Privacy Policy

CRM Sync — Effective Date: May 17, 2026 · Last Updated: May 17, 2026

Contents

  1. Who We Are
  2. Data We Collect
  3. How We Collect Data
  4. How We Use Your Data
  5. Data Sharing & Third Parties
  6. Data Storage & Security
  7. Data Retention
  8. Your Rights
  9. Cookies & Tracking
  10. California Privacy Rights (CCPA)
  11. Children's Privacy
  12. Changes to This Policy
  13. Contact Us

1. Who We Are

CRM Sync is a customer relationship management service operated by Story Story AI. CRM Sync synchronizes user identity, consent, segmentation, and campaign data across integrated commerce, CMS, analytics, and customer data platforms.

CRM Sync operates as a registered application on both the Shopify App Store and the Webflow Marketplace, subject to both platforms' privacy and compliance requirements.

EntityDetails
OperatorStory Story AI
Contact Emailysl@story-story.ai
Data Protection Contactysl@ysl150.com
Service URLhx-crm-sync.yoonsunlee150.workers.dev

2. Data We Collect

2.1 Data Collected from End Users (Your Customers)

CategoryData PointsSource
IdentityEmail address, first name, last name, avatar URLSignup form, OAuth provider, Shopify
AuthenticationPassword hash (bcrypt), OAuth provider ID, session tokensAuth flow
ConsentTOS, cookie, marketing, newsletter, CCPA preferencesConsent forms, UCP Dashboard, form bridge
Tags & SegmentsCRM tags (status, tier, segment, campaign, consent)Admin assignment, form bridge, auto-inference
CommerceShopify customer ID, order count, total spent, countryShopify Admin API
Audit TrailConsent changes with timestamp, source, session ID, IP addressAll consent mutation endpoints

2.2 Data Collected from Merchants (App Users)

CategoryData PointsSource
Store InfoShopify store domain, shop IDOAuth install flow
CredentialsAPI tokens (encrypted), OAuth tokensOAuth flows, config setup
ConfigurationSync settings, auth method preferences, integration togglesExtension UI, setup wizard

2.3 Data We Do NOT Collect

3. How We Collect Data

MethodDescription
Direct InputSignup forms, login forms, profile updates, consent toggles, UCP Dashboard interactions
OAuth FlowsGoogle OAuth, Shopify Customer Account (PKCE), Shopify App OAuth, Webflow OAuth
Shopify Admin APICustomer data synced via cron (every 15 minutes) and webhooks (customers/create, customers/update)
Webflow CMS APICMS item changes synced via registered webhooks
Form BridgeAny HTML form with data-crm-form attribute on your Webflow site
AutomatedIP address (for consent provenance), session identifiers, timestamps

4. How We Use Your Data

PurposeLegal Basis (GDPR)Data Used
Provide the CRM serviceContract performanceIdentity, auth, tags, commerce data
Authenticate usersContract performanceEmail, password hash, OAuth tokens
Manage consent preferencesLegal obligation (GDPR Art. 6, 7)Consent records, audit trail
Sync data across platformsLegitimate interest / consentCustomer profiles, tags, metafields
Send transactional emailsContract performanceEmail, name (via Resend)
Server-side analyticsLegitimate interest / consentTag categories, consent state (no raw PII to GA4)
Adobe AEP integrationConsent (explicit opt-in)SHA-256 hashed PII only; raw PII never transmitted
Compliance (GDPR/CCPA)Legal obligationAll stored data (for data requests, redaction)
PII Hashing for Adobe AEP: When Adobe Experience Platform integration is enabled, personal data (email, phone, name) is hashed using SHA-256 before transmission. Raw PII never leaves our worker. The hashing occurs server-side using the Web Crypto API.

5. Data Sharing & Third Parties

We share data only with services required to provide CRM Sync functionality. We do not sell personal data.

ServiceData SharedPurposeLocation
ShopifyCustomer tags, metafields, consent stateCommerce syncGlobal (Shopify CDN)
XanoUser profiles, consent records, tags, extrasDatabase (source of truth)US
WebflowCustomer CMS items (name, email, tags, consent)CMS publishingUS
Google Analytics (GA4)Tag categories, consent state, events (no raw PII)AnalyticsUS
Google Ads (Customer Match / Smart Bidding)SHA-256 hashed email, conversion value, consent stateConsent-gated advertising audiences — only with your marketing consent; excluded entirely by a Do-Not-Sell/Share opt-outUS
Adobe Experience PlatformSHA-256 hashed PII, consent state, commerce eventsCDP (if enabled)Per tenant AEP region
ResendEmail address, nameTransactional emailUS
CloudflareKV config, request metadataWorker hosting, KV storageGlobal (edge)

We never share data with data brokers or any party not listed above. Advertising audience sharing (Google Ads, above) happens only under your explicit marketing consent, is suppressed the moment that consent is revoked, and is blocked outright — regardless of consent — when you enable Do Not Sell or Share My Personal Information (Privacy & Permissions → Privacy). Every inclusion or exclusion is recorded as an audited consent event.

