Privacy Policy
This policy explains what data ReviewsFlow collects when you install the app on your Shopify store, why we collect it, how we use it, and the rights you have over it. We designed ReviewsFlow to collect the minimum data needed to run a review app well — and nothing more.
1. Who we are
ReviewsFlow ("ReviewsFlow", "we", "us") is a product-review application distributed through the Shopify App Store. When a merchant installs ReviewsFlow, we act as a data processoron their behalf for customer review data, and as a data controller for account-level information we need to operate the service (billing, account email, support history).
2. Data we collect
2.1 Merchant & store data
When you install ReviewsFlow, Shopify shares the data covered by the access scopes we request. Today, those scopes are:read_products, write_products,read_script_tags, write_script_tags.
From those scopes we read and store:
- Your shop domain, plan tier and locale.
- Account-owner details provided by Shopify (first name, last name, email, user ID).
- Shopify session and access tokens needed to call the Shopify Admin API on your behalf.
- Product metadata (title, handle, featured image) for the products you want to show reviews on.
2.2 Review content
Reviews written by your customers — or imported by you from another platform — are stored in our database:
- Author name and (optional) email address.
- Star rating, review title and body.
- Uploaded photos and videos, stored on Amazon S3 (see "Sub-processors").
- Language, translations, source (manual, imported, AI-assisted) and publication status.
2.3 App-usage data
To operate the widgets on your storefront we collect a small amount of technical information per request: IP address, user agent, referring page and the product viewed. This is used for rate-limiting, debugging and abuse prevention only. It is not used for advertising or profiling.
2.4 Data we do not collect
ReviewsFlow does not collect payment data, order data, customer order history, or personally identifying information beyond what is listed above. We do not sell data to third parties under any circumstances.
3. How we use your data
We use the data described above to:
- Authenticate your Shopify store and keep sessions valid.
- Display review widgets, star badges and ratings on your storefront.
- Generate AI-assisted starter reviews when you explicitly request them from the ReviewsFlow admin.
- Translate review content when you enable translation features.
- Import historical reviews from spreadsheets you upload.
- Provide customer support, diagnose bugs and improve the product.
- Comply with legal obligations.
Legal basis (GDPR). We rely on (a) the contract between you and us (our Terms of Service) to operate the app, (b) your consent when you explicitly trigger optional features such as AI generation or Amazon-sourced imports, and (c) legitimate interest for security, fraud prevention and service improvement.
4. Sub-processors & third parties
ReviewsFlow relies on a small number of sub-processors. Each one is bound by a data-processing agreement and is only given the minimum data required for the feature it powers.
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Shopify | App distribution & hosting platform | All merchant & storefront data (as the source) |
| OpenAI | AI-assisted review generation and translation | Product titles and prompts you submit; no customer PII is sent |
| Amazon Web Services (S3) | Storage of review photos and videos | Uploaded media files and their metadata |
| Amazon.com | Optional import of publicly available product reviews when you request it | Public product URLs you submit |
If you disable the optional features (AI generation, Amazon import), no data flows to those sub-processors.
5. Storage & security
Data is stored in a managed PostgreSQL database. Media files are stored in Amazon S3 with server-side encryption. Data in transit is encrypted with TLS 1.2+.
Access to production systems is limited to the engineers responsible for operating ReviewsFlow, is protected by multi-factor authentication, and is logged.
6. Data retention & deletion
We retain your data for as long as your ReviewsFlow app is installed. When you uninstall the app:
- Shopify session tokens are deleted immediately through the
app/uninstalledwebhook. - Reviews, media and configuration are retained for 30 days to allow quick reinstallation without data loss, and then permanently deleted.
- You can request immediate deletion at any time by emailing us at [email protected].
7. Your rights (GDPR / CCPA)
If you are a resident of the European Economic Area, the United Kingdom, California or a jurisdiction with comparable privacy laws, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Object to or restrict certain processing.
- Request a portable copy of your data.
- Withdraw consent for optional processing at any time.
To exercise any of these rights, email [email protected]. We respond to verified requests within 30 days.
If a review about your products contains personal information about a customer (for example, their name or email), the merchant is the primary controller of that data. Requests from shoppers should be directed first to the merchant, who can action them inside the ReviewsFlow admin.
9. Changes to this policy
We may update this policy to reflect new features, new sub-processors or changes in the law. If a change is material, we will notify merchants through the ReviewsFlow admin before it takes effect. The date at the top of this page always reflects the latest revision.
10. Contact us
Questions, concerns or data requests can be sent to [email protected]. We read every email and aim to respond within two business days.