Privacy Policy
Last updated: 21 June 2026
This Privacy Policy explains how flizz.ai ("flizz.ai", "we", "us", or "our") collects, uses, discloses, and protects personal data when you visit our website, create an account, or connect your Shopify store and Klaviyo account to our service (the "Service"). We are committed to processing personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. This policy should be read together with our Data Processing Addendum (DPA) and our Terms of Service.
1. Introduction and scope
flizz.ai is a self-serve AI application for Shopify merchants. Once you connect your Shopify store and Klaviyo account, the Service analyses your brand and store data and then builds, deploys, and optimises Klaviyo flows, forms, campaigns, and templates on your behalf. This policy applies to our marketing website, the merchant application, and the backend services that operate the Service. It does not apply to the third-party platforms you connect (such as Shopify and Klaviyo), which are governed by their own privacy policies.
2. Who we are
flizz.ai is a service operated by JMR Capital ApS, a company registered in Denmark under company registration (CVR) number 41595868, with its registered office at Automatikvej 1, 2860 Søborg, Denmark. We have not appointed a Data Protection Officer; data-protection enquiries can be sent to privacy@flizz.ai. Our lead supervisory authority is Datatilsynet (the Danish Data Protection Agency).
3. Our role: controller and processor
flizz.ai acts in two distinct roles depending on the data:
- Processor. When you use the Service as a merchant, you are the data controller for your customers' personal data, and flizz.ai acts as a data processor on your behalf. This processing is governed by our Data Processing Addendum, which forms part of our agreement with you.
- Controller. With respect to your own account information (the people who administer a merchant account), our billing and support records, security and authentication logging, and our website visitors, flizz.ai is the data controller and processes that data under this Privacy Policy.
4. Data we collect
Depending on how you interact with us, we may process the following categories of personal data.
(a) Account data. Name, business name, and work email address for the people who administer a merchant account (sign-in is passwordless — we send a one-time code / magic link to the account email, so we do not hold an account password), billing details, plus the encrypted access tokens and API keys we hold to connect to your Shopify and Klaviyo accounts.
(b) Data accessed via the Shopify Admin API. Flizz.ai requests only nine minimum-necessary, non-Protected-Customer-Data scopes: store and brand configuration, products and catalog, theme and brand assets (theme settings, logo, colours, product images), pages and articles, locales, metaobjects, and discount/voucher codes. We do not request or access any Shopify customer data (no customer name, email address, phone number, or address) and no order, checkout, or fulfilment data. The Service therefore reads no Protected Customer Data at all.
(c) Connected marketing data (Klaviyo). Subscriber lists, segments, catalog items, templates, coupon codes, and aggregate campaign and flow performance, accessed via the Klaviyo API strictly within your own Klaviyo account. End-customer profile PII remains in your Klaviyo account and is not pulled wholesale into our systems.
(d) Data collected directly from your end-customers. None. flizz.ai operates entirely server-side via the Shopify and Klaviyo APIs and does not set cookies on, or collect data directly from, your customers' browsers.
(e) Usage and technical data. Log data, IP address, device and browser information, and analytics about how the Service is used.
(f) Website data. Cookies and any analytics data collected when you browse our marketing site (see Cookies below).
5. How we use data and purpose limitation
We use personal data to provide, secure, and improve the Service; to generate and deploy marketing strategies, templates, flows, and campaigns on your behalf; to provide support; to process billing; to send service communications; and to comply with our legal obligations. Where flizz.ai acts as a processor, we process your customers' personal data only on your documented instructions and as described in our Data Processing Addendum. We do not use personal data for any purpose unrelated to operating the Service, and we do not sell or rent personal data.
6. Legal bases
Where flizz.ai is a controller, we rely on the following legal bases under the GDPR: performance of a contract (to provide the Service to you); our legitimate interests (to secure, maintain, and improve the Service); consent (for non-essential cookies and marketing communications); and compliance with legal obligations (for example, tax and accounting). Where flizz.ai is a processor, the relevant legal basis is established by you as the controller.
