Privacy
How we handle your data.
In plain English
We collect only what we need to score and fix your product catalog. We do not sell data, ever. We host in the UK/EU, we delete tokens within 60 seconds of uninstall, our free one-time-secret tool at /secret encrypts in your browser so we never hold the key, and if you connect your Google Merchant Center we hold a single read-only refresh token encrypted at rest until you disconnect — full Limited Use attestation in clause 11. You can ask us to delete everything else at any time by sending a message via our contact form (Privacy topic).
Last updated:
Who we are
Flintmere is a trading name of Eazy Access Ltd, a company registered in England and Wales (Companies House number 13205428). Flintmere is the data controller for personal data you share with our website, the public scanner at audit.flintmere.com, and the Shopify app at app.flintmere.com.
Questions, access requests, or complaints: send a message via our contact form (Privacy topic). Accountable director: Abdur-Rahman Morris.
What data we collect
We collect five categories of data:
- Scanner input. The Shopify store URL you submit, the IP address that submitted it (for rate limiting and abuse prevention), and the public data we then fetch from that store (/products.json, sitemap, JSON-LD samples).
- Lead capture. If you submit your email for the full report, we store that email, the scan ID it relates to, and your stated consent flags. That’s it — we do not ask for your name, company size, or phone number.
- Contact form messages. If you send us a message via the contact form, we store your name, email, message, optional company and Shopify domain, the topic you picked, and a SHA-256 hash of your IP address (no raw IP) plus your user agent for abuse investigation. The IP-hash signal used to rate-limit the form itself lives only in process memory and is never written to disk.
- Shopify app data. If you install the Shopify app, we receive an OAuth access token, your shop domain, and — scope-limited to read_products and write_products — your product catalog, variants, and metafields. We do not request customer, order, or financial scopes.
- Google Merchant Center data (only if you connect). If you grant us read-only access to your Google Merchant Center via Google’s OAuth flow, we receive a refresh token plus account-level and product-level diagnostic data: your GMC account ID, per-product disapproval status, the disapproval reasons Google has recorded, and aggregate destination counts. We do not request, receive, or store customer-level GMC data or financial reports, and we do not call any GMC method that writes to your account. Full treatment in clause 11.
- GMC pre-verification waiting list (only if you ask). While Google’s Trust & Safety review of our integration is still in flight, the connect surface offers a request-access form instead of starting the OAuth flow. If you submit, we store your email, the audit ID that brought you to the page, your shop URL, and any optional message you leave. We use this only to email you when access opens. Full treatment in clause 11.
We do not collect special-category data, children’s data, or payment card data (Stripe handles payment data directly; we only see the payment reference).
Lawful basis under UK GDPR
- Scanner (public fetch + results display): legitimate interest — you actively entered a URL to have it analysed.
- Lead capture emails: consent — you tick the box before we send the report.
- Contact form messages: legitimate interest — you sent us a message asking for a reply, so we have a clear basis to handle it. Where the message becomes a continuing conversation, performance of pre-contractual or contractual steps applies.
- Shopify app: contract performance — we cannot deliver the service you installed without processing the catalog data.
- Google Merchant Center integration: consent — your OAuth grant via Google’s consent screen is the lawful basis. You can revoke at any time and we honour the revoke within seconds (clause 11).
- Sub-processor sharing: necessary for performance of the contract above.
How long we keep it
- Scanner results: 90 days, then deleted.
- Email leads: until you unsubscribe (one-click RFC 8058 in every report email), then purged within 30 days.
- Contact form messages: kept while the conversation is open. Resolved threads (responded, archived, or marked spam) are retained for up to 24 months from last contact, then hard-deleted by a daily scheduled job. Open threads (new or acknowledged) are not purged on a schedule — those still need a reply. The IP-hash and user-agent on each row are deleted with the row. Right to erasure (clause 09) applies — request deletion at any time and we honour it within 30 days.
