Privacy Policy

Last Updated: October 23, 2025

Introduction

Shopflow AB is a SaaS platform that helps businesses aggregate and manage customer reviews from multiple platforms. Our mission is to provide businesses with efficient tools to monitor, analyze, and respond to customer feedback.

Your personal data is very important to us. You can rest assured that we make every effort to process your personal data in accordance with GDPR principles and with any other relevant privacy legislation.

GDPR

GDPR (Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) can be considered as the world's strongest set of data protection rules, which enhance how people can access information about them and places limits on what organizations can do with personal data. The regulation exists as a framework for laws across the continent and replaced the previous 1995 data protection directive. GDPR came into force on May 25, 2018.

GDPR Key Principles

At the core of GDPR are seven key principles laid out in Article 5 of the legislation, which have been designed to guide how people's data can be handled. When processing personal data, we comply with all principles below:

Lawfulness, fairness and transparency - We must identify valid grounds under GDPR for collecting and using personal data.
Purpose limitation - We must be clear about our purposes for processing from the start. Personal data can be used for only one purpose, which must be specified in our privacy notice.
Data minimization - We should not collect more personal information than we need from our users. This principle is designed to ensure we don't overreach with the type of data we collect.
Accuracy - We take all reasonable steps to ensure the personal data is not incorrect or misleading as to any matter of fact.
Storage limitation - Data must not be kept for longer than we need or are obligated to keep.
Integrity and confidentiality (security) - Personal data must be protected against "unauthorized or unlawful processing," as well as accidental loss, destruction or damage. This means that appropriate information security protections must be put in place.
Accountability - It makes us responsible for complying with the GDPR and we must be able to demonstrate our compliance.

Personal Data

This is information that allows a living (natural) person to be directly, or indirectly, identified from data that's available. This can be something obvious, such as a person's name, location data, or a clear online username, or it can be something that may be less instantly apparent: IP addresses and cookie identifiers can be considered as personal data.

Controller

Controller is the main decision-maker. They exercise overall control over the purposes and means of the processing of personal data. Shopflow AB is a Controller to your data in cases:

When you visit our website,
When you apply for a job with us or,
When you are a potential client looking for our services,
When you are our client, we are the Controller of your employees (who use our platform) personal data.

Processor

Processor acts on behalf of, and only on the instructions of, the relevant Controller. Shopflow AB acts as a Processor when we process review data from platforms such as Google and Facebook on behalf of our clients. This includes:

Aggregating and displaying customer reviews
Generating AI-powered response suggestions
Providing analytics and insights based on review data
Facilitating the publication of responses to reviews

When acting as a Processor, we process data only according to our clients' instructions and for the purposes they have determined.

Your Rights / Data Subject Rights

GDPR gives you, as a Data Subject, several rights which guarantee you that you have control over your data and you know that data is processed in accordance with legal requirements. You have the right to:

be informed about the collection and use of your personal data.
access and request copies of your personal data.
request inaccurate or outdated personal information to be updated or corrected.
request your personal data be deleted. Note that this is not an absolute right and may be subject to exemptions based on certain laws.
request the restriction or suppression of your personal data.
ask for your data to be transferred to another controller or provided to you. The data must be provided in a machine-readable electronic format.
object to the processing of your personal data.
object to decisions being made with your data solely based on automated decision making or profiling.
make a complaint to relevant Data Protection Authorities, if you think that Shopflow AB has not complied with your data protection rights.

Not all of these rights can be exercised in all situations, depending on factors such as the basis for the processing of personal data, but Shopflow AB makes every effort to ensure that your rights are respected.

Why Does Shopflow AB Collect Personal Data and What is the Legal Basis?

As stated above, Shopflow AB, acting as Controller or Processor, will require or will be obligated by law or contractual obligations to collect personal data from you. Information we collect includes both information you knowingly and actively provide us when using or participating in any of our services, and any information automatically sent by your devices in the course of accessing our platform.

