Legal

Privacy Policy

How Flexsee AI collects, uses, stores, and protects personal data.

Last updated: June 15, 2026

Key points at a glance

  • Flexsee AI Ltd acts as a data processor for your store’s customer data and as a controller for merchant account data.
  • We use data only to provide AI predictions, recommendations, audience sync, Quick Pay, and related analytics — we do not sell personal data as a standalone business.
  • When you connect Shopify, we sync customer email, name, shipping/billing address, and phone (where available) for identity, checkout prefill, campaigns, and ML — only as needed for features you enable.
  • Shopify web pixel tracking honours Shopify Customer Privacy consent; optional Meta Pixel forwarding in the embedded app only runs when marketing consent is granted.
  • SMS for Quick Pay offers and verification may be sent via Twilio when you configure those flows; you must obtain required consents from recipients.
  • Billing may use Shopify App Pricing for the embedded Shopify app and/or Stripe for the Flexsee dashboard, depending on how you subscribe (see §14).
  • Data is hosted on AWS in the EU (eu-west-1) with encryption in transit and at rest; access to protected customer data is logged and limited to authorised staff.
  • You can request access, correction, deletion, or export by contacting privacy@flexsee.ai.

This Privacy Policy describes how Flexsee AI Ltd ("Flexsee", "we", "us", or "our") processes personal data when you use our website (flexsee.ai), merchant dashboard (dashboard.flexsee.ai), APIs (api.flexsee.ai), Quick Pay checkout pages, documentation, and related services (collectively, the "Service").

If you are a merchant using Flexsee, you are responsible for providing appropriate privacy notices to your end customers and obtaining any consents required under applicable law for collection of behavioural data, marketing, and data sharing with Flexsee and integrated platforms.

1. Who is responsible for your data?

For merchant account information (your name, email, organisation, billing, support communications, and platform usage), Flexsee AI Ltd is the data controller.

For personal data about your store’s customers, visitors, and order recipients that you connect via Shopify, WooCommerce, tracking pixels, or imports, we generally act as a data processor on your instructions. You remain responsible for lawful collection and for honouring data subject requests relating to your customers, while we assist as described in this policy and our Data Processing terms.

  • Legal entity: Flexsee AI Ltd
  • Contact (privacy): privacy@flexsee.ai
  • Contact (general): hello@flexsee.ai
  • Website: https://flexsee.ai

2. Definitions

  • Merchant: a business user who registers for a Flexsee organisation account.
  • End Customer: an individual whose data is processed because they shop on or interact with a Merchant’s store.
  • Personal Data: information relating to an identified or identifiable individual.
  • Processing: any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • Integrations: third-party services you connect (e.g. Shopify, WooCommerce, Meta, Klaviyo, Stripe).

3. Information we collect

3.1 Merchant account and billing

  • Identity and contact: name, email address, phone (if provided), organisation name and identifiers.
  • Authentication: password hash, session tokens, OAuth identifiers (e.g. Google sign-in), email verification status.
  • Billing: subscription plan, Stripe customer and subscription IDs, invoice metadata, pay-as-you-go wallet balance and top-up history (payment card data is processed by Stripe; we do not store full card numbers).
  • Communications: support tickets, product feedback, and service emails you send or receive from us.

3.2 Store and catalog data

  • Products, variants, inventory signals, collections, and media URLs from connected e-commerce platforms.
  • Orders, line items, fulfilment status, refunds, and transactional metadata where your platform and permissions allow (including historical orders when your Shopify app has approved read_all_orders access).
  • Customers and profiles: email, first and last name, phone number, billing and shipping addresses, marketing consent flags, tags, and lifetime value metrics when synced from your store or webhooks.
  • We request and process only the customer fields required for enabled features (sync, predictions, Quick Pay prefill, audience export, and SMS where configured).

3.3 Behavioural and event data

  • Flexsee web pixel / ingest events: page views, product views, add-to-cart, checkout steps, session identifiers, timestamps, user agents, and referral parameters when you install our tracking on your storefront.
  • Shopify Customer Privacy: our Shopify web pixel extension declares analytics and sale-of-data purposes and only records behavioural events when the buyer’s Shopify privacy permissions allow analytics processing and applicable sale-of-data consent.
  • Optional Meta Pixel forwarding: if you configure a Meta Pixel ID in the Flexsee AI Predictions embedded app, selected storefront events may also be sent to Meta for your conversion campaigns. This forwarding respects marketing consent and is disabled unless the buyer has granted marketing permission.
  • Quick Pay events: offer views, authentication steps, checkout progression, and conversion attribution parameters.
  • Quick Pay checkout: contact and delivery details you or the shopper provide (email, name, phone, shipping and billing address) to prefill checkout, calculate shipping, process payment, and sync orders back to your store.
  • SMS (Twilio): when you enable SMS-based Quick Pay or verification, we process phone numbers and message delivery metadata to send transactional messages you configure (e.g. offer links, one-time codes). We do not use SMS data for unrelated marketing without your configuration and applicable consent.
  • Campaign and recommendation events: model predictions served, email or ad audience exports, and attribution to orders where configured.