- Shopify access token: scrubbed within 60 seconds of the app/uninstalled webhook.
- Shopify catalog snapshot + scores: 30-day grace window after uninstall (so a reinstall is seamless), then fully purged.
- Google Merchant Center refresh token: kept until you disconnect (or Google revokes access on your behalf), then zeroed at rest within seconds and the row purged within 30 days for audit-trail purposes.
- Google Merchant Center diagnostic data: joins your scan record under the same 90-day retention as scanner results; deleted on the same schedule.
- GMC pre-verification waiting-list entries: kept until we send the access-opens notification, then deleted within 30 days. Maximum lifetime 12 months from creation regardless of notification status. Right to erasure (clause 09) applies — ask via the contact form (Privacy topic) and we honour within 30 days.
- Stripe concierge audit records: kept for 7 years (HMRC requirement for invoices).
- Server logs: 90 days hot, then archived to cold storage for up to 13 months for fraud and abuse investigations.
Who we share it with (sub-processors)
We use the following processors. Each is bound by a written data processing agreement. None receive more data than required.
- Google Vertex AI (europe-west1) — LLM inference for Tier 2 enrichments.
- OpenAI, OpenAI Ireland Operations Limited (US routing) — LLM fallback when Vertex AI errors. Project-scoped key, store: false on every request to suppress application-state retention. OpenAI’s separate abuse-monitoring retention (up to 30 days) applies; we do not have a Zero Data Retention amendment on this account tier. Triggered on <1% of LLM calls. Per ADR 0010.
- Resend (EU) — transactional email (report delivery, app alerts).
- Stripe (UK/Ireland) — payment processing for concierge audits, Agency, and Plus tiers.
- Sentry (EU) — error tracking. PII scrubbed at source.
- Plausible Analytics (Plausible Insights OÜ, Estonia · EU) — cookieless product analytics. No IP storage, no cross-site tracking, no advertising profile. Per ADR 0013.
- BetterStack (EU) — uptime monitoring (no user data).
- Digital Ocean (UK) + Coolify — infrastructure.
- GS1 GEPIR (optional, rate-limited) — GTIN verification.
International transfers
Most processing is within the UK/EU (including our Vertex AI region pin to europe-west1). Any transfer outside the UK/EEA happens only under an adequacy decision or Standard Contractual Clauses (SCCs) as published by the European Commission, supplemented where required. We do not transfer data to countries without adequate safeguards.
Your rights
Under UK GDPR you have the right to:
- Ask what we hold about you (subject access request)
- Have inaccurate data corrected
- Have your data deleted (right to be forgotten)
- Restrict or object to our processing
- Receive your data in a machine-readable format (portability)
- Withdraw consent at any time
Send a message via our contact form (Privacy topic). We respond within 30 days and usually within three working days.
Eazy Access Ltd is registered with the Information Commissioner’s Office (ICO) as a data controller — registration number ZC137268.
If you’re not satisfied with our response you can complain to the ICO: ico.org.uk/make-a-complaint.
Security
Shopify access tokens and Google Merchant Center refresh tokens are encrypted at rest with AES-256-GCM, each under a separate environment-held key isolated from the other (a compromise of one key does not expose the other). All webhooks are HMAC-verified. All traffic uses TLS 1.2 or higher. We run regular dependency scans and follow a documented incident-response procedure. Full details: flintmere.com/security.
Cookies
We use one functional cookie on audit.flintmere.com for CSRF protection. We do not use tracking, analytics, or advertising cookies on the marketing site. Full details: flintmere.com/cookies.
One-time-secret service
We operate a free one-time-secret tool at flintmere.com/secret for transferring sensitive values from sender to recipient through a single-use URL. We built it originally for handing read-only Shopify Admin API tokens to the audit team during concierge fulfilment, and it stayed nice enough to publish — anyone can use it for any one-shot secret transfer between consenting parties. The flow is zero-knowledge by design:
- Encryption happens in your browser before anything leaves your device. We use AES-256-GCM via the Web Crypto API.
