Privacy Policy
Last updated: 24 February 2026
Controller
Code Creation Labs GmbH
Friedensstr. 1, 47647 Kerken, Germany
Email: support@codecreationlabs.com
Website: codecreationlabs.com
We operate the following Shopify applications:
- Flow Trigger Extensions
- Flow Action Extensions
This Privacy Policy explains how we collect, process, and store data when merchants install and use our apps.
Scope of This Policy
This Privacy Policy applies to:
- Merchants using our Shopify apps
- Data processed through Shopify Flow integrations
- Data processed via webhook payloads sent to our infrastructure
We act as a data processor on behalf of the merchant (Shopify store owner) for any personal data contained in webhook or Flow payloads.
Data We Process
Shopify Account Information (Merchant Data)
When a merchant installs one of our apps, we may receive:
- Store name
- Store URL
- Store email address
- Shopify store ID
- App configuration settings
- Shopify API access tokens
Purpose of processing: provide and maintain app functionality, authenticate API requests, provide support.
Webhook and Flow Payload Data
Our apps process webhook and Shopify Flow payloads that may include order data, product data, customer information, addresses, email addresses, custom fields configured by the merchant, and other store data included in the payload.
We do not actively collect personal data directly from customers. However, payloads configured by the merchant may contain personal data.
Purpose of processing: execute app functionality, provide webhook forwarding, enable Flow triggers and actions, provide payload history to merchants, debugging and support.
Payload Storage
We store webhook and Flow payloads to provide merchants with a history log, allow troubleshooting and debugging, and improve reliability of our services.
Retention: payload data is stored only as long as necessary to provide app functionality. Merchants may request deletion of stored data.
What We Do Not Collect
- We do not store visitor IP addresses.
- We do not build customer profiles.
- We do not sell data.
- We do not use payload data for advertising purposes.
Analytics and Usage Data
We collect limited internal analytics such as which Flow triggers or actions are used, feature usage frequency, error rates, and app performance metrics.
This data is used solely to improve our apps, is not shared with third parties for marketing, and is not used to identify end customers.
Legal basis under GDPR: Legitimate interest (Article 6(1)(f) GDPR) in improving our services.
Legal Basis for Processing (GDPR)
For merchants located in the European Union, we process data based on:
- Article 6(1)(b) GDPR — performance of a contract (providing the app service)
- Article 6(1)(f) GDPR — legitimate interest (security, analytics, service improvement)
- Article 28 GDPR — data processing on behalf of the merchant (processor relationship)
Merchants remain the data controllers for their customer data.
Data Hosting and Security
All app infrastructure is hosted in Germany (European Union).
We implement appropriate technical and organizational measures, including encrypted connections (HTTPS/TLS), secure server infrastructure, access control restrictions, and regular system updates and monitoring.
If subprocessors are used (for example, hosting providers), they are GDPR-compliant and located within the EU or protected via appropriate legal safeguards.
Data Sharing
We do not sell or trade data. We may share data only with subprocessors necessary to operate the apps, if required by law, or to enforce legal claims.
Data Retention
Merchant account data is stored for the duration of the app installation.
Payload history is stored to provide functionality and is deleted upon merchant request, app uninstallation, or expiration of a defined retention period.
Merchant Responsibilities
Merchants are responsible for ensuring they have a lawful basis to process their customers' data, informing their customers about data transfers to third-party apps, and entering into a Data Processing Agreement (DPA) with us if required. We provide a DPA upon request.
Data Subject Rights (EU/EEA)
If personal data of EU individuals is processed, the following rights apply:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
Requests should generally be directed to the merchant (store owner). We assist merchants in fulfilling such requests where legally required.
Data Deletion
Merchants may request deletion of stored data by contacting support@codecreationlabs.com. Upon app uninstallation, stored payload data is deleted within a reasonable timeframe unless legal obligations require retention.
International Transfers
Our infrastructure is located in Germany. Data is processed within the European Union.
Changes to This Policy
We may update this Privacy Policy from time to time. The latest version will always be available on our website.
Contact
For privacy-related inquiries:
Email: support@codecreationlabs.com
Code Creation Labs GmbH, Friedensstr. 1, 47647 Kerken, Germany