3.4 Integration credentials and configuration

  • OAuth tokens, API keys, and webhook secrets for Shopify, WooCommerce, Meta, Klaviyo, Stripe Connect, and other integrations you enable.
  • Wizard flow, audience, and campaign configuration (rules, discounts, destinations, UTM parameters).

3.5 Technical and security logs

  • IP address, browser type, device characteristics, and request metadata when you access the dashboard or public APIs.
  • Application and audit logs for security monitoring, debugging, webhook delivery, and compliance.

5. How we use personal data

  • Provide, operate, and maintain the Service, including dashboards, APIs, and Quick Pay.
  • Train, evaluate, and run machine learning models and rules to generate predictions, product recommendations, and audience segments for your organisation only.
  • Synchronise audiences and events to Meta Ads, Klaviyo, and other integrations you authorise.
  • Process payments, commissions, and billing through Stripe.
  • Send transactional messages (verification, security alerts, billing receipts, material service changes, and merchant-configured Quick Pay SMS where enabled).
  • Provide customer support and investigate incidents.
  • Monitor usage, diagnose errors, and protect against fraud, abuse, and security threats.
  • Comply with legal obligations and enforce our Terms of Service.

6. Artificial intelligence and automated processing

Flexsee uses statistical and machine learning techniques on historical behavioural and transactional data. Outputs include propensity scores, recommended products, and audience membership flags. These outputs are probabilistic estimates, not factual determinations about individuals.

Models are trained and stored per organisation. We do not use your End Customer data to train models for other merchants unless you explicitly participate in a separate programme with informed consent.

You may contact us for more information about significant automated processing relevant to your use of the Service.

7. Sharing and disclosure

7.1 Integrations you enable

When you connect third-party services, we share data as needed to perform the integration:

  • Shopify / WooCommerce: sync products, customers, orders; receive webhooks; optional Admin API calls.
  • Meta (Facebook): hashed emails and/or phone numbers (SHA-256) for Custom Audiences; campaign and conversion API events where configured; optional Meta Pixel forwarding from the Shopify embedded app when you supply a Pixel ID.
  • Klaviyo: profile identifiers, recommendation payloads, and campaign-related properties.
  • Stripe: payment processing for Flexsee dashboard subscriptions and Quick Pay; Connect account identifiers and application fees. This is separate from Shopify App Pricing charges for the Flexsee AI Predictions embedded Shopify app.

7.2 Service providers (sub-processors)

We use trusted providers who process data on our instructions:

ProviderPurposeLocation / notes
Amazon Web Services (AWS)Hosting, databases, secrets, logsEU (eu-west-1) primary
Stripe, Inc.Payments and Stripe ConnectGlobal; SCCs / DPA available
Google (OAuth)Optional sign-inGlobal
Amazon SES / email providersTransactional emailEU / US per configuration
Twilio Inc.SMS delivery for merchant-configured Quick Pay and verification flowsGlobal; SCCs / DPA available
Sentry (if enabled)Error monitoringEU / US per configuration
Grafana Cloud (if enabled)Metrics and logsEU / US per configuration

7.3 Legal and safety

  • Law enforcement or regulators when required by applicable law, court order, or to protect rights, safety, and security.
  • Professional advisers under confidentiality (lawyers, accountants, insurers).
  • Successors in the event of a merger, acquisition, or asset sale, subject to this policy or equivalent protections.

8. International data transfers

Primary processing occurs in the European Union (Ireland — AWS eu-west-1). Where data is transferred outside the UK/EEA (for example to US-based subprocessors), we implement appropriate safeguards such as Standard Contractual Clauses, the UK IDTA addendum where applicable, and vendor data processing agreements.

9. Security

  • TLS encryption for data in transit; encryption at rest for databases and object storage.
  • Secrets and API tokens stored in managed secret stores with restricted access.
  • Role-based access controls, audit logging for sensitive operations (including access to protected customer data where applicable), and least-privilege principles for production systems.
  • Encrypted backups; separation of test and production environments for personal data.
  • Documented data retention, incident response, and data loss prevention practices.
  • Regular dependency updates and monitoring for vulnerabilities.
No method of transmission or storage is 100% secure. If you believe your account or integration credentials are compromised, contact hello@flexsee.ai immediately.

