Privacy Policy

Last updated: March 21, 2026

1. Introduction

Welcome to VariantFlow ("we", "our", or "us"). VariantFlow is a Shopify application that displays product variants as individual product cards on your storefront. This Privacy Policy explains how we collect, use, and protect information when you install and use our app.

By installing VariantFlow from the Shopify App Store, you agree to the terms described in this policy.

2. Information We Collect

Store Information

When you install VariantFlow, we receive basic information about your Shopify store, including:

  • Store domain (e.g., yourstore.myshopify.com)
  • Shop name and contact email
  • Shopify access token (used to authenticate API requests)

Product & Variant Data

To deliver its core functionality, VariantFlow reads your product catalog and variant information via the Shopify API. This data is used solely to generate variant cards on your storefront and is never stored permanently on our servers beyond what is needed for session-level operations.

App Configuration

Settings you configure within the app (e.g., which collections display variant cards, per-product override rules) are stored in our database and associated with your shop domain.

Usage Data

We may collect anonymized, aggregated usage data (e.g., number of active stores, feature adoption rates) to improve the app. This data cannot be used to identify individual merchants or customers.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the VariantFlow service
  • Authenticate your store and authorize API requests on your behalf
  • Store your app configuration and preferences
  • Send transactional communications related to the service (e.g., billing alerts, critical security notices)
  • Comply with legal obligations and enforce our Terms of Service

We do not sell, rent, or share your personal or store data with third parties for marketing purposes.

4. Data Storage & Security

Your data is stored on secure cloud infrastructure. We implement industry-standard security measures including:

  • HTTPS/TLS encryption for all data in transit
  • Encrypted storage for sensitive credentials
  • Access controls limiting who can view store data
  • Regular security reviews and dependency updates

While we take reasonable precautions, no system is completely secure. In the event of a data breach, we will notify affected merchants in accordance with applicable law.

5. Shopify API Scopes

VariantFlow requests only the minimum Shopify API scopes necessary to function:

  • read_products — to read your product catalog and variants
  • write_script_tags — to inject the variant display script into your storefront

We do not request access to customer personal data, payment information, or order history.

6. Third-Party Services

VariantFlow is built on the Shopify platform and operates within Shopify's ecosystem. Your store data is subject to Shopify's Privacy Policy in addition to ours.

We may use infrastructure providers (e.g., hosting, databases) as data processors. These providers are contractually obligated to keep your data secure and confidential.

7. Data Retention & Deletion

We retain your store's data for as long as the app is installed. When you uninstall VariantFlow, a webhook is triggered and we delete your store's configuration and access token from our systems within 30 days.

You may also request immediate deletion of your data by contacting us at the address below.

8. Customer Data (GDPR & CCPA)

VariantFlow does not collect, process, or store end-customer personal data. We operate purely at the merchant level. If a customer submits a data request or erasure request to your store, it is your responsibility as the data controller to fulfill it.

In compliance with Shopify's Partner requirements, we support the following mandatory webhooks:

  • customers/data_request — we respond that no customer data is held
  • customers/redact — acknowledged; no action required as we hold no customer data
  • shop/redact — we delete all store data upon receipt

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice at least 14 days before taking effect. Continued use of VariantFlow after the effective date constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise any data rights, please contact us:

VariantFlow Support

Email: [email protected]