Privacy Policy

Last updated: April 10, 2026

This Privacy Policy explains what data Commerce365 collects when you connect your Shopify store and third-party services, how we use that data, and your rights under the GDPR. We built Commerce365 for Dutch mid-market Shopify brands, and we take your data — and your customers' data — seriously.

1. Who We Are

Commerce365 is operated by Flatline Agency, a company registered in the Netherlands. If you have any question about this policy, want to exercise your GDPR rights, or need to request data deletion, contact us at robin@flatlineagency.com. We respond to all data requests within 30 days.

2. What Data We Collect

Account information: your email address and organization name when you sign up.
Store and marketing data via OAuth: product, order, inventory, customer, advertising, and analytics data from the platforms you choose to connect.
Usage data: the chat messages you send to our AI agents, the reports they generate, and a log of agent runs so you can audit what was done and when.
We only access scopes you explicitly authorize during the connection flow.

3. Third-Party Integrations and OAuth Scopes

Commerce365 connects to eight third-party platforms via OAuth. For each one, we request only the scopes required to provide the features you have enabled. The data is used solely to operate the service for you — it is never sold, shared with advertisers, or used to train AI models.

Shopify. Scopes requested: read and write access to products, orders, inventory, fulfillments, draft orders, discounts, content, metaobjects, files, and translations; read access to customers, analytics, reports, themes, locations, shipping, gift cards, returns, publications, and marketing events. Purpose: power Commerce365's specialized agents — full-stack audits across your commerce stack, auto-discovery of your store schema (metafields, languages, collections), automated product translations across Shopify locales, AI-assisted product content enrichment, and generation of weekly performance reports. All write actions go through the in-app approval workflow.

Meta Ads (Facebook and Instagram). Scopes requested: ads_read, ads_management. Purpose: read your Meta ad account structure and campaign performance so the Full-Stack Audit agent can cross-reference your ad spend against Shopify revenue, identify underperforming campaigns, and surface ROAS insights. We use the ads_management scope read-only in practice — Commerce365 does not push ad changes back to Meta automatically.

Klaviyo. Scopes requested: read and write access to campaigns, flows, lists, segments, profiles, events, templates, tags, catalogs, coupons, images, data-privacy preferences, and subscriptions; read access to metrics. Purpose: analyze email campaign and flow performance, generate reports about subscriber behavior, and enable agent-assisted campaign management via the in-app approval workflow. Write actions are never taken without your explicit per-action approval.

Google Ads. Scopes requested: adwords, userinfo.email, userinfo.profile. Purpose: read your Google Ads campaigns and performance metrics so the Full-Stack Audit agent can analyze ROAS, cross-reference paid search against organic search data from Search Console, and surface budget optimization opportunities. Used read-only in practice. userinfo is used solely to display which Google account is connected on the Integrations page.

Google Analytics 4. Scopes requested: analytics, analytics.edit, userinfo.email, userinfo.profile. Purpose: read your GA4 property data (sessions, conversions, events, traffic sources) to generate Full-Stack Audit reports, identify low-converting landing pages, and cross-reference traffic quality against Shopify revenue. In the current version of Commerce365, these scopes are used for read-only operations only — we list accessible properties and run analytical queries. No analytics properties or events are modified.

Google Search Console. Scopes requested: webmasters, userinfo.email, userinfo.profile. Purpose: the SEO agent reads your connected sites and search performance data to surface organic traffic insights. Used read-only in practice — we list sites and query search analytics. No sites are verified, sitemaps submitted, or index requests issued on your behalf.

Google BigQuery. Scopes requested: bigquery, userinfo.email, userinfo.profile. Purpose: for customers who want to run cross-source analytics against their own BigQuery data warehouse, the Analytics agent can query datasets that you explicitly connect. Access is limited to the datasets you select — Commerce365 never queries datasets you have not linked.

Google Sheets. Scopes requested: spreadsheets, drive.metadata.readonly, userinfo.email, userinfo.profile. Purpose: export Commerce365-generated reports into a spreadsheet you own. The drive.metadata.readonly scope is used only to let you pick which spreadsheet to write to — we do not read any file contents from your Google Drive.

4. Shopify Protected Customer Data

Commerce365 accesses read_customers and read_orders, which include Protected Customer Data under Shopify's tier system. This data is used only for inventory analysis, order trend detection, customer cohort reporting, and anomaly monitoring. It is never sold, shared with third parties, or used for advertising or profile-building. Customer data is deleted within 30 days of app uninstall or account deletion. Commerce365 implements all mandatory Shopify GDPR webhooks — customers/data_request, customers/redact, and shop/redact — and verifies each webhook using HMAC-SHA256 with timing-safe comparison to prevent spoofing.
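The webhook check described above, written out as an added example (this is illustrative code, not Commerce365's own implementation): the raw request body is HMAC-SHA256'd with the app secret, base64-encoded, and compared against the X-Shopify-Hmac-Sha256 header using a timing-safe comparison before any of the three mandatory GDPR topics is dispatched. The secret, header names on the receiving side and sample payload are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Mapping, Optional, Tuple

# Constructed placeholder. A real deployment loads the app's API secret from a
# secrets store (the policy names Supabase Vault); it is never hard-coded.
APP_SECRET = b"example-app-secret-not-real"

# The three GDPR webhooks every public Shopify app must handle.
GDPR_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def compute_shopify_hmac(raw_body: bytes, secret: bytes) -> str:
    """Shopify signs the raw body with HMAC-SHA256 and base64-encodes the digest."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_shopify_webhook(raw_body: bytes, header_hmac: Optional[str], secret: bytes) -> bool:
    """Timing-safe comparison: compare_digest does not short-circuit on the first
    mismatching byte, so an attacker cannot learn the expected value byte by byte."""
    if not header_hmac:
        return False
    expected = compute_shopify_hmac(raw_body, secret)
    return hmac.compare_digest(expected.encode("utf-8"), header_hmac.encode("utf-8"))


def handle_webhook(headers: Mapping[str, str], raw_body: bytes, secret: bytes = APP_SECRET) -> Tuple[int, str]:
    """Returns (status, message). The signature is checked against the *raw* bytes,
    before JSON parsing, so re-serialisation differences cannot break the check."""
    if not verify_shopify_webhook(raw_body, headers.get("X-Shopify-Hmac-Sha256"), secret):
        return 401, "invalid hmac"  # Shopify expects 401 for a bad signature
    topic = headers.get("X-Shopify-Topic", "")
    if topic not in GDPR_TOPICS:
        return 200, "ignored"
    payload = json.loads(raw_body)
    # Constructed: in a real app this would enqueue the redaction/data-request job.
    return 200, f"queued {topic} for shop {payload['shop_domain']}"


if __name__ == "__main__":
    body = json.dumps({"shop_id": 1, "shop_domain": "example.myshopify.com"}).encode()
    hdrs = {"X-Shopify-Topic": "shop/redact",
            "X-Shopify-Hmac-Sha256": compute_shopify_hmac(body, APP_SECRET)}
    print(handle_webhook(hdrs, body))
```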

5. Shopify Write Access and the Approval Workflow

Commerce365 requests write scopes on products, orders, inventory, fulfillments, draft orders, discounts, content, metaobjects, files, and translations. These scopes power agent-assisted write tools in the in-app chat. Write actions are never taken automatically. Every write action is proposed by an AI agent as a specific, auditable action (for example: "Update product ABC price to €24.99") and requires your explicit human approval via the approval workflow in the Commerce365 dashboard before it executes. You can revoke approval at any time, review the full audit log of executed actions under Settings, or disable write tools globally for your organization.

6. Google API Services Limited Use Disclosure

Commerce365's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we do not use Google user data for serving ads, for any purpose unrelated to the Commerce365 features you have enabled, or to develop, improve, or train generalized AI or machine-learning models. We do not allow humans to read your Google user data except where (a) you have given explicit consent to read specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with applicable law, or (d) the data has been anonymized so no individual user can be identified.

7. Meta Platform Data Use

When you connect a Meta Business account, Commerce365 reads ad account structure, campaign metadata, and performance metrics for the purpose of generating ROAS analyses and budget reallocation recommendations. We do not use Meta data for user profiling, ad targeting, retargeting, data resale, or secondary marketing purposes. Your Meta data is stored only as long as your Commerce365 subscription is active and is deleted within 30 days of disconnection.

8. Klaviyo Data Use

When you connect Klaviyo, Commerce365 reads campaign, flow, list, segment, profile, and event data to power performance reports and customer-cohort insights. Write scopes are used only for agent-assisted campaign management via the approval workflow — no automatic sends, list modifications, or profile updates happen without your explicit per-action approval. Klaviyo data is never resold, shared with third-party marketers, or used outside the Commerce365 service.

9. How Long We Keep Your Data

Active accounts: we retain your data for the duration of your subscription plus 30 days after cancellation to handle billing reconciliation and GDPR webhook responses.
Uninstall or account deletion: all associated data is deleted within 30 days in line with Shopify's Protected Customer Data requirements.
OAuth token revocation is immediate and propagates to Supabase Vault within seconds. You can request earlier deletion by emailing robin@flatlineagency.com.

10. Where Your Data Is Stored and How We Secure It

All your data is stored in Supabase in the European Union region, encrypted at rest and in transit (TLS 1.2+). OAuth tokens are stored encrypted in Supabase Vault, a secrets-management layer that is separate from the application database. Row-level security (RLS) is enforced at the database level so that one organization can never read another organization's data, even in the event of an application bug. We use httpOnly, secure, sameSite cookies for session management and require CSRF state parameters on every OAuth callback.

11. Third-Party Processors

Anthropic: used for AI analysis and chat. Your data is sent to the Anthropic Claude API for processing but is not used to train their models under the Anthropic commercial terms.
Supabase: our primary database and vault host (EU region).
Stripe: payment processing only. We do not store your credit card details.
Sentry: error monitoring — no personally identifiable information is included in error reports.
Resend: transactional email (signup confirmations, weekly digests).
Inngest: durable scheduling for agent runs.
We have data processing agreements in place with each processor.

12. Your GDPR Rights

Under the General Data Protection Regulation you have the right to: access a copy of all data we hold about you; rectify inaccurate data; request deletion of your account and all associated data; receive your data in a portable, machine-readable format; object to processing; and restrict processing. To exercise any of these rights, email robin@flatlineagency.com. We respond within 30 days and will not charge a fee for reasonable requests. If you believe we have mishandled your data, you also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

13. Changes to This Policy

We may update this policy as the product evolves, as new integrations are added, or as compliance requirements change. Material changes will be communicated via email to the primary contact on your organization at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version. Continued use of Commerce365 after a material change constitutes acceptance of the updated policy.

Support
Not sure about something?

We will help you get a clear answer fast.

Built in Amsterdam by Flatline Agency. Specialized AI agents for full-stack commerce audits, multilingual product launches, and catalog enrichment — so you can focus on growth.

Commerce365 — AI agents for your Shopify store.