Skip to content
  • DIFFERENCE
  • HOW
  • MISSION
  • DOCS
    Docs Index Ask the Docs Spec Source
  • CART
  • LOGIN

Privacy Policy

CRM Sync — Effective Date: May 17, 2026 · Last Updated: May 17, 2026

Contents

  1. Who We Are
  2. Data We Collect
  3. How We Collect Data
  4. How We Use Your Data
  5. Data Sharing & Third Parties
  6. Data Storage & Security
  7. Data Retention
  8. Your Rights
  9. Cookies & Tracking
  10. California Privacy Rights (CCPA)
  11. Children's Privacy
  12. Changes to This Policy
  13. Contact Us

1. Who We Are

CRM Sync is a customer relationship management service operated by Story Story AI. CRM Sync synchronizes user identity, consent, segmentation, and campaign data across integrated commerce, CMS, analytics, and customer data platforms.

CRM Sync operates as a registered application on both the Shopify App Store and the Webflow Marketplace, subject to both platforms' privacy and compliance requirements.

Entity Details
Operator Story Story AI
Contact Email [email protected]
Data Protection Contact [email protected]
Service URL hx-crm-sync.yoonsunlee150.workers.dev

2. Data We Collect

2.1 Data Collected from End Users (Your Customers)

Category Data Points Source
Identity Email address, first name, last name, avatar URL Signup form, OAuth provider, Shopify
Authentication Password hash (bcrypt), OAuth provider ID, session tokens Auth flow
Consent TOS, cookie, marketing, newsletter, CCPA preferences Consent forms, UCP Dashboard, form bridge
Tags & Segments CRM tags (status, tier, segment, campaign, consent) Admin assignment, form bridge, auto-inference
Commerce Shopify customer ID, order count, total spent, country Shopify Admin API
Audit Trail Consent changes with timestamp, source, session ID, IP address All consent mutation endpoints

2.2 Data Collected from Merchants (App Users)

Category Data Points Source
Store Info Shopify store domain, shop ID OAuth install flow
Credentials API tokens (encrypted), OAuth tokens OAuth flows, config setup
Configuration Sync settings, auth method preferences, integration toggles Extension UI, setup wizard

2.3 Data We Do NOT Collect

  • Payment card numbers or financial account details
  • Government-issued identification numbers
  • Biometric data
  • Health or medical information
  • Precise geolocation (we store country only, from Shopify)

3. How We Collect Data

Method Description
Direct Input Signup forms, login forms, profile updates, consent toggles, UCP Dashboard interactions
OAuth Flows Google OAuth, Shopify Customer Account (PKCE), Shopify App OAuth, Webflow OAuth
Shopify Admin API Customer data synced via cron (every 15 minutes) and webhooks (customers/create, customers/update)
Webflow CMS API CMS item changes synced via registered webhooks
Form Bridge Any HTML form with data-crm-form attribute on your Webflow site
Automated IP address (for consent provenance), session identifiers, timestamps

4. How We Use Your Data

Purpose Legal Basis (GDPR) Data Used
Provide the CRM service Contract performance Identity, auth, tags, commerce data
Authenticate users Contract performance Email, password hash, OAuth tokens
Manage consent preferences Legal obligation (GDPR Art. 6, 7) Consent records, audit trail
Sync data across platforms Legitimate interest / consent Customer profiles, tags, metafields
Send transactional emails Contract performance Email, name (via Resend)
Server-side analytics Legitimate interest / consent Tag categories, consent state (no raw PII to GA4)
Adobe AEP integration Consent (explicit opt-in) SHA-256 hashed PII only; raw PII never transmitted
Compliance (GDPR/CCPA) Legal obligation All stored data (for data requests, redaction)
PII Hashing for Adobe AEP: When Adobe Experience Platform integration is enabled, personal data (email, phone, name) is hashed using SHA-256 before transmission. Raw PII never leaves our worker. The hashing occurs server-side using the Web Crypto API.

5. Data Sharing & Third Parties

We share data only with services required to provide CRM Sync functionality. We do not sell personal data.

