CRM Sync is a customer relationship management service operated by Story Story AI. CRM Sync synchronizes user identity, consent, segmentation, and campaign data across integrated commerce, CMS, analytics, and customer data platforms.
CRM Sync operates as a registered application on both the Shopify App Store and the Webflow Marketplace, subject to both platforms' privacy and compliance requirements.
| Entity | Details |
|---|---|
| Operator | Story Story AI |
| Contact Email | ysl@story-story.ai |
| Data Protection Contact | ysl@ysl150.com |
| Service URL | hx-crm-sync.yoonsunlee150.workers.dev |
| Category | Data Points | Source |
|---|---|---|
| Identity | Email address, first name, last name, avatar URL | Signup form, OAuth provider, Shopify |
| Authentication | Password hash (bcrypt), OAuth provider ID, session tokens | Auth flow |
| Consent | TOS, cookie, marketing, newsletter, CCPA preferences | Consent forms, UCP Dashboard, form bridge |
| Tags & Segments | CRM tags (status, tier, segment, campaign, consent) | Admin assignment, form bridge, auto-inference |
| Commerce | Shopify customer ID, order count, total spent, country | Shopify Admin API |
| Audit Trail | Consent changes with timestamp, source, session ID, IP address | All consent mutation endpoints |
| Category | Data Points | Source |
|---|---|---|
| Store Info | Shopify store domain, shop ID | OAuth install flow |
| Credentials | API tokens (encrypted), OAuth tokens | OAuth flows, config setup |
| Configuration | Sync settings, auth method preferences, integration toggles | Extension UI, setup wizard |
| Method | Description |
|---|---|
| Direct Input | Signup forms, login forms, profile updates, consent toggles, UCP Dashboard interactions |
| OAuth Flows | Google OAuth, Shopify Customer Account (PKCE), Shopify App OAuth, Webflow OAuth |
| Shopify Admin API | Customer data synced via cron (every 15 minutes) and webhooks (customers/create, customers/update) |
| Webflow CMS API | CMS item changes synced via registered webhooks |
| Form Bridge | Any HTML form with data-crm-form attribute on your Webflow site |
| Automated | IP address (for consent provenance), session identifiers, timestamps |
| Purpose | Legal Basis (GDPR) | Data Used |
|---|---|---|
| Provide the CRM service | Contract performance | Identity, auth, tags, commerce data |
| Authenticate users | Contract performance | Email, password hash, OAuth tokens |
| Manage consent preferences | Legal obligation (GDPR Art. 6, 7) | Consent records, audit trail |
| Sync data across platforms | Legitimate interest / consent | Customer profiles, tags, metafields |
| Send transactional emails | Contract performance | Email, name (via Resend) |
| Server-side analytics | Legitimate interest / consent | Tag categories, consent state (no raw PII to GA4) |
| Adobe AEP integration | Consent (explicit opt-in) | SHA-256 hashed PII only; raw PII never transmitted |
| Compliance (GDPR/CCPA) | Legal obligation | All stored data (for data requests, redaction) |
We share data only with services required to provide CRM Sync functionality. We do not sell personal data.
| Service | Data Shared | Purpose | Location |
|---|---|---|---|
| Shopify | Customer tags, metafields, consent state | Commerce sync | Global (Shopify CDN) |
| Xano | User profiles, consent records, tags, extras | Database (source of truth) | US |
| Webflow | Customer CMS items (name, email, tags, consent) | CMS publishing | US |
| Google Analytics (GA4) | Tag categories, consent state, events (no raw PII) | Analytics | US |
| Google Ads (Customer Match / Smart Bidding) | SHA-256 hashed email, conversion value, consent state | Consent-gated advertising audiences — only with your marketing consent; excluded entirely by a Do-Not-Sell/Share opt-out | US |
| Adobe Experience Platform | SHA-256 hashed PII, consent state, commerce events | CDP (if enabled) | Per tenant AEP region |
| Resend | Email address, name | Transactional email | US |
| Cloudflare | KV config, request metadata | Worker hosting, KV storage | Global (edge) |
We never share data with data brokers or any party not listed above. Advertising audience sharing (Google Ads, above) happens only under your explicit marketing consent, is suppressed the moment that consent is revoked, and is blocked outright — regardless of consent — when you enable Do Not Sell or Share My Personal Information (Privacy & Permissions → Privacy). Every inclusion or exclusion is recorded as an audited consent event.
