Privacy Policy

JsWorkflows is a Shopify application created and operated by YOD Solutions Pty Ltd, a limited liability company registered in Australia (ABN: 672 231 515). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you install and use the JsWorkflows application and any connected integrations.

By installing or using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

Data controller and processor roles. For personal data you provide to us directly (your store domain, contact information, workflow configurations), you are the Data Controller and we act as a Data Controller alongside you. For personal data belonging to your end-customers that flows through JsWorkflows as part of webhook processing (such as order or customer data), you remain the Data Controller and we act solely as a Data Processor on your behalf.

We process the following categories of data to deliver the Service:

• Contact and store information. Upon installation through the Shopify App Store, we collect your name, email address, store name, and store plan. This is used to deliver the Service, communicate about your account, and ensure security.
• OAuth credentials and access tokens. When you connect third-party services (such as Google, Slack, or HubSpot) through the app, we receive and securely store the access tokens and refresh tokens issued by those services. Tokens are encrypted at rest and are never exposed in logs, user interfaces, or support tools.
• Secret variables. API keys, credentials, and other secrets you manually store within the app for use in your workflows. These are encrypted at rest and decrypted only inside isolated, ephemeral execution environments at runtime. They are never written to logs.
• Webhook payloads. The body of Shopify webhook events and other HTTP trigger payloads routed through JsWorkflows. Processed in-flight to execute your workflows; raw payloads — which may include end-customer data such as names, email addresses, and order details — may appear in your run logs.
• Workflow run history. Execution logs, step outputs, error messages, request/response metadata, and timing data generated each time a workflow runs. Retained for 90 days by default.
• Workflow configurations. The JavaScript code, trigger settings, step definitions, and any other workflow configuration you create within the app.
• Performance and analytical data. Aggregated metrics (workflow counts, execution counts, error rates, request duration and status) used to monitor service health and improve the platform. This data does not include customer-specific information.

Where the GDPR applies, we rely on the following lawful bases:

• Contractual necessity. Processing your store data, OAuth tokens, secrets, and workflow configurations is necessary to deliver the Service you have contracted with us for.
• Legitimate interests. We process performance and analytical data to monitor service health, investigate incidents, and improve the platform. We also retain contact information to communicate about security issues and service changes. These interests are not overridden by your rights.
• Legal obligation. We may process or retain data where required to comply with applicable law, including responding to lawful requests from authorities.
• Consent. Where we rely on consent (for example, for optional communications), you may withdraw it at any time without affecting the lawfulness of prior processing.

We use the data we hold solely to provide and improve the Service:

• Authenticate your Shopify store and maintain your session.
• Connect to third-party services on your behalf using stored OAuth tokens.
• Inject your encrypted secrets into workflow executions at runtime, only for the duration of that execution.
• Execute your workflow automations in response to triggers.
• Store and display run history so you can monitor and debug your workflows.
• Bill your account through Shopify's billing system.
• Respond to support requests and troubleshoot issues.
• Monitor service health and improve the platform using aggregated, anonymised data only.
• Communicate with you about security, service changes, or account matters.

We do not use your workflow data, webhook payloads, secrets, or OAuth tokens for advertising, marketing profiling, or any purpose other than delivering the Service.

JsWorkflows supports connecting external services via OAuth 2.0 (including but not limited to Google, Slack, and HubSpot). This section explains how we handle data accessed through those connections.

What we store. When you authorise a connection, we receive and securely store the access token and (where issued) the refresh token from that service. These are encrypted at rest.

How we use it. Tokens are used exclusively to make API calls on your behalf, as directed by your own workflow logic. We do not initiate calls to connected services independently of your workflow executions.

Minimum scopes. We request only the OAuth permission scopes strictly required for the features you enable. We do not request broad or sensitive scopes speculatively.

No advertising use. Data accessed from third-party services is never used for advertising, marketing, or user profiling.

No human access. JsWorkflows personnel do not read or access data retrieved from your connected accounts (such as Google Sheets or Drive contents) unless you explicitly share it with us for support purposes.

No AI/ML training. Data obtained through third-party OAuth connections is not used to train, evaluate, or improve any machine learning or AI models.

No unauthorised sharing. Data obtained through connected services is not transferred to other parties except as directed by your own workflow logic or as strictly necessary to operate the Service.

You may revoke any connected integration at any time from within the JsWorkflows app or directly from the third-party service's account settings. Upon revocation, stored tokens for that integration are deleted. The third-party service's own privacy policy governs their side of the data exchange.

JsWorkflows' use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, data received from Google APIs is:

• Used only to provide or improve the specific workflow feature for which you authorised access.
• Not transferred to third parties except as directed by your workflows or as required to operate the Service.
• Not used for serving advertisements or for any advertising-related purpose.
• Not used to train or improve any AI or machine learning models.
• Not accessed by humans except where you explicitly provide data to us for support troubleshooting.

Shopify webhooks (such as order, customer, checkout, and product events) may contain personal data belonging to your end-customers — including names, email addresses, shipping addresses, and order details. When such data flows through JsWorkflows as part of your workflow executions:

• You remain the Data Controller for your customers' personal data. We act solely as a Data Processor, processing that data on your behalf and under your instructions.
• We process end-customer data only to the extent necessary to execute your workflows.
• End-customer data that appears in run logs is subject to the same 90-day retention and security measures as all other run data.
• We do not use end-customer data for any purpose beyond executing your workflows.
• You are responsible for ensuring your workflows handle end-customer data in compliance with applicable privacy laws, including notifying your customers as required.

