
Privacy Policy — Flow Fill

Last updated: 28 June 2026

Flow Fill ("the App", "we", "us") is a Shopify application that audits a merchant's Klaviyo email/SMS lifecycle flows against the standard set of ecommerce flows and, on paid tiers, generates draft email copy for the flows that are missing. This policy explains exactly what data the App accesses, why, how long we keep it, and your rights. It is written to reflect what THIS app actually does — nothing more.

Who we are

Flow Fill is operated by the app developer (contact below). The App runs at https://flowfill.syncerp.work and is installed from the Shopify App Store into your Shopify admin.

Protected Customer Data level

Level 0. Flow Fill does not request, read, store, or process any Shopify Protected Customer Data. It never requests the read_orders, read_customers, read_all_orders, or any customer/order scope, on Shopify or in Klaviyo.

Shopify data we access (scopes)

Flow Fill requests these minimal Shopify access scopes, and only these:

| Scope | Why we need it |
|---|---|
| read_products | To read your product titles/catalog as brand context so the email copy we generate sounds like your store. |
| read_content | To read your shop's pages/blog/brand content as brand context for the same grounding. |

We do not request orders, customers, checkouts, fulfilments, payments, or any Protected Customer Data scope. We use the Shopify Admin GraphQL API only; we do not use the REST API.

Klaviyo data we access

To audit your flows, you provide your own Klaviyo private API key (read access to Flows). With it, Flow Fill reads flow metadata only — each flow's **name and status** (live / draft / manual). That is the entirety of what we read from Klaviyo.

We do not read Klaviyo profiles, subscribers, events, campaigns, segments, or any customer personal data.

Your Klaviyo private key is:

redacts key-shaped strings);

immediately.

How we use the data

flows you have live, have only as a draft, or are missing, and a predicted revenue-opportunity weighting to help you prioritise.

AI that drafts missing-flow email copy, so it matches your voice.

We do not sell your data, do not use it for advertising, and do not share it except with the sub-processors below strictly to provide the App's function.

Sub-processors

We send only your shop name and brand context plus the flow type to be written; we send no customer or order data. The API is used with zero data-retention / no-training settings where available.

data is stored in a PostgreSQL database and a Redis instance on that server.

use of Klaviyo is governed by Klaviyo's own terms and privacy policy.

No customer personal data is ever sent to any of the above.

Data retention

or uninstall.

history work, until you uninstall.

(about 48 hours after uninstall) we cascade-delete all data for your shop, including the encrypted Klaviyo key, audits and drafts.

answered truthfully: we hold no customer data, so there is nothing to return or redact.

GDPR / your rights

Because Flow Fill processes no customer personal data, the main personal data involved is the merchant's own account context. You may at any time:

EU/UK merchants are afforded these rights under the GDPR/UK GDPR. We act as a data processor for the brand context we handle on your behalf.

Security

All data in transit is TLS-encrypted. Secrets (your Klaviyo key, any Shopify offline token) are encrypted at rest with AES-256-GCM and are never exposed to the browser or logs. Access to production infrastructure is restricted and key-based.

Changes to this policy

We may update this policy; material changes will be reflected here with a new "last updated" date.

Contact

Email: gheorghe.beschea@overheat.agency

In-app data disclosure: https://flowfill.syncerp.work/docs/protected-customer-data