GDPR Compliance - Data Protection
MerchantFlow GDPR compliance documentation covering data retention policies, user rights, Shopify and Meta GDPR webhooks, and how to exercise data protection rights.
GDPR Compliance
Effective Date: December 27, 2025
MerchantFlow Pty Ltd ("MerchantFlow", "we", "us") is committed to compliance with the General Data Protection Regulation (GDPR). This page outlines our data protection practices, retention policies, and your rights as a data subject. MerchantFlow processes personal data as both a data controller (for account and usage data) and a data processor (for integration data processed on behalf of our users).
Data Retention Policies
Automatic Data Purge
MerchantFlow automatically purges data based on configurable retention policies, ensuring that data is not retained longer than necessary for its intended purpose.
Retention Periods by Entity Type
| Entity Type | Description | Purpose |
|---|---|---|
| audit_log | User and system audit trails | Security and compliance tracking |
| sync_log | Integration synchronization records | Debugging and sync history |
| analytics_snapshot | Point-in-time analytics data | Historical trend analysis |
| product_metrics_cache | Cached product performance data | Dashboard performance optimization |
| integration_log | Integration activity records | Troubleshooting and monitoring |
When a retention period expires, the corresponding data is automatically and permanently deleted.
Manual Data Deletion
You can request manual deletion of specific data at any time by contacting [email protected].
Platform-Specific GDPR Compliance
Shopify GDPR Compliance
MerchantFlow complies with Shopify's data protection requirements by handling the following automatically:
- Customer Data Requests - when a Shopify store customer requests their data, MerchantFlow processes the request and provides any relevant data held
- Customer Data Deletion - when a customer requests data deletion, all associated data is permanently removed
- Store Data Deletion - when a store uninstalls MerchantFlow, all data associated with the shop is permanently deleted and integration credentials are revoked
Meta Data Deletion
MerchantFlow supports Meta's data deletion requirements. When Meta sends a data deletion request, all associated Meta Ads data is permanently removed.
Your Rights Under GDPR
Right of Access
You have the right to request a copy of all personal data we hold about you, including account information, integration data, and usage logs.
How to exercise: Email [email protected] with the subject "GDPR Data Access Request."
Right to Rectification
You can update most account information directly through Settings > Profile. For other corrections, contact us.
Right to Erasure (Right to be Forgotten)
You can request deletion of your personal data when the data is no longer necessary, you withdraw consent, you object to processing, or the data has been unlawfully processed.
Exceptions: We may retain data where required by legal obligation or for the defense of legal claims.
Right to Data Portability
You can receive your personal data in standard formats (CSV, JSON) using built-in export features or by requesting a full data export.
Right to Restriction of Processing
You can request that we restrict processing in certain circumstances, including while we verify contested data accuracy or while we consider an objection to processing.
Right to Object
You can object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Legal Basis for Processing
| Legal Basis | Data Processed | Purpose |
|---|---|---|
| Contract performance | Account data, integration data | Providing the MerchantFlow service |
| Legitimate interests | Usage data, analytics | Service improvement, security |
| Consent | Marketing communications | Product updates, newsletters |
| Legal obligation | Financial records, audit logs | Tax compliance, regulatory requirements |
Data Processing Agreements
MerchantFlow enters into Data Processing Agreements (DPAs) with sub-processors who handle personal data and with customers who require a DPA for their own GDPR compliance.
To request a DPA, contact [email protected].
Sub-Processors
- Cloud hosting - infrastructure and data storage
- Payment processing - Stripe (PCI-compliant)
- Email services - transactional email delivery
- Error monitoring - application performance and error tracking
Cross-Border Data Transfers
When personal data is transferred outside the European Economic Area (EEA):
- Transfers are governed by Standard Contractual Clauses (SCCs)
- Adequate safeguards are in place as required by GDPR
- Data protection impact assessments are conducted where necessary
Data Protection Officer
For GDPR-specific inquiries:
- Email: [email protected]
- Response time: within 72 hours
- GDPR requests: [email protected] with subject "GDPR Request"
Breach Notification
In the event of a personal data breach:
- We assess the breach within 24 hours of discovery
- Supervisory authorities are notified within 72 hours where required
- Affected data subjects are notified without undue delay when the breach poses a high risk
- Full documentation of the breach, its effects, and remedial actions is maintained
How to Exercise Your Rights
- Email [email protected]
- Subject line: Include "GDPR" and the specific right (e.g., "GDPR Data Access Request")
- Identification: We may need to verify your identity before processing
- Response time: Within 30 days of receiving your verified request
- No charge: Exercising your rights is free, except in cases of manifestly unfounded or excessive requests
Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence.
Frequently Asked Questions
Is MerchantFlow a data controller or data processor?
MerchantFlow acts as a data controller for account and usage data, and as a data processor for integration data processed on behalf of users.
Can I get a Data Processing Agreement?
Yes. Contact [email protected] to request a DPA. Standard DPAs include GDPR compliance clauses and are available for all customers.
How long does MerchantFlow retain my data after account deletion?
After account deletion, data enters a 30-day grace period for reactivation. After that, all personal data is permanently deleted. Backups are removed within 90 days.
Does MerchantFlow comply with Shopify's mandatory GDPR webhooks?
Yes. MerchantFlow handles all three Shopify GDPR webhooks: customer data request, customer data deletion, and shop data deletion (on app uninstall).
Related Resources
Last updated: March 14, 2026
Terms of Service - MerchantFlow
MerchantFlow Terms of Service covering service usage, subscription billing, acceptable use, intellectual property, liability limitations, and termination.
Data Security Practices
MerchantFlow data security practices including 2FA authentication, AES-256 encryption, session management, tenant isolation, and OAuth token security.