JsWorkflows complies with Shopify's mandatory GDPR webhook requirements. We have implemented handlers for all three required endpoints:

• customers/data_request. When a merchant's customer submits a data access request through Shopify, we receive notification and identify any data we hold related to that customer (such as references in run logs). We respond to the merchant within the required timeframe so they can fulfil the request.
• customers/redact. When a merchant's customer requests deletion of their data, we redact or delete any identifiable customer data held in our systems related to that customer.
• shop/redact. Sent by Shopify 48 hours after a merchant uninstalls the app. Upon receipt, we permanently delete all data associated with that store, including OAuth tokens, secret variables, workflow configurations, and run history.

If you are a merchant and need to respond to a customer data request involving JsWorkflows, contact us at privacy@jsworkflows.com.

We share data only as necessary to deliver the Service or as required by law:

• Infrastructure providers. The Service runs on enterprise-grade cloud infrastructure. Providers process data as sub-processors under data processing agreements that include security, confidentiality, and data protection obligations.
• Shopify. We access your store via the Shopify API under the permissions you grant at installation. Shopify's privacy policy governs their handling of your data.
• Services called by your workflows. If your JavaScript workflows make HTTP calls to external APIs, data may be sent to those services. You are responsible for the privacy compliance of your own workflow logic.
• Legal requests. We may disclose data to legally authorised entities (courts, regulators, law enforcement) where required by applicable law or valid legal process.
• Legal defence. We may share data with courts, government institutions, or legal advisors where necessary to establish, exercise, or defend legal claims.
• Business operations. We may share data with auditors, advisors, consultants, insurers, or in connection with a merger, acquisition, or sale of business assets, subject to confidentiality obligations.

Your personal data is never sold to third parties.

JsWorkflows staff may access your workflow configurations, run logs, and related data when you contact us for support, or when we respond to automated monitoring alerts affecting your store. Access is limited to what is necessary to resolve the issue and is subject to confidentiality obligations.

Staff do not access the contents of your stored secret variables or OAuth tokens in plaintext under any circumstances. These are decrypted only within isolated execution environments at runtime.

We retain different categories of data for the following periods:

• Workflow run logs. 90 days from the date of execution, then permanently deleted.
• Workflow configurations, secrets, and OAuth tokens. Retained for the duration of your use of the Service, then deleted upon uninstall or within 30 days of a shop/redact webhook.
• Contact and account data. Retained for the duration of your use of the Service and up to 5 years thereafter for legal claim protection or as required by applicable law.
• Financial and billing records. Up to 7 years from the end of the relevant financial year, as required for accounting and tax purposes.
• Customer support correspondence. Up to 5 years, or as needed to protect against legal claims.

You may request earlier deletion of your data at any time by contacting privacy@jsworkflows.com.

We implement appropriate technical and organisational measures to protect your data:

• OAuth access tokens, refresh tokens, and secret variables are encrypted at rest using modern encryption standards.
• Secrets are decrypted only within isolated, ephemeral execution environments and are never written to logs or persistent storage in plaintext.
• All data in transit is encrypted via TLS.
• Access to production systems is restricted to authorised personnel, subject to access controls and audit logging.

Data breach notification. In the event of a data breach that poses a high risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach, describing the nature of the incident and the specific data involved. We will also notify the relevant supervisory authority where required by law.

No method of internet transmission or electronic storage is 100% secure. Once data is permanently destroyed, it cannot be recovered.

Your data may be processed in data centres outside your country of residence. Our infrastructure providers operate globally and implement appropriate safeguards for cross-border data transfers — including adherence to the EU-U.S. Data Privacy Framework, standard contractual clauses, and adequacy decisions where applicable.

Third-party providers used to deliver the Service follow stringent data protection standards appropriate to their role as sub-processors.

By using the Service, you consent to such international transfers, subject to the protections described in this policy.

If you are located in the EU, EEA, or UK, you have the following rights regarding your personal data:

• Access. Request a copy of the personal data we hold about you. Self-service access is available within the app; our support team can assist with data not accessible in-app.
• Rectification. Correct inaccuracies directly within the app or by contacting us.
• Erasure. Request deletion of your personal data ("right to be forgotten"), subject to legal, accounting, and security retention requirements.
• Restriction. Request that we cease processing your data except for storage.
• Portability. Receive your data in a structured, commonly used, machine-readable format, or request transfer to another provider.
• Object. Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw consent. Where processing is consent-based, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact privacy@jsworkflows.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (for example, the ICO in the UK, or your national DPA in the EU).

JsWorkflows is operated by YOD Solutions Pty Ltd, registered in Australia. We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Under the Australian Privacy Act, you have the right to request access to and correction of your personal information. Requests can be submitted to privacy@jsworkflows.com. We will respond within a reasonable period (generally 30 days). If we refuse a request, we will provide written reasons.

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know. Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the categories of third parties with whom it is shared.
• Right to delete. Request deletion of personal information we have collected, subject to certain exceptions.
• Right to correct. Request correction of inaccurate personal information.
• Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioural advertising.
• Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, contact privacy@jsworkflows.com. We will respond within 45 days.

The Service is intended for use by businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it promptly.

The JsWorkflows embedded app (within Shopify Admin) does not use tracking cookies or third-party analytics cookies. Session cookies may be set by Shopify's embedded app framework as required for authentication. Our public marketing website uses Google Analytics to understand aggregate website usage and improve the site. Google Analytics may set analytics cookies or use similar technologies, subject to Google's own privacy controls and policies.

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notice at least 14 days before they take effect. The effective date at the top of this page always reflects the most recent revision.

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

For questions, concerns, or privacy rights requests, please contact us: