Privacy Policy

1. Who we are

BLV Flows ("we", "us", "our") is a customer-engagement automation platform for Shopify e-commerce stores. We help store owners ("Merchants") send email, WhatsApp, and AI-assisted messages to their own customers ("Customers"). The Merchant is the data controller for their Customer data; BLV Flows acts as a data processor on the Merchant's instructions.

2. What we collect

When a Merchant connects their Shopify store to BLV Flows, we receive:

• Customer name, email address, and phone number
• Order history, abandoned-cart data, and product purchase records
• Inbound and outbound WhatsApp / email conversation history
• Delivery, open, click, and bounce events from email and WhatsApp providers
• Birthday or other custom fields the Merchant chooses to share

We do not collect payment-card numbers, government IDs, or biometric data.

3. How we use it

We process Customer data only to perform the services contracted by the Merchant. Concrete uses:

• Send abandoned-cart-recovery messages
• Send order confirmation, shipping update, and cash-on-delivery confirmation messages
• Power AI-driven customer-support conversations on the Merchant's behalf
• Track delivery receipts, opens, and clicks for Merchant analytics
• Honour opt-out and unsubscribe requests

We do not sell Customer data and we do not use it for our own marketing.

4. Who we share it with

We share Customer data with the following sub-processors:

• Meta Platforms, Inc. — to deliver messages via the WhatsApp Business Cloud API.
• Resend, Inc. — to deliver email messages.
• OpenRouter — to power AI-assisted customer conversations.
• Supabase, Inc. — our database and authentication host (data centre region: EU-West-2).
• Vercel, Inc. — our application hosting provider.
• Upstash, Inc. — our queue and rate-limit infrastructure (no Customer PII processed).

5. Your rights

Under the Egyptian Personal Data Protection Law (No. 151/2020) and, where applicable, the EU General Data Protection Regulation (GDPR), Customers may:

• Request a copy of their data — contact the Merchant (the data controller). Merchants forward the request to us if needed.
• Request deletion — Shopify forwards GDPR deletion requests to us via the customers/redact webhook.
• Opt out of WhatsApp messages — reply STOP, UNSUBSCRIBE, or إيقاف to any BLV-sent WhatsApp message.
• Opt out of email — click unsubscribe in any email footer.

6. Retention

Customer data is retained for as long as the Merchant's BLV Flows subscription is active. On Merchant cancellation, all tenant-scoped data is deleted within 30 days. Aggregate, anonymised analytics may be retained indefinitely.

7. Security

• All data in transit is encrypted via TLS 1.2 or higher.
• Database access is enforced by row-level security policies on every tenant-scoped table.
• API tokens (Shopify, WhatsApp, Resend, OpenRouter) are stored encrypted at rest.
• Service-role credentials are stored as environment secrets and are never committed to source control.

8. International transfers

Our primary infrastructure is hosted in the European Union (Supabase EU-West-2). Some sub-processors (Meta, Vercel, Upstash, OpenRouter) operate globally. Where data is transferred outside the EU/Egypt, it is protected by the relevant Standard Contractual Clauses or each provider's equivalent transfer mechanism.

9. Children

BLV Flows is a B2B platform. We do not knowingly process data from individuals under 16.

10. Changes

We may update this policy. The "Last updated" date above always reflects the current version. Material changes will be notified to Merchants via the dashboard.

11. Contact

Privacy questions: privacy@blvflows.com
General support: support@blvflows.com