7. Automated decision-making, profiling, and AI
The Service uses AI systems, including third-party AI providers (OpenAI, Anthropic, and Google — our "AI Subprocessors"), to generate marketing copy, templates, segments, and recommendations, and to build audiences and targeting suggestions. This may involve profiling for marketing purposes — for example, grouping subscribers into segments based on engagement or purchase behaviour. These features do not produce legal or similarly significant effects on individuals within the meaning of Article 22 GDPR, and a merchant always remains in control of what is deployed.
By design, only brand, store and product information and merchant-authored marketing copy are sent to our AI subprocessors to generate templates and copy; your customers' personal records (names, email addresses, order details) are not part of these flows and are not sent to AI providers. We do not use your data, or your customers' data, to train AI models, and we contractually require our AI subprocessors not to train on it. The AI features are intended as minimal-risk tools under Regulation (EU) 2024/1689 (the EU AI Act). AI Output should be reviewed and validated by the merchant before use. Merchants and individuals may object to profiling or request human review by contacting privacy@flizz.ai or the relevant merchant.
8. Data isolation across our network
flizz.ai operates a network of merchant stores and continuously learns which marketing approaches perform best. We want to be explicit about what this does and does not mean for your data:
- We share winning strategies and templates — anonymized, aggregated insights about which message structures, timing, layouts, and template patterns drive results may be reused to improve recommendations across our network of stores.
- We never share a merchant's customer data between stores — subscriber lists, individual profiles, contact details, segments, and revenue figures are never disclosed, sold, or made available to any other merchant or store.
- Your data stays in your own Klaviyo account — subscriber lists, profiles, and revenue remain isolated within your own Klaviyo account. flizz.ai reads from and writes to your account to operate the Service; it does not pool your contacts with anyone else's.
In short: the knowledge of what works is shared as patterns and templates; the people behind your numbers are not.
flizz.ai does not store your customers' (shoppers') personal data in its own systems. We read it transiently through the Shopify and Klaviyo APIs to operate the Service; it remains in, and is managed through, your Shopify and Klaviyo accounts. The personal data we store in our own systems is limited to merchant account-holder and operator information, encrypted connection credentials, brand and store configuration, and non-identifying performance aggregates.
9. Sharing and subprocessors
We share personal data with vetted subprocessors that help us deliver the Service, as well as the platforms you choose to connect. Our current subprocessors are:
| Subprocessor | Purpose | Data categories | Location |
|---|---|---|---|
| Hetzner Online GmbH | Self-hosted backend, application database, and authentication (Supabase stack on our own server) | Encrypted access tokens, brand profiles, provisioning state, non-identifying performance aggregates, account/auth identities | Nuremberg, Germany (EU) — production host |
| Resend (Resend, Inc.) | Transactional and passwordless sign-in (one-time code / magic link) email via SMTP | Merchant account-holder email address | United States (EU region, eu-west-1, used); SCC / EU–US Data Privacy Framework reliance for transfers |
| Cloudflare, Inc. | DNS, CDN/TLS termination, Pages hosting, bot protection | Web request metadata, IP addresses | Global edge network (US-headquartered) |
| OpenAI, L.L.C. | AI text generation, classification, translation | Brand & product text and email/campaign copy (as prompts) | United States |
| Anthropic, PBC | AI brand-voice generation, copy review, content gating | Brand-voice corpus and email/campaign copy (as prompts) | United States |
| Google LLC (Gemini API) | AI translation and tone adaptation | Email/copy text (as prompts) | United States / global |
| Shopify (merchant-connected) | Source commerce platform | Store/brand config, products, theme/brand assets, locales, metaobjects, discounts (no customer or order data) | Merchant's Shopify region |
| Klaviyo (merchant-connected) | Marketing platform provisioned into | Templates, lists/segments, catalog, coupons, aggregate metrics | Merchant's Klaviyo region |
Our application database and authentication run on a self-hosted Supabase stack on our own EU server (Hetzner, Nuremberg, Germany), so we do not engage a separate managed database or authentication subprocessor.
All subprocessors are bound by written terms at least as protective as our own obligations and may use the data solely to provide services to flizz.ai. We do not sell or rent personal data and do not use it for any purpose unrelated to operating the Service.