6. Data Storage & Security

6.1 Where Data Is Stored

Data TypeStorageEncryption
User profiles, consent recordsXano (managed database)Encrypted at rest (Xano managed)
Config, tokens, OAuth stateCloudflare KVEncrypted at rest (Cloudflare managed)
PasswordsXano (as bcrypt hash)One-way hashed, not reversible
Session tokensHTTP-only cookiesJWT signed with HS256; Secure, SameSite flags

6.2 Security Measures

7. Data Retention

Data TypeRetention PeriodDeletion Method
User profilesUntil account deletion or merchant requestPII anonymization via redaction endpoint
Consent recordsIndefinite (audit requirement)Append-only; preserved after user redaction
OAuth tokensAccess: 60 min; Refresh: 90 daysAuto-expired, overwritten on refresh
Password reset tokens1 hour (reset) / 24 hours (welcome)KV TTL auto-deletion
OAuth state nonces5–10 minutesKV TTL auto-deletion
Adobe IMS tokensPer Adobe TTL (typically 24 hours)KV TTL auto-deletion
Sync timestampsIndefinite (operational)Overwritten on each sync cycle

8. Your Rights

In-product access: your consent and interaction history is visible at any time in Privacy & Permissions → Me → Activity log (every grant, revocation, preference save, and form interaction, timestamped and attributed to its channel), and Privacy → Export my data downloads the same records with your profile and tags — no support request required.

8.1 For End Users (Customers)

Under GDPR, CCPA, and other applicable privacy laws, you have the following rights:

RightHow to ExerciseImplementation
Access (GDPR Art. 15)Contact the merchant or email usPOST /gdpr/data-request compiles complete user record
Rectification (GDPR Art. 16)Update via UCP Dashboard or Account pagePOST /auth/profile updates name, language
Erasure (GDPR Art. 17)Self-service: Account → Delete AccountPOST /auth/delete-account or POST /gdpr/customer-redact
Portability (GDPR Art. 20)Contact the merchant or email usPOST /gdpr/data-request returns structured JSON
Withdraw Consent (GDPR Art. 7)UCP Dashboard consent togglesEach toggle change logged to audit trail
Restrict Processing (GDPR Art. 18)Contact usWe will suspend processing on request
Object (GDPR Art. 21)Contact usWe will cease processing for the objected purpose

8.2 For Merchants (App Users)

Response Time: We respond to all data subject requests within 30 days, as required by GDPR. For CCPA requests, we respond within 45 days.

9. Cookies & Tracking

Consent fires first. Measurement on our sites is denied by default and loads only after your stored consent decision is applied — on every visit, before any analytics script runs. Your choice is changeable at any time via the footer Cookie Preferences control, and fully resettable via Reset Consent. See the Consent, Cookies & Preferences guide for the full behavior.

9.1 Cookies We Set

CookiePurposeTypeDuration
crm_sessionJWT session token for authenticationEssentialConfigurable (default 7 days)

We set one cookie for authentication. It is httpOnly, Secure, and SameSite=None. It cannot be read by client-side JavaScript.

9.2 Cookie Consent

CRM Sync provides a configurable cookie consent banner. Users can accept or reject cookies. Cookie consent state is logged to the audit trail with provenance metadata.

9.3 Server-Side Analytics

We use Google Analytics 4 Measurement Protocol for server-side event tracking. This means:

10. California Privacy Rights (CCPA)

Do Not Sell or Share My Personal Information. Signed-in users can enable this opt-out at Privacy & Permissions → Privacy (avatar menu → My Account & Privacy). It is enforced as an independent plane from cookie consent: when on, cross-context behavioral-advertising sharing — advertising audiences (Google Customer Match / Smart Bidding), partner identifier projections, and peer or AI-agent cross-context sharing — is blocked fail-closed even while your marketing consent remains granted. First-party services you consented to continue to work. The opt-out and any later change are kept as audited, timestamped consent events.

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

RightImplementation
Right to KnowData request endpoint compiles all stored data
Right to DeleteCustomer redaction endpoint anonymizes all PII
Right to Opt-Out of SaleCCPA toggle in consent settings (UCP Dashboard and compliance page). We do not sell personal data.
Non-DiscriminationNo features are gated based on privacy choices

11. Children's Privacy

CRM Sync is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

13. Contact Us

For any questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern:

ChannelContact
General Supportysl@story-story.ai
Data Protectionysl@ysl150.com
Mailing AddressStory Story AI, United States

We aim to respond to all inquiries within 5 business days and to all formal data subject requests within 30 days.