiple AWS regions. EU data residency options are available on request for enterprise customers.
Can I delete all my data from MerchantFlow?
Yes. Cancel your subscription and request data deletion from [email protected]. After the 30-day grace period, all data is permanently deleted. Backups are removed within 90 days.
Does MerchantFlow have write access to my store or ad accounts?
No. MerchantFlow requests read-only access for all integrations. We never modify your data, create campaigns, or make changes to your connected platforms.
Last updated: March 14, 2026