Privacy Policy
This Privacy Policy explains how ZigFlow collects, uses, shares, and protects your data. As a Shopify app, we are committed to full transparency about our data practices.
Introduction
ZigFlow ("we", "us", or "our"), operated by RA Studio, provides the ZigFlow application (the "Service") — an AI-powered marketing automation platform available as a Shopify app and at zigflow.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you install our Shopify app or use our Service.
By installing ZigFlow from the Shopify App Store or using our Service, you consent to the data practices described in this policy. Terms not defined here have the same meanings as in our Terms of Service.
This policy applies to all users of ZigFlow, including Shopify merchants, their team members, and end-users who interact with content created through our platform.
Definitions
Service: The ZigFlow application (Shopify app and web platform at zigflow.io), including all related APIs, tools, and features.
Personal Data: Any information relating to an identified or identifiable natural person, such as name, email address, or store URL.
Usage Data: Data collected automatically from your use of the Service (e.g., pages visited, features used, timestamps).
Merchant Data: Data from your Shopify store accessed via Shopify APIs, including products, orders, and store configuration.
Cookies: Small data files stored on your device to maintain session state and preferences.
Data Controller: RA Studio, which determines the purposes and means of processing your personal data.
Data Processor: Any third-party service that processes data on our behalf (e.g., cloud hosting, AI providers).
Information We Collect
We collect information through several channels to provide and improve our Service:
Account Information
When you create a ZigFlow account (directly or via Shopify), we collect:
Email address and name
Shopify store domain and store name
Authentication tokens (OAuth, JWT)
Profile preferences (language, timezone)
Data from Shopify APIs
When you connect your Shopify store, we access the following data through Shopify's authorized APIs based on the scopes you approve:
Product catalog: titles, descriptions, images, prices, variants, and inventory levels (read_products, read_product_listings, read_inventory)
Store theme information for brand extraction (read_themes)
Discount and price rules for campaign context (read_price_rules, read_discounts)
Store configuration: name, domain, currency, and locale
Usage and Analytics Data
We automatically collect:
Device and browser information (type, version, screen resolution)
IP address and approximate geographic location
Pages visited, features used, and interaction timestamps
Campaign performance metrics (views, clicks, engagement)
Content You Create
We store content you create through ZigFlow, including:
Marketing campaigns and post content
Visual designs created in our editor
Video templates and generated media
Brand kit settings (colors, logo, voice, tagline)
How We Use Your Information
We use the collected information for the following purposes:
Provide and maintain the Service: Process your requests, manage your account, and deliver features you use.
AI-powered campaign generation: Your product data and brand settings are sent to AI services to generate personalized marketing content.
Social media publishing: Schedule and publish content to your connected social media accounts via our publishing partners.
Video generation: Create promotional videos using your product images and brand assets.
Analytics and insights: Track campaign performance and provide actionable marketing recommendations.
Service improvement: Analyze usage patterns to improve features and user experience.
Communication: Send transactional emails (account verification, billing notifications) and, with your consent, marketing updates.
Security and fraud prevention: Detect, investigate, and prevent unauthorized access or abuse of our Service.
Third-Party Service Providers
We share data with the following third-party services, strictly for operating our Service. Each provider processes data under their own privacy policy and contractual obligations:
Shopify: E-commerce platform integration — processes store data, billing, and app authentication. Privacy Policy: https://www.shopify.com/legal/privacy
Amazon Web Services (AWS): Cloud hosting, file storage (S3), email delivery (SES), and video rendering (Lambda). Data processed in the US (us-east-1 region). Privacy Policy: https://aws.amazon.com/privacy/
OpenAI: AI content generation — product data and campaign parameters are sent to generate marketing text. No personal customer data is transmitted. Privacy Policy: https://openai.com/privacy
Late.dev: Social media publishing and scheduling — post content and media are transmitted for publication to connected platforms. Privacy Policy: https://late.dev/privacy
Stripe: Payment processing — billing information is handled directly by Stripe. We do not store credit card numbers. Privacy Policy: https://stripe.com/privacy
MongoDB Atlas: Database hosting — all application data is stored on MongoDB Atlas servers in the US (us-east-1). Privacy Policy: https://www.mongodb.com/legal/privacy-policy
Google: OAuth authentication and analytics. Privacy Policy: https://policies.google.com/privacy
Brevo (formerly Sendinblue): Email marketing and CRM — email address and subscription status for transactional communications. Privacy Policy: https://www.brevo.com/legal/privacypolicy/
Cookies and Tracking
We use cookies and similar technologies to maintain your session, remember your preferences, and analyze Service usage.