10. International transfers
Our production backend, database, and authentication are self-hosted on our own infrastructure in the European Union (Hetzner, Nuremberg, Germany). The routine cross-border flows are merchant-derived content sent to our US-based AI Subprocessors (OpenAI, Anthropic, Google), transactional and passwordless sign-in email handled by Resend (US), and edge/DNS traffic handled by Cloudflare. Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the EU–US Data Privacy Framework where the importer is certified), together with supplementary measures such as encryption in transit.
11. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected. Specific retention periods are:
- Merchant account & connection records (incl. encrypted API tokens): life of the account; deleted within 30 days of account closure.
- Stored Shopify access credentials & connection record after app uninstall: deleted on Shopify shop/redact (sent ~48 hours after uninstall); the encrypted access token is also revoked immediately on uninstall.
- End-customer data subject to a deletion request: we do not store your customers' personal data in our own systems, so there is nothing for us to erase on a Shopify customers/redact; should we ever store such data in future, it would be deleted within 30 days.
- Aggregated, non-identifying performance data: up to 24 months.
- Billing & tax records: as required by Danish law (typically 5 years).
- Server & authentication logs: up to 90 days.
- AI prompts: processed transiently and not retained to train models.
12. Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict, or object to the processing of your personal data, the right to data portability, and the right to withdraw consent. You also have the right to lodge a complaint with your local supervisory authority — for us, Datatilsynet (the Danish Data Protection Agency). To exercise these rights with respect to data for which we are the controller, contact privacy@flizz.ai. If your request concerns data held on behalf of a merchant, we will direct you to the relevant merchant, who is the controller, or assist that merchant in responding.
13. Shopify data-subject requests and deletion
flizz.ai implements Shopify's mandatory, HMAC-verified privacy webhooks. Because we do not retain your customers' personal data in our own systems, a customers/data_request has no stored shopper data for us to compile and a customers/redact has none for us to erase — that data resides in, and is managed through, your Shopify and Klaviyo accounts; we log and acknowledge each request and will action anything we do hold (and, should we ever store such data in future, delete it within 30 days). On shop/redact (sent ~48 hours after uninstall) we delete the merchant's stored Shopify access credentials and connection record; the encrypted access token is also revoked immediately on uninstall. Remaining non-personal store configuration is removed in line with our retention schedule.
14. Security
We implement appropriate technical and organisational measures to protect personal data: encryption in transit (TLS) for all connections; encryption at rest of access tokens and credentials using AES-256-GCM; least-privilege access controls and segregation of duties; passwordless authentication for the portal (email one-time code / magic link), with multi-factor authentication available for administrative access; EU-resident production hosting (self-hosted on Hetzner infrastructure in Nuremberg, Germany); separation of development and production environments; logging and monitoring of access to personal data; a documented security-incident and breach-response process; and secure software-development practices. flizz.ai has not yet obtained third-party certifications such as SOC 2 or ISO 27001; if and when it does, it will make summaries available on request. These measures are described in more detail in Schedule 2 of our Data Processing Addendum. No method of transmission or storage is completely secure, but we work continuously to safeguard the data entrusted to us.
15. Cookies
Our website uses only the essential cookies required for it to function. We do not currently use advertising or cross-site tracking cookies. If we introduce non-essential analytics cookies in the future, we will ask for your consent first. You can manage or block cookies at any time through your browser settings.
16. US / California privacy (CCPA/CPRA)
California residents: we do not sell your personal information and do not share it for cross-context behavioural advertising (as defined by the CCPA/CPRA). For end-customer data processed on behalf of a merchant, flizz.ai acts as a service provider and uses it only to perform the Service; it will not retain, use, or disclose it for any other purpose or combine it with other data except as permitted. As we do not sell or share personal information, there is no sale or sharing for a Global Privacy Control (GPC) signal to act on; we honour such signals to the extent applicable. Requests: privacy@flizz.ai.
17. Children
The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from children, and the Service must not be used to process the personal data of individuals known to be under the age of 16. If you believe a child's data has reached us, contact privacy@flizz.ai and we will delete it.
18. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. Material changes will be communicated through the Service or by email.
19. Contact
For any questions about this Privacy Policy or our handling of personal data, contact us at privacy@flizz.ai.