Our Privacy Policy
This policy explains what data Commerce365 collects when you connect your Shopify store and third-party services, how we use it, and your rights under the GDPR. Commerce365 is operated by Flatline Agency, a company registered in the Netherlands.
Last updated on April 10, 2026
Information We Collect
Account information: your email address and organization name when you sign up.
Store and marketing data via OAuth: product, order, inventory, customer, advertising, and analytics data from the platforms you choose to connect.
Usage data: the chat messages you send to our AI agents, the reports they generate, and an audit log of agent runs.
We only access the scopes you explicitly authorize during the connection flow.
How We Use Your Information
We use the data you connect solely to operate Commerce365 for you:
Running AI agents that audit your stack, automate repetitive work, and generate reports.
Powering AI chat so you can query your data in plain language.
Cross-referencing ad spend against real Shopify revenue.
We never sell your data, share it with advertisers, or use it to train AI models.
Data Security
All your data is stored in Supabase in the European Union, encrypted at rest and in transit (TLS 1.2+). OAuth tokens are stored encrypted in Supabase Vault, separate from the application database. Row-level security is enforced at the database level so one organization can never read another's data. Every write action to your store requires your explicit approval before it runs.
Integrations and Processors
Commerce365 connects to Shopify, Meta Ads, Google Ads, Google Analytics 4, Search Console, BigQuery, Google Sheets, and Klaviyo via OAuth, requesting only the scopes needed for the features you enable. We rely on sub-processors including Anthropic (AI analysis; not used to train their models), Supabase (EU database and vault), Stripe (payments), Sentry, Resend, and Inngest, each under a data processing agreement. Your data is never sold.
Shopify Protected Customer Data
Commerce365 accesses customer and order data, which include Protected Customer Data under Shopify's tiers. It is used only for inventory analysis, order-trend detection, cohort reporting, and anomaly monitoring - never sold, shared, or used for advertising. We implement all mandatory Shopify GDPR webhooks (customers/data_request, customers/redact, shop/redact) and delete customer data within 30 days of app uninstall or account deletion.
Your GDPR Rights and Data Retention
Under the GDPR you can access, rectify, delete, export, object to, or restrict processing of your data - email robin@flatlineagency.com and we respond within 30 days. We retain data for the duration of your subscription plus 30 days after cancellation; OAuth token revocation is immediate. We may update this policy as the product evolves; the date above always reflects the current version.