- The decryption key sits in the URL fragment (the part after #), which by RFC 3986 §3.5 is never sent to our servers. We hold the ciphertext only and have no way to decrypt past secrets, even with full database access.
- Retention: each secret burns on first read (atomic claim — only one viewer wins) or expires 24 hours after creation, whichever comes first. After consumption or expiry, only an opaque ID and timestamps remain in the database for ~30 days for abuse investigation, never the ciphertext.
- What we log: a SHA-256 hash of the IP address that created the secret (for rate limiting), and the consumption timestamp. Never the secret content; we cannot log what we cannot read.
Acceptable-use rules — what the tool is for, and what gets you banned — live in our Terms (clause 05).
Google Merchant Center integration
If you choose to connect your Google Merchant Center (GMC) account to us, we receive read-only diagnostic data about your product feed directly from Google. This integration is optional, granted by you through Google’s standard OAuth consent screen, and revocable at any time.
Pre-verification waiting list. While Google’s Trust & Safety review of our integration is still in flight, the connect surface captures expressions of interest instead of starting the OAuth flow. If you submit your details there, we store your email, the audit ID that brought you to the page, your shop URL, and any optional message you leave. We use this only to write to you the day access opens — at most a single email, after which the row’s purpose is fulfilled. You can ask us to delete your row at any time via the contact form (Privacy topic); retention details in clause 04.
Scope. We request a single OAuth scope: https://www.googleapis.com/auth/content — Google’s Content API for Shopping scope. We restrict our use to read-only API methods: accounts.list, accountstatuses.get, productstatuses.list, and accounts.reports.search. We do not call any method that writes to your GMC account, products, settings, or feeds. Google does not currently publish a separate read-only variant of this scope; the read-only commitment is enforced at our call-site.
Data we receive. Your GMC account ID, per-product status (approved / disapproved / pending), the human-readable disapproval reasons Google records against each product, and aggregate counts. We do not receive customer data, order data, financial reports, or any data Google holds about your buyers.
How we use it. Strictly to produce your audit deliverable — the report we hand back to you with the issues we found and the fixes we recommend. Google’s ground-truth replaces our modelled estimates where we have it, so you get a sharper diagnostic.
Storage. Your refresh token is encrypted at rest using AES-256-GCM with a key held outside the database. Access tokens are never written to disk — they are rotated on demand from the refresh token and held only in process memory. The diagnostic data Google returns joins your scan record under the same retention as your other scan results.
Limited Use compliance. Our use of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements:
- We do not allow humans to read GMC data except (a) with your specific consent, (b) for security purposes such as investigating abuse, (c) when required by law, or (d) when the data has been aggregated and anonymised for product improvement.
- We do not transfer GMC data to others except as necessary to provide or improve the audit, and only under written contract with the same Limited Use commitments.
- We do not use GMC data for advertising, including retargeting, personalised advertising, or interest-based advertising.
- We do not sell GMC data to anyone, ever, under any circumstance.
Your control. You can disconnect at any time — either from your Flintmere audit dashboard or directly from your Google Account at myaccount.google.com/permissions. When you disconnect, we revoke the token at Google, zero the stored ciphertext within seconds, and purge the row within 30 days. The diagnostic data Google previously returned to us continues under its existing 90-day scan retention, or earlier if you exercise your right to erasure (clause 07).
Sub-processing. Google is the upstream source of this data, not our sub-processor — you authorise the data flow directly via OAuth. The diagnostic data we receive flows through the same UK/EU infrastructure listed in clause 05; no additional third party sees it.
Changes to this policy
If we make material changes, we’ll email Shopify app users 30 days in advance and update the “Last updated” date at the top of this page. Non-material corrections (typos, clarifying language) are pushed without notice but always reflected in the date.