SessionFlow (“SessionFlow”, “we”, “our”, or “us”) provides a Shopify-compatible application that enables merchants to maintain customer login continuity, account experiences, and event accuracy across sessions.
This Privacy Policy explains how personal data is processed when merchants use SessionFlow on Shopify stores and how privacy requirements are respected in accordance with Shopify App Store policies and applicable privacy laws.
1. Roles & Responsibilities
SessionFlow acts primarily as a data processor on behalf of Shopify merchants. Merchants remain the data controllers and are responsible for determining the purposes and lawful bases for processing personal data.
SessionFlow acts as a limited independent controller solely for security, fraud prevention, service reliability, and aggregated non-identifiable product analytics.
2. Data Processed
SessionFlow may process customer identifiers (such as Shopify customer ID), contact information provided by users, session and login data, cart state, event metadata, IP address, and browser/device information, strictly on merchant instruction.
3. Identification & Session Continuity
SessionFlow supports session continuity for logged-in users and temporary identifiers for anonymous visitors. Anonymous identifiers are limited in retention and scope unless consent is provided or an account is created.
4. Advertising & Analytics
Where enabled by merchants, SessionFlow may enrich event data sent to platforms like Meta to improve match quality. Enrichment is strictly consent- and region-aware and disabled where required by law.
5. Cookies & Tracking
SessionFlow uses first-party cookies and similar technologies necessary for core functionality. Non-essential processing is restricted based on consent signals provided via Shopify Customer Privacy API or merchant CMPs.
6. Consent Withdrawal
If consent is withdrawn, SessionFlow immediately disables any processing relying on that consent. Previously processed data is not retroactively deleted unless required by law.
7. Data Retention
Data is retained only as long as necessary to provide the service. Logged-in identifiers persist until account deletion. Anonymous identifiers are retained for limited periods.
8. Sharing & Subprocessors
SessionFlow uses vetted infrastructure providers and subprocessors bound by contractual safeguards. No data is sold or shared across merchants.
9. International Transfers
Data may be processed in the United States or other jurisdictions using appropriate legal safeguards.
10. User Rights
Users should contact the merchant directly to exercise their privacy rights. SessionFlow assists merchants in fulfilling valid requests.
11. Security
SessionFlow applies industry-standard security measures to protect personal data.
12. Changes
This policy may be updated periodically.
13. Contact
support@getsessionflow.com
