Privacy Policy

This Privacy Policy explains how FlowRelay collects, uses, shares, and retains information for the FlowRelay public website, Shopify embedded app, event intake endpoints, diagnostics, and Agent Access.

Who we are and what this policy covers

FlowRelay is operated by Ordu Labs LLC. FlowRelay for Shopify Flow helps merchants receive external JSON events, authenticate senders, validate required fields, hand a normalized trigger to Shopify Flow, keep receipt facts, support governed replay while retained data is available, and share support-safe diagnostics.

This policy covers the FlowRelay public website, the FlowRelay Shopify embedded app, FlowRelay event intake endpoints, support diagnostics, and merchant-authorized Agent Operations access for the Shopify Flow launch edition.

Ordu Labs LLC acts as a controller for account, billing, website, support, analytics, security, audit, and business-communication data. Ordu Labs LLC acts as a processor or service provider for merchant event payloads and Shopify/customer data processed through FlowRelay to provide the service.

Information FlowRelay collects

Shopify app and billing data

FlowRelay stores shop identity, shop domain, installation state, Shopify session records, billing plan and subscription state, usage meters, and Shopify Flow trigger readiness or lifecycle signals needed to operate the embedded app.

The launch app requests read_orders, read_customers, and read_products because Shopify Flow native-reference handoffs require matching scopes for order, customer, and product references. FlowRelay v1 does not query Shopify Orders, Customers, or Products to enrich events; merchants or senders provide resource IDs in signed event payloads.

Merchant and operator configuration

FlowRelay stores endpoint names, source labels, trigger family choices, required field paths, authentication mode, header names, secret verification material, secret metadata such as last four characters, one-time secret reveal audit facts, endpoint edits, deletion/tombstone state, plan and usage data, support interaction metadata, and Agent Access grant metadata.

Sender event data

External systems send JSON request bodies to merchant-owned FlowRelay endpoints. FlowRelay stores the retained raw JSON body for the replay window, redacted request headers, authentication result, content type, content length, request body hash, timestamps, correlation IDs, endpoint snapshots, mapping results, processing state, handoff result, replay attempts, diagnostics state, and audit facts.

Merchants and senders are responsible for limiting event payloads to data that is lawful, accurate, and necessary for the Shopify Flow workflow.

Diagnostics and support-safe sharing

Diagnostics are preview-first. A merchant or authorized operator reviews the package before sharing it with FlowRelay support. Diagnostics packages are redacted by default and must not include endpoint secrets, raw authorization headers, HMAC values, Shopify tokens, session data, database URLs, or raw request bodies. Event-scoped masked payload samples are optional and masked when included.

Agent Access data

If a merchant creates an Agent Access grant, FlowRelay stores grant label, purpose, authority tier, scopes, expiration mode, token hash, token last four characters, authorizing store/user context, acknowledgement state, revocation state, usage, and audit records. FlowRelay shows the full agent token only once.

Website and operational telemetry

FlowRelay may process website, request, product usage, error, security, and abuse-prevention metadata needed to operate the service. Production telemetry is designed to send sanitized context, stable codes, hashes, counts, states, and correlation IDs rather than raw payloads, secrets, auth headers, HMAC values, Shopify tokens, sessions, database URLs, or customer/order PII.

FlowRelay may use cookies or similar technologies for site operation, product analytics, security, and preference or session reliability. If FlowRelay uses advertising, retargeting, or similar targeted-advertising tools, FlowRelay will provide required notice, opt-out, or consent controls.

Information FlowRelay does not intentionally collect

  • Storefront browsing behavior, storefront cookies, pixels, or buyer session recordings.
  • Payment card numbers or payment gateway credentials.
  • Broad Shopify store data exports or enrichment pulls. FlowRelay v1 relies on merchant-provided event payloads and Shopify Flow native references.
  • Raw Shopify session material, Shopify tokens, endpoint secrets, HMAC values, full auth headers, database URLs, or raw payloads in public proof, support summaries, diagnostics, or Agent Operations reads.
  • Downstream Shopify Flow branch, condition, app action, email, fulfillment, or third-party system completion status after Shopify Flow receives the trigger.

How FlowRelay uses information

FlowRelay uses data to operate endpoints, authenticate events, validate required payload paths, create durable receipt facts, hand triggers to Shopify Flow, show event history, support replay and diagnostics, enforce plan limits, maintain audit records, provide merchant-authorized Agent Operations access, prevent abuse, improve reliability, troubleshoot support requests, and comply with legal or platform obligations.

FlowRelay does not sell personal information. FlowRelay does not use merchant event payloads to train public AI models unless a later published policy and product setting clearly say otherwise.

Retention, deletion, and Shopify privacy requests

Data type | Current launch behavior
Event history and receipt rows | Retained for the current 30-day event history window, then purged by scheduled reliability cleanup.
Retained raw JSON bodies | Retained for replay for 30 days by default, then cleared. Receipt facts and safe metadata can remain until the event row itself is purged.
Diagnostics shares | Frozen support-safe packages expire after 30 days and are purged by scheduled cleanup.
Action intents, dedupe keys, and agent grants | Preview/action intent and dedupe records expire through scheduled cleanup. Agent grants are marked expired when their expiration is reached unless the merchant created a no-expiration grant.
Billing, installation, audit, and legally required records | May be retained longer when needed for billing, security, audit, tax, dispute, legal, or platform compliance obligations.

When a merchant uninstalls FlowRelay, the Shopify uninstall webhook marks the installation as uninstalled while preserving receipt and support-safe history for the retention window unless deletion is required sooner. Shopify may also send mandatory privacy webhooks for customers/data_request, customers/redact, and shop/redact. FlowRelay must acknowledge valid Shopify-signed requests with a 200-series status and complete required access, deletion, or anonymization work within 30 days unless retention is legally required.

Processors and subprocessors

FlowRelay shares data only as needed to operate, secure, bill, support, and improve the service. Current providers are Shopify for app distribution, OAuth, billing, and platform webhooks; Cloudflare for hosting, Workers, Pages, routing, queues, and edge infrastructure; Supabase/Postgres for application data storage; Help Scout for support conversations; Sentry for sanitized error monitoring; and PostHog for sanitized product analytics.

Support requests may be handled directly by FlowRelay or through Help Scout. FlowRelay does not sell personal information and does not share merchant event payloads with subprocessors except as needed to operate, secure, bill, support, or improve the service.

Security practices

FlowRelay uses HTTPS/TLS, endpoint authentication by HMAC-SHA256 header or static header secret, request size limits, secret storage controls, redaction, scoped access grants, audit records, Shopify webhook HMAC verification for registered Shopify webhooks, Cloudflare Access-style protection for restricted support diagnostics, and server-only database access with Supabase row-level security hardening. These are security practices, not a claim of SOC 2, HIPAA, GDPR, CPRA, security audit, uptime, or data residency certification.

International processing

FlowRelay is operated from the United States. FlowRelay and its providers may process information in the United States and other countries where they operate. FlowRelay does not make a data residency commitment for the launch edition. Where required, FlowRelay relies on provider terms, data processing terms, and available transfer mechanisms for cross-border processing.

Privacy requests and contact

For privacy questions, access, correction, deletion, or support with a Shopify-originated request, contact support@flowrelay.app.