Essential Cookies: Required for authentication, session management, and core Service functionality. Cannot be disabled.
Preference Cookies: Store your language, theme, and display settings across sessions.
Analytics Cookies: Help us understand how you use the Service to improve features and performance (Google Analytics).
You can control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.
Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), we process your personal data based on the following legal grounds:
Contractual necessity: Processing required to provide the Service you subscribed to (account management, campaign generation, publishing).
Consent: Where you have explicitly agreed, such as for marketing emails or optional analytics.
Legitimate interest: Service improvement, security monitoring, and fraud prevention, where these interests are not overridden by your rights.
Legal obligation: Compliance with applicable laws, tax requirements, and regulatory requests.
Data Sharing and Disclosure
We do not sell, trade, or rent your personal data. We may share information in the following limited circumstances:
Service Providers: With third-party vendors listed above, solely for operating the Service under contractual safeguards.
Legal Requirements: When required by law, court order, or governmental authority.
Rights Protection: To protect the rights, property, or safety of ZigFlow, our users, or the public.
Business Transfer: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users.
Data Security
We implement industry-standard security measures to protect your data, including encryption in transit (TLS 1.2+) and at rest, secure authentication with JWT tokens and OAuth 2.0, access controls and the principle of least privilege, regular security monitoring and logging, and HMAC signature verification for all webhooks.
While we employ commercially reasonable measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
Data Retention
We retain your data according to the following schedule:
Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
Shopify store data: Product catalog and store information are synced periodically. All store data is deleted within 48 hours of app uninstallation (per Shopify requirements via shop/redact webhook).
Campaign content and media: Retained while your account is active. Deleted with your account or upon request.
Usage logs and analytics: Retained for up to 12 months for service improvement, then anonymized or deleted.
Billing records: Retained as required by applicable tax and accounting laws (typically 7 years).
International Data Transfers
Your data is processed and stored on servers located in the United States (AWS us-east-1 region, MongoDB Atlas us-east-1). If you are located outside the United States, your data will be transferred to and processed in the US. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) where required by GDPR.
Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
Rights under GDPR (EEA Residents)
Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate or incomplete personal data.
Erasure: Request deletion of your personal data ("right to be forgotten").
Restriction: Request that we limit the processing of your personal data.
Objection: Object to processing based on legitimate interests or for direct marketing.
Portability: Request your data in a structured, machine-readable format.
Withdraw Consent: Withdraw consent at any time for processing based on consent.
Rights under CCPA (California Residents)
Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
Right to Delete: Request deletion of your personal information, subject to legal exceptions.
Right to Opt-Out: We do not sell personal information. No opt-out is necessary.
Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, contact us at info@zigflow.io. We will respond within 30 days (GDPR) or 45 days (CCPA).
Shopify App Compliance
As a Shopify app, we comply with Shopify's mandatory privacy requirements:
Data Access Requests: When a merchant's customer requests their personal data, we respond through Shopify's customers/data_request webhook within 30 days.
Data Erasure: When a merchant requests customer data deletion, we erase the relevant data through Shopify's customers/redact webhook within 30 days.
App Uninstallation: When a merchant uninstalls ZigFlow, we receive Shopify's shop/redact webhook and delete all store-specific data within 48 hours.
HMAC Verification: All Shopify webhook communications are verified using HMAC-SHA256 signatures to ensure authenticity.
Minimal Scopes: We only request read-only API scopes necessary for our functionality. We never request write access to your store.
Children's Privacy
ZigFlow is a B2B service designed for business use. We do not knowingly collect information from anyone under the age of 16. If you believe a minor has provided us with personal data, please contact us at info@zigflow.io and we will promptly delete it.
Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on this page with a new effective date, and by sending a notification through the Service or via email. We encourage you to review this policy periodically.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a data concern, please contact us:
Email: info@zigflow.io
RA Studio, Montréal, QC, Canada
We will acknowledge your request within 5 business days and respond substantively within 30 days.


