Privacy Policy
Contents
1. Who We Are
CRM Sync is a customer relationship management service operated by Story Story AI. CRM Sync synchronizes user identity, consent, segmentation, and campaign data across integrated commerce, CMS, analytics, and customer data platforms.
CRM Sync operates as a registered application on both the Shopify App Store and the Webflow Marketplace, subject to both platforms' privacy and compliance requirements.
| Entity | Details |
|---|---|
| Operator | Story Story AI |
| Contact Email | [email protected] |
| Data Protection Contact | [email protected] |
| Service URL | hx-crm-sync.yoonsunlee150.workers.dev |
2. Data We Collect
2.1 Data Collected from End Users (Your Customers)
| Category | Data Points | Source |
|---|---|---|
| Identity | Email address, first name, last name, avatar URL | Signup form, OAuth provider, Shopify |
| Authentication | Password hash (bcrypt), OAuth provider ID, session tokens | Auth flow |
| Consent | TOS, cookie, marketing, newsletter, CCPA preferences | Consent forms, UCP Dashboard, form bridge |
| Tags & Segments | CRM tags (status, tier, segment, campaign, consent) | Admin assignment, form bridge, auto-inference |
| Commerce | Shopify customer ID, order count, total spent, country | Shopify Admin API |
| Audit Trail | Consent changes with timestamp, source, session ID, IP address | All consent mutation endpoints |
2.2 Data Collected from Merchants (App Users)
| Category | Data Points | Source |
|---|---|---|
| Store Info | Shopify store domain, shop ID | OAuth install flow |
| Credentials | API tokens (encrypted), OAuth tokens | OAuth flows, config setup |
| Configuration | Sync settings, auth method preferences, integration toggles | Extension UI, setup wizard |
2.3 Data We Do NOT Collect
- Payment card numbers or financial account details
- Government-issued identification numbers
- Biometric data
- Health or medical information
- Precise geolocation (we store country only, from Shopify)
3. How We Collect Data
| Method | Description |
|---|---|
| Direct Input | Signup forms, login forms, profile updates, consent toggles, UCP Dashboard interactions |
| OAuth Flows | Google OAuth, Shopify Customer Account (PKCE), Shopify App OAuth, Webflow OAuth |
| Shopify Admin API | Customer data synced via cron (every 15 minutes) and webhooks (customers/create, customers/update) |
| Webflow CMS API | CMS item changes synced via registered webhooks |
| Form Bridge | Any HTML form with data-crm-form attribute on your Webflow site |
| Automated | IP address (for consent provenance), session identifiers, timestamps |
4. How We Use Your Data
| Purpose | Legal Basis (GDPR) | Data Used |
|---|---|---|
| Provide the CRM service | Contract performance | Identity, auth, tags, commerce data |
| Authenticate users | Contract performance | Email, password hash, OAuth tokens |
| Manage consent preferences | Legal obligation (GDPR Art. 6, 7) | Consent records, audit trail |
| Sync data across platforms | Legitimate interest / consent | Customer profiles, tags, metafields |
| Send transactional emails | Contract performance | Email, name (via Resend) |
| Server-side analytics | Legitimate interest / consent | Tag categories, consent state (no raw PII to GA4) |
| Adobe AEP integration | Consent (explicit opt-in) | SHA-256 hashed PII only; raw PII never transmitted |
| Compliance (GDPR/CCPA) | Legal obligation | All stored data (for data requests, redaction) |
5. Data Sharing & Third Parties
We share data only with services required to provide CRM Sync functionality. We do not sell personal data.
| Service | Data Shared | Purpose | Location |
|---|---|---|---|
| Shopify | Customer tags, metafields, consent state | Commerce sync | Global (Shopify CDN) |
| Xano | User profiles, consent records, tags, extras | Database (source of truth) | US |
| Webflow | Customer CMS items (name, email, tags, consent) | CMS publishing | US |
| Google Analytics (GA4) | Tag categories, consent state, events (no raw PII) | Analytics | US |
| Google Ads (Customer Match / Smart Bidding) | SHA-256 hashed email, conversion value, consent state | Consent-gated advertising audiences — only with your marketing consent; excluded entirely by a Do-Not-Sell/Share opt-out | US |
| Adobe Experience Platform | SHA-256 hashed PII, consent state, commerce events | CDP (if enabled) | Per tenant AEP region |
| Resend | Email address, name | Transactional email | US |
| Cloudflare | KV config, request metadata | Worker hosting, KV storage | Global (edge) |
We never share data with data brokers or any party not listed above. Advertising audience sharing (Google Ads, above) happens only under your explicit marketing consent, is suppressed the moment that consent is revoked, and is blocked outright — regardless of consent — when you enable Do Not Sell or Share My Personal Information (Privacy & Permissions → Privacy). Every inclusion or exclusion is recorded as an audited consent event.