| Data Type | Storage | Encryption |
|---|---|---|
| User profiles, consent records | Xano (managed database) | Encrypted at rest (Xano managed) |
| Config, tokens, OAuth state | Cloudflare KV | Encrypted at rest (Cloudflare managed) |
| Passwords | Xano (as bcrypt hash) | One-way hashed, not reversible |
| Session tokens | HTTP-only cookies | JWT signed with HS256; Secure, SameSite flags |
ADMIN_KEY) required on all admin and write endpointscrm_t_ tokens) with independent rotation, fail-closed authorization, and a documented key-rotation lifecycle — secrets never appear in logs, transcripts, or read-backs (see Access-Governance Model)GET /config masks all credentials; embed HTML strips all API keys| Data Type | Retention Period | Deletion Method |
|---|---|---|
| User profiles | Until account deletion or merchant request | PII anonymization via redaction endpoint |
| Consent records | Indefinite (audit requirement) | Append-only; preserved after user redaction |
| OAuth tokens | Access: 60 min; Refresh: 90 days | Auto-expired, overwritten on refresh |
| Password reset tokens | 1 hour (reset) / 24 hours (welcome) | KV TTL auto-deletion |
| OAuth state nonces | 5–10 minutes | KV TTL auto-deletion |
| Adobe IMS tokens | Per Adobe TTL (typically 24 hours) | KV TTL auto-deletion |
| Sync timestamps | Indefinite (operational) | Overwritten on each sync cycle |
In-product access: your consent and interaction history is visible at any time in Privacy & Permissions → Me → Activity log (every grant, revocation, preference save, and form interaction, timestamped and attributed to its channel), and Privacy → Export my data downloads the same records with your profile and tags — no support request required.
Under GDPR, CCPA, and other applicable privacy laws, you have the following rights:
| Right | How to Exercise | Implementation |
|---|---|---|
| Access (GDPR Art. 15) | Contact the merchant or email us | POST /gdpr/data-request compiles complete user record |
| Rectification (GDPR Art. 16) | Update via UCP Dashboard or Account page | POST /auth/profile updates name, language |
| Erasure (GDPR Art. 17) | Self-service: Account → Delete Account | POST /auth/delete-account or POST /gdpr/customer-redact |
| Portability (GDPR Art. 20) | Contact the merchant or email us | POST /gdpr/data-request returns structured JSON |
| Withdraw Consent (GDPR Art. 7) | UCP Dashboard consent toggles | Each toggle change logged to audit trail |
| Restrict Processing (GDPR Art. 18) | Contact us | We will suspend processing on request |
| Object (GDPR Art. 21) | Contact us | We will cease processing for the objected purpose |
shop/redact webhook. We acknowledge and delete stored shop data within 48 hours.Consent fires first. Measurement on our sites is denied by default and loads only after your stored consent decision is applied — on every visit, before any analytics script runs. Your choice is changeable at any time via the footer Cookie Preferences control, and fully resettable via Reset Consent. See the Consent, Cookies & Preferences guide for the full behavior.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
crm_session | JWT session token for authentication | Essential | Configurable (default 7 days) |
We set one cookie for authentication. It is httpOnly, Secure, and SameSite=None. It cannot be read by client-side JavaScript.
CRM Sync provides a configurable cookie consent banner. Users can accept or reject cookies. Cookie consent state is logged to the audit trail with provenance metadata.
We use Google Analytics 4 Measurement Protocol for server-side event tracking. This means:
crm-sync.{userId})Do Not Sell or Share My Personal Information. Signed-in users can enable this opt-out at Privacy & Permissions → Privacy (avatar menu → My Account & Privacy). It is enforced as an independent plane from cookie consent: when on, cross-context behavioral-advertising sharing — advertising audiences (Google Customer Match / Smart Bidding), partner identifier projections, and peer or AI-agent cross-context sharing — is blocked fail-closed even while your marketing consent remains granted. First-party services you consented to continue to work. The opt-out and any later change are kept as audited, timestamped consent events.
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
| Right | Implementation |
|---|---|
| Right to Know | Data request endpoint compiles all stored data |
| Right to Delete | Customer redaction endpoint anonymizes all PII |
| Right to Opt-Out of Sale | CCPA toggle in consent settings (UCP Dashboard and compliance page). We do not sell personal data. |
| Non-Discrimination | No features are gated based on privacy choices |
CRM Sync is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.
We may update this Privacy Policy from time to time. When we make material changes:
For any questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern:
| Channel | Contact |
|---|---|
| General Support | ysl@story-story.ai |
| Data Protection | ysl@ysl150.com |
| Mailing Address | Story Story AI, United States |
We aim to respond to all inquiries within 5 business days and to all formal data subject requests within 30 days.