Service Data Shared Purpose Location
Shopify Customer tags, metafields, consent state Commerce sync Global (Shopify CDN)
Xano User profiles, consent records, tags, extras Database (source of truth) US
Webflow Customer CMS items (name, email, tags, consent) CMS publishing US
Google Analytics (GA4) Tag categories, consent state, events (no raw PII) Analytics US
Google Ads (Customer Match / Smart Bidding) SHA-256 hashed email, conversion value, consent state Consent-gated advertising audiences — only with your marketing consent; excluded entirely by a Do-Not-Sell/Share opt-out US
Adobe Experience Platform SHA-256 hashed PII, consent state, commerce events CDP (if enabled) Per tenant AEP region
Resend Email address, name Transactional email US
Cloudflare KV config, request metadata Worker hosting, KV storage Global (edge)

We never share data with data brokers or any party not listed above. Advertising audience sharing (Google Ads, above) happens only under your explicit marketing consent, is suppressed the moment that consent is revoked, and is blocked outright — regardless of consent — when you enable Do Not Sell or Share My Personal Information (Privacy & Permissions → Privacy). Every inclusion or exclusion is recorded as an audited consent event.

6. Data Storage & Security

6.1 Where Data Is Stored

Data Type Storage Encryption
User profiles, consent records Xano (managed database) Encrypted at rest (Xano managed)
Config, tokens, OAuth state Cloudflare KV Encrypted at rest (Cloudflare managed)
Passwords Xano (as bcrypt hash) One-way hashed, not reversible
Session tokens HTTP-only cookies JWT signed with HS256; Secure, SameSite flags

6.2 Security Measures

  • Encryption in transit: All connections use HTTPS (enforced by Cloudflare edge)
  • Authentication: JWT sessions with configurable expiry, idle timeout with warning
  • Webhook verification: HMAC-SHA256 signature verification on all Shopify webhooks and GDPR handlers
  • Admin access: Bearer token (ADMIN_KEY) required on all admin and write endpoints
  • Key management & rotation: Scoped, revocable access credentials (admin-equivalent delegate keys and tenant-scoped crm_t_ tokens) with independent rotation, fail-closed authorization, and a documented key-rotation lifecycle — secrets never appear in logs, transcripts, or read-backs (see Access-Governance Model)
  • Zero Trust: Cloudflare Access with email-based OTP on worker admin URLs
  • OAuth security: State parameter CSRF protection, PKCE for Shopify Customer Account, shop domain validation
  • Secret masking: GET /config masks all credentials; embed HTML strips all API keys
  • PII protection: No PII logged to browser console or server logs
  • Tenant isolation: Multi-tenant config stored in isolated KV keys; no cross-tenant data access
  • Token management: Shopify expiring tokens (60-min access, 90-day refresh) with proactive refresh

7. Data Retention

Data Type Retention Period Deletion Method
User profiles Until account deletion or merchant request PII anonymization via redaction endpoint
Consent records Indefinite (audit requirement) Append-only; preserved after user redaction
OAuth tokens Access: 60 min; Refresh: 90 days Auto-expired, overwritten on refresh
Password reset tokens 1 hour (reset) / 24 hours (welcome) KV TTL auto-deletion
OAuth state nonces 5–10 minutes KV TTL auto-deletion
Adobe IMS tokens Per Adobe TTL (typically 24 hours) KV TTL auto-deletion
Sync timestamps Indefinite (operational) Overwritten on each sync cycle

8. Your Rights

In-product access: your consent and interaction history is visible at any time in Privacy & Permissions → Me → Activity log (every grant, revocation, preference save, and form interaction, timestamped and attributed to its channel), and Privacy → Export my data downloads the same records with your profile and tags — no support request required.

