Privacy Policy

Last updated: March 15, 2026

1. Data We Collect

FoodFlex collects the following data to provide meal customization services to your Shopify store:

  • Merchant data: Shop domain, billing plan, store settings, and meal/menu configurations
  • Customer data: Shopify customer ID, dietary preferences, saved meal favorites, and order history (when customers interact with the FoodFlex widget on your storefront)
  • Nutrition data: Ingredient nutrition information and allergen data entered by merchants
  • Analytics data: Aggregated usage metrics such as meal views, customizations, and cart additions (Enterprise plan only)

2. How We Use Your Data

  • Service delivery: Displaying meal customization options, calculating nutrition and pricing, processing orders
  • Personalization: Recommending meals based on dietary preferences and past selections
  • Analytics: Providing merchants with aggregated insights about meal popularity and customer behavior
  • Billing: Managing subscription tiers and feature access

3. Data Storage

  • Business data (meals, orders, settings) is stored in MongoDB with encryption at rest
  • Session data is stored via Prisma (PostgreSQL in production)
  • Temporary cache data may be stored in Redis for performance optimization
  • All data is hosted on secure, industry-standard cloud infrastructure

4. Data Sharing

FoodFlex does not sell, rent, or share your data with third parties. Data is only used to provide the FoodFlex service within your Shopify store.

5. Data Retention

  • Analytics events: Automatically deleted after 90 days via TTL index
  • Orders: Retained for the lifetime of the merchant’s account
  • Customer profiles: Retained until the customer requests deletion or the merchant uninstalls the app
  • Meal configurations: Retained until deleted by the merchant or the app is uninstalled

6. GDPR Compliance

FoodFlex fully complies with GDPR and Shopify’s data protection requirements:

  • Data export: We respond to customer data requests via Shopify’s customers/data_request webhook
  • Data deletion: Customer data is deleted upon receiving Shopify’s customers/redact webhook
  • Shop data deletion: All merchant data is deleted upon receiving Shopify’s shop/redact webhook after app uninstallation

7. CCPA Compliance

For California residents, FoodFlex complies with the California Consumer Privacy Act (CCPA):

  • Right to know: You may request details about the personal information we collect and how it is used
  • Right to delete: You may request deletion of your personal information
  • Right to opt-out: FoodFlex does not sell personal information. No opt-out is necessary.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights

8. Cookies

FoodFlex uses only essential cookies required for the service to function:

  • Session cookies: Required for Shopify authentication and admin panel access
  • Preference cookies: Store your cookie consent choice and UI preferences (e.g., tour completion status)

FoodFlex does not use tracking cookies, advertising cookies, or third-party analytics cookies. No data is shared with advertising networks.

9. Security

We protect your data with:

  • HTTPS encryption for all data in transit
  • Shopify session authentication for all admin API requests
  • HMAC signature verification for storefront API requests via Shopify App Proxy
  • Rate limiting on all public-facing endpoints
  • Input validation and sanitization on all API routes

10. Contact

For privacy-related questions or data requests, contact us at: privacy@foodflex.to