Data We Collect for Our Review Management Platform

Purpose	Types of Personal Data	Legal Basis
Client Account Management To provide access to our platform	• Company information • Employee names and email addresses • Account credentials • Billing information	Contract performance - necessary to provide our services to you
Review Aggregation To collect reviews from connected platforms	• Reviewer name (as published on platform) • Review text content • Star rating • Review timestamp • Review ID • Platform source (Google, Facebook, etc.)	We process this on behalf of our clients. Our clients' legal basis is typically: • Legitimate interest (reputation management) • Processing of publicly available data
AI Response Suggestions To generate suggested responses	• Review text and context • Response patterns	Contract performance - part of our service offering Note: We do not train AI models on your data
Analytics and Insights To provide review statistics and trends	• Aggregated review data • Response metrics • Trend information	Contract performance - part of our service offering
Platform Integration To connect with review platforms	• API credentials and access tokens • Platform account identifiers	Contract performance - necessary to access review data on your behalf

How Long Will Shopflow AB Keep Your Personal Data?

We keep your personal data only for as long as we need to or we are obligated by law or contractual requirements. This time period may depend on what we are using your information for. If your personal data is no longer required, we will delete it or make it anonymous by removing all details that identify you (data anonymization).

Specifically for our review management platform:

Client account data: Retained for the duration of your subscription and for 7 years thereafter for accounting and legal compliance purposes as required by Swedish law.
Review data: Retained for as long as you maintain an active account with us. Upon account cancellation, review data is deleted within 30 days unless you request immediate deletion or have a legal obligation to retain the data.
AI-generated suggestions: Not stored permanently; generated in real-time based on current review content.
Analytics data: Aggregated statistics may be retained for up to 24 months to provide trend analysis.

However, if necessary, we may be obligated to retain your personal data for our compliance with a legal or contractual obligation.

Who Do We Share Your Personal Data With?

Shopflow AB is a Swedish company and we store and process data within Sweden and the European Economic Area (EEA). We take responsible steps to ensure that personal data is protected and any transfer complies with GDPR.

Service Providers and Subprocessors

We may share your personal data with carefully selected service providers and subprocessors who assist us in operating our platform. These include:

Cloud hosting and database providers
AI service providers for response suggestions
Payment processing services
Customer support tools

All our subprocessors guarantee that appropriate technical and organizational measures are implemented in a manner that subprocessing meets the requirements of GDPR. Our primary infrastructure providers maintain servers within Sweden and the EEA.

Review Platform Providers

To provide our services, we connect to review platforms such as Google and Facebook through their official APIs. When you authorize us to access these platforms:

We only access review data that is publicly available on these platforms
The platforms' own privacy policies and terms apply to data stored on their systems
You can revoke our access at any time through your platform account settings

Data Transfers

Shopflow AB transfers and maintains personal data on servers or databases inside the European Economic Area ("EEA"). Our service providers are contractually obligated to store our databases in European located infrastructure. However, in case of transfer outside the EEA, your personal data will still be covered by GDPR, since our partners have adopted Standard Contractual Clauses (SCCs adopted by the European Commission) in order to achieve compliance with the General Data Protection Regulation.

Legal Obligations

Shopflow AB may be obligated to share your personal data with public authorities to comply with relevant legislation.

Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or alteration. These measures include:

Encryption of data in transit and at rest
Access controls and authentication
Regular security assessments
Secure hosting within Sweden
Employee training on data protection

Third-Party Platform Access

When you connect your business accounts from platforms like Google and Facebook to Shopflow:

You explicitly authorize us to access publicly available review data through official APIs
We only request the minimum permissions necessary to provide our service
You maintain full control and can revoke access at any time
The data accessed is limited to: reviewer names, review text, ratings, timestamps, and review IDs
We do not access any other data from these platforms beyond what is necessary for review management

Automated Decision-Making

Our AI-powered response suggestion feature is a tool designed to assist you in crafting responses to reviews. It does not make automated decisions on your behalf. You maintain full control over:

Whether to use suggested responses
Editing or modifying any suggestions
When and how to publish responses

The AI suggestion feature does not train on your data or make decisions that produce legal or similarly significant effects.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes, we will update the "Last Updated" date at the top of this policy and notify our clients through email or platform notifications for significant changes.

Contact Information

Shopflow AB
Organization Number: 559471-3028
Address: Lund, Sweden
Email: joel@shopflow.se

Questions or Concerns?

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or want to understand more about how we process your data, please contact us at joel@shopflow.se.

We will respond to all requests within 7 days.