6. Data Storage & Security
6.1 Where Data Is Stored
| Data Type | Storage | Encryption |
|---|---|---|
| User profiles, consent records | Xano (managed database) | Encrypted at rest (Xano managed) |
| Config, tokens, OAuth state | Cloudflare KV | Encrypted at rest (Cloudflare managed) |
| Passwords | Xano (as bcrypt hash) | One-way hashed, not reversible |
| Session tokens | HTTP-only cookies | JWT signed with HS256; Secure, SameSite flags |
6.2 Security Measures
- Encryption in transit: All connections use HTTPS (enforced by Cloudflare edge)
- Authentication: JWT sessions with configurable expiry, idle timeout with warning
- Webhook verification: HMAC-SHA256 signature verification on all Shopify webhooks and GDPR handlers
-
Admin access: Bearer token (
ADMIN_KEY) required on all admin and write endpoints -
Key management & rotation: Scoped, revocable access credentials (admin-equivalent delegate keys and tenant-scoped
crm_t_tokens) with independent rotation, fail-closed authorization, and a documented key-rotation lifecycle — secrets never appear in logs, transcripts, or read-backs (see Access-Governance Model) - Zero Trust: Cloudflare Access with email-based OTP on worker admin URLs
- OAuth security: State parameter CSRF protection, PKCE for Shopify Customer Account, shop domain validation
-
Secret masking:
GET /configmasks all credentials; embed HTML strips all API keys - PII protection: No PII logged to browser console or server logs
- Tenant isolation: Multi-tenant config stored in isolated KV keys; no cross-tenant data access
- Token management: Shopify expiring tokens (60-min access, 90-day refresh) with proactive refresh
7. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| User profiles | Until account deletion or merchant request | PII anonymization via redaction endpoint |
| Consent records | Indefinite (audit requirement) | Append-only; preserved after user redaction |
| OAuth tokens | Access: 60 min; Refresh: 90 days | Auto-expired, overwritten on refresh |
| Password reset tokens | 1 hour (reset) / 24 hours (welcome) | KV TTL auto-deletion |
| OAuth state nonces | 5–10 minutes | KV TTL auto-deletion |
| Adobe IMS tokens | Per Adobe TTL (typically 24 hours) | KV TTL auto-deletion |
| Sync timestamps | Indefinite (operational) | Overwritten on each sync cycle |
8. Your Rights
In-product access: your consent and interaction history is visible at any time in Privacy & Permissions → Me → Activity log (every grant, revocation, preference save, and form interaction, timestamped and attributed to its channel), and Privacy → Export my data downloads the same records with your profile and tags — no support request required.
8.1 For End Users (Customers)
Under GDPR, CCPA, and other applicable privacy laws, you have the following rights:
| Right | How to Exercise | Implementation |
|---|---|---|
| Access (GDPR Art. 15) | Contact the merchant or email us |
POST /gdpr/data-request compiles complete user record |
| Rectification (GDPR Art. 16) | Update via UCP Dashboard or Account page |
POST /auth/profile updates name, language |
| Erasure (GDPR Art. 17) | Self-service: Account → Delete Account |
POST /auth/delete-account or POST /gdpr/customer-redact
|
| Portability (GDPR Art. 20) | Contact the merchant or email us |
POST /gdpr/data-request returns structured JSON |
| Withdraw Consent (GDPR Art. 7) | UCP Dashboard consent toggles | Each toggle change logged to audit trail |
| Restrict Processing (GDPR Art. 18) | Contact us | We will suspend processing on request |
| Object (GDPR Art. 21) | Contact us | We will cease processing for the objected purpose |
8.2 For Merchants (App Users)
- Uninstall: Uninstall the app from Shopify Admin or Webflow Workspace at any time
-
Data deletion: Upon uninstall, Shopify sends a
shop/redactwebhook. We acknowledge and delete stored shop data within 48 hours. - Export: Contact us to receive a complete export of your configuration and customer data
9. Cookies & Tracking
Consent fires first. Measurement on our sites is denied by default and loads only after your stored consent decision is applied — on every visit, before any analytics script runs. Your choice is changeable at any time via the footer Cookie Preferences control, and fully resettable via Reset Consent. See the Consent, Cookies & Preferences guide for the full behavior.
9.1 Cookies We Set
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
crm_session |
JWT session token for authentication | Essential | Configurable (default 7 days) |
We set one cookie for authentication. It is httpOnly, Secure, and SameSite=None. It cannot be read by client-side JavaScript.
9.2 Cookie Consent
CRM Sync provides a configurable cookie consent banner. Users can accept or reject cookies. Cookie consent state is logged to the audit trail with provenance metadata.
9.3 Server-Side Analytics
We use Google Analytics 4 Measurement Protocol for server-side event tracking. This means:
- No GA4 cookies are set on the user's browser by CRM Sync
- No raw PII is sent to GA4 — only tag categories and consent state
- Events are attributed using a synthetic client ID (
crm-sync.{userId}) - Analytics respects user consent state — marketing events are only sent when consent is granted
10. California Privacy Rights (CCPA)
Do Not Sell or Share My Personal Information. Signed-in users can enable this opt-out at Privacy & Permissions → Privacy (avatar menu → My Account & Privacy). It is enforced as an independent plane from cookie consent: when on, cross-context behavioral-advertising sharing — advertising audiences (Google Customer Match / Smart Bidding), partner identifier projections, and peer or AI-agent cross-context sharing — is blocked fail-closed even while your marketing consent remains granted. First-party services you consented to continue to work. The opt-out and any later change are kept as audited, timestamped consent events.
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
| Right | Implementation |
|---|---|
| Right to Know | Data request endpoint compiles all stored data |
| Right to Delete | Customer redaction endpoint anonymizes all PII |
| Right to Opt-Out of Sale | CCPA toggle in consent settings (UCP Dashboard and compliance page). We do not sell personal data. |
| Non-Discrimination | No features are gated based on privacy choices |
11. Children's Privacy
CRM Sync is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top of this page
- For significant changes, we will notify merchants via email or in-app notification
- Continued use of the service after changes constitutes acceptance of the updated policy
13. Contact Us
For any questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern:
| Channel | Contact |
|---|---|
| General Support | [email protected] |
| Data Protection | [email protected] |
| Mailing Address | Story Story AI, United States |
We aim to respond to all inquiries within 5 business days and to all formal data subject requests within 30 days.