8.1 For End Users (Customers)

Under GDPR, CCPA, and other applicable privacy laws, you have the following rights:

Right How to Exercise Implementation
Access (GDPR Art. 15) Contact the merchant or email us POST /gdpr/data-request compiles complete user record
Rectification (GDPR Art. 16) Update via UCP Dashboard or Account page POST /auth/profile updates name, language
Erasure (GDPR Art. 17) Self-service: Account → Delete Account POST /auth/delete-account or POST /gdpr/customer-redact
Portability (GDPR Art. 20) Contact the merchant or email us POST /gdpr/data-request returns structured JSON
Withdraw Consent (GDPR Art. 7) UCP Dashboard consent toggles Each toggle change logged to audit trail
Restrict Processing (GDPR Art. 18) Contact us We will suspend processing on request
Object (GDPR Art. 21) Contact us We will cease processing for the objected purpose

8.2 For Merchants (App Users)

  • Uninstall: Uninstall the app from Shopify Admin or Webflow Workspace at any time
  • Data deletion: Upon uninstall, Shopify sends a shop/redact webhook. We acknowledge and delete stored shop data within 48 hours.
  • Export: Contact us to receive a complete export of your configuration and customer data
Response Time: We respond to all data subject requests within 30 days, as required by GDPR. For CCPA requests, we respond within 45 days.

9. Cookies & Tracking

Consent fires first. Measurement on our sites is denied by default and loads only after your stored consent decision is applied — on every visit, before any analytics script runs. Your choice is changeable at any time via the footer Cookie Preferences control, and fully resettable via Reset Consent. See the Consent, Cookies & Preferences guide for the full behavior.

9.1 Cookies We Set

Cookie Purpose Type Duration
crm_session JWT session token for authentication Essential Configurable (default 7 days)

We set one cookie for authentication. It is httpOnly, Secure, and SameSite=None. It cannot be read by client-side JavaScript.

9.2 Cookie Consent

CRM Sync provides a configurable cookie consent banner. Users can accept or reject cookies. Cookie consent state is logged to the audit trail with provenance metadata.

9.3 Server-Side Analytics

We use Google Analytics 4 Measurement Protocol for server-side event tracking. This means:

  • No GA4 cookies are set on the user's browser by CRM Sync
  • No raw PII is sent to GA4 — only tag categories and consent state
  • Events are attributed using a synthetic client ID (crm-sync.{userId})
  • Analytics respects user consent state — marketing events are only sent when consent is granted

10. California Privacy Rights (CCPA)

Do Not Sell or Share My Personal Information. Signed-in users can enable this opt-out at Privacy & Permissions → Privacy (avatar menu → My Account & Privacy). It is enforced as an independent plane from cookie consent: when on, cross-context behavioral-advertising sharing — advertising audiences (Google Customer Match / Smart Bidding), partner identifier projections, and peer or AI-agent cross-context sharing — is blocked fail-closed even while your marketing consent remains granted. First-party services you consented to continue to work. The opt-out and any later change are kept as audited, timestamped consent events.

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

Right Implementation
Right to Know Data request endpoint compiles all stored data
Right to Delete Customer redaction endpoint anonymizes all PII
Right to Opt-Out of Sale CCPA toggle in consent settings (UCP Dashboard and compliance page). We do not sell personal data.
Non-Discrimination No features are gated based on privacy choices

11. Children's Privacy

CRM Sync is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We will update the "Last Updated" date at the top of this page
  • For significant changes, we will notify merchants via email or in-app notification
  • Continued use of the service after changes constitutes acceptance of the updated policy

13. Contact Us

For any questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern:

Channel Contact
General Support [email protected]
Data Protection [email protected]
Mailing Address Story Story AI, United States

We aim to respond to all inquiries within 5 business days and to all formal data subject requests within 30 days.

CRM Sync Docs Terms of Service Support

CRM Sync — Story Story AI · Last updated July 2026

Keep me posted

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Docs
Mission
How it works
Difference
Reset my preferences
Reset my cookies
Privacy
Terms of Service

Your cart is empty

Have an account? Log in to check out faster.

Continue shopping

Search

Products

  • Download App
    Download App

    Download App

    $90.00
    Regular price  Sale price  $90.00