10. Data retention

Shopify mandatory webhooks (customer data request, customer redact, shop redact) trigger deletion workflows for applicable store data. Merchants may request earlier deletion subject to technical feasibility and legal holds.

Data categoryTypical retention
Merchant accountDuration of account + up to 24 months for legal/audit needs
Store catalog syncWhile store is connected; deleted after disconnect + cleanup window
End Customer eventsWhile account active; configurable deletion on request or account closure
ML models and training artifactsWhile account active; deleted on account closure or model deletion
Billing recordsAs required by tax law (typically 6–7 years)
Security logsUp to 90 days unless needed for incident investigation

11. Your rights

EEA/UK residents may contact their local authority (e.g. ICO in the UK). California residents may have additional rights under CPRA including know, delete, and correct — we do not sell personal information as defined by CPRA.

Submit requests to privacy@flexsee.ai. We may verify your identity before responding. We aim to respond within 30 days.

  • Access and portability
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Objection to processing based on legitimate interests
  • Withdraw consent where processing is consent-based
  • Lodge a complaint with a supervisory authority

12. End Customer privacy (merchant obligations)

  • Publish a privacy policy on your store that explains use of analytics, AI, and third-party integrations including Flexsee.
  • Provide required notices and obtain consents for marketing, tracking, and international transfers.
  • Honour opt-out, unsubscribe, and data subject requests for your customers.
  • Configure integrations only for purposes compatible with your notices.

13. Cookies and similar technologies

13.1 Flexsee dashboard and marketing site

  • Essential cookies: authentication sessions and security.
  • Analytics: understanding usage of our website and product (where enabled).

13.2 Merchant storefront tracking

When you deploy Flexsee tracking on your store, cookies or local storage may be used to identify sessions and attribute events. On Shopify, our web pixel extension integrates with Shopify’s Customer Privacy API and respects the consent choices presented by your store’s privacy banner.

You must implement appropriate consent banners where required (e.g. EEA/UK) and ensure your store privacy notice explains analytics, AI processing, optional Meta Pixel forwarding, and any international transfers.

14. Shopify apps and protected customer data

When you install Flexsee AI Predictions from the Shopify App Store (or connect via OAuth), we access Shopify Admin API resources that may contain protected customer data, including customers, orders, checkouts, and related webhooks.

Depending on app configuration and Shopify approvals, we may process End Customer email, name, billing and shipping address, and phone number to: sync data into your Flexsee organisation; train and run organisation-scoped ML models; prefill Flexsee Quick Pay checkout; create or update orders in Shopify after Quick Pay payment; export hashed or identified audiences to integrations you enable (e.g. Klaviyo, Meta); and send SMS you configure via Twilio.

We process the minimum fields needed for these features, retain them per §10, and honour Shopify mandatory privacy webhooks (customer data request, customer redact, shop redact). Unapproved API fields may be redacted by Shopify until Partner Dashboard access is granted for the specific app installation.

You must ensure your store privacy notice describes Flexsee’s processing and obtain any consents required for analytics, marketing, SMS, and international transfers.

15. Billing for Shopify app vs Flexsee dashboard

Flexsee AI Predictions, the embedded Shopify app (app.flexsee.ai), uses Shopify Managed App Pricing. Charges for that app appear in your Shopify admin billing history.

The Flexsee merchant dashboard (dashboard.flexsee.ai), advanced integrations, Quick Pay, and related platform features may be billed separately through Stripe when you subscribe outside the Shopify app listing.

Installing or using the Shopify app does not automatically create a paid Stripe subscription on the dashboard. Each surface bills only for the features you activate on that surface.

16. Quick Pay and payments

Quick Pay checkout pages may display your branding and collect contact, shipping, billing, and payment details. We may prefill email, name, phone, and address from your synced store data or from offer-link recipient details when available.

Payment card processing is handled by Stripe. We receive transaction metadata, application fees, and fraud signals necessary to operate Quick Pay. After successful payment, we may create or update orders in your connected store using the delivery details collected at checkout.

If you enable SMS, phone numbers are used to deliver messages you configure. Shoppers should review your store privacy policy in addition to this notice; you are responsible for lawful SMS consent and opt-out handling.

17. Children

The Service is not directed at individuals under 18. We do not knowingly collect children’s personal data. Contact us if you believe we have collected such data inadvertently.

18. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or in-dashboard notice at least 14 days before they take effect where practicable. The "Last updated" date at the top reflects the current version. Continued use after the effective date constitutes acceptance.

19. Contact us

  • Privacy enquiries & data subject requests: privacy@flexsee.ai
  • General support: hello@flexsee.ai
  • Security issues: hello@flexsee.ai (subject: Security) — or privacy@flexsee.ai for data breach reports
← Back to Home Terms of Service