This policy explains what data FormFence collects, how it uses that data, and your rights over it. It applies to the FormFence app installed on a Shopify store and to the data the app processes on behalf of that store.
Who runs FormFence
FormFence is operated by Harbour Labs Digital Ltd (“Harbour Labs”, “we”, “us”), registered in England & Wales under company number 17200663. Where this policy refers to personal data, Harbour Labs is the data controller for our own business records and the data processor for data submitted to a merchant's contact form (with the merchant as the controller).
If you have any questions about this policy, email formfence@harbourlabs.app.
What data FormFence collects
From merchants who install the app
When you install FormFence on your Shopify store, we receive and store:
- Your shop's myshopify.com domain
- The OAuth access token that lets the app act on your store's behalf (encrypted at rest)
- Your settings: support email, business name (if you set one), sensitivity level, any custom patterns or allow lists you configure
- A randomised seed used to generate per-shop honeypot field names
From submissions to your contact form
For each submission that hits a contact form FormFence is protecting:
- The submitter's name (as entered)
- The submitter's email address (as entered)
- The submitter's phone number, when the merchant enables the phone field on the form (as entered)
- The subject line (as entered)
- The message body (truncated to 5 KB)
- The verdict (passed or blocked) and which rules matched
- A SHA-256 hash of the submitter's IP address
- The raw IP address, kept for 7 days then automatically scrubbed
- Geo-IP lookup of the submitter IP at submit time (country, region, city). This lookup happens locally against a bundled MaxMind GeoLite2 dataset and involves no third-party request. The resolved location is stored on the submission row so it survives the 7-day raw-IP scrub; merchants see the location (“London, United Kingdom”) in the admin instead of the IP itself.
- The timestamp
The text content of the submission is stored as-is so you can read genuine enquiries and review what was blocked. It is never shared, sold, or used to train any third-party model.
From borderline cases sent to the AI classifier
When the rule-based detection layers can't decide whether a submission is spam, FormFence sends the message (name, email, subject, body) to Anthropic Claude Haiku via Vercel AI Gateway for a second-opinion classification. Only borderline submissions trigger this; clearly-legitimate or clearly-spam messages are decided by the rules alone and never sent to the AI provider. Both providers operate under zero-data-retention terms, meaning the message is processed in memory and not stored on their servers.
Each shop can opt out of the AI classifier in the Settings page; with it off, only rule-based detection is used and no submission text is ever sent to an AI provider.
From your use of the dashboard
We log uncaught application errors via Sentry. These error reports contain no submission content. They may include the shop domain and the request path so we can debug.
How FormFence uses the data
- To detect spam. The honeypot, rate-limit, disposable-email, content-pattern, and weighted-vocabulary checks run on every submission to decide whether it is spam.
- To classify borderline cases. When the rule-based checks can't decide, the submission is sent to Anthropic Claude Haiku via Vercel AI Gateway for a second opinion (zero data retention). Merchants can opt out of this on the Settings page.
- To show you what happened. The dashboard and logs read the same data back so you can see what was blocked and why. The merchant sees a city-and-country location for the sender (derived from the IP at submit time) but never the raw IP.
- To send replies you compose. When you reply to a passed submission from inside FormFence, we send the reply via Resend from your verified sending domain. Customer responses go to your support email, not to FormFence.
- To enforce limits. The 7-day IP scrub, 30-day passed-row retention, and per-shop blocked-row cap run on a daily schedule.
- To improve the product in aggregate. Submission patterns inform how we tune rules over time. We never use the content of individual submissions for any purpose other than serving your store.
Sub-processors
FormFence runs on these third-party services, each of which processes some of the data above on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Shopify | App platform, OAuth, billing | Global |
| Vercel | App hosting, serverless functions | EU (Stockholm) |
| Supabase | Postgres database | EU (Stockholm) |
| Resend | Outbound email replies | US |
| Sentry | Error monitoring | EU (Stockholm, eu-north-1) |
| Vercel AI Gateway | Routing layer for AI classifier requests; zero data retention | US (routed through nearest edge) |
| Anthropic | AI classifier (Claude Haiku) for borderline-spam classification; zero data retention | US |
Each provider has their own privacy notice and processes data on our written instructions only. The Vercel AI Gateway and Anthropic sub-processors are only used when the AI classifier is enabled for a shop (default on, opt-out from the Settings page) and only receive the contents of submissions the rules couldn't decide on.
Retention
| Data | Retention |
|---|---|
| Merchant OAuth token | Until the app is uninstalled |
| Merchant settings | Until the app is uninstalled |
| Raw IP addresses on submissions | 7 days |
| Hashed IP addresses | Same as the submission row |
| Passed submissions (legitimate enquiries) | 30 days |
| Blocked submissions | 10,000 most-recent per shop, older rows pruned |
| Reply records sent via Resend | Same as the parent submission (cascade delete) |
When you uninstall FormFence, we receive Shopify's app/uninstalled webhook and delete all data for your shop.
Your rights (UK GDPR / EU GDPR)
If you are based in the UK or EU, you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data erased
- Restrict or object to processing
- Data portability
To exercise any of these rights, email formfence@harbourlabs.app. We respond within 30 days.
How submitter data requests are handled
FormFence implements Shopify's three mandatory data-protection webhooks:
- customers/data_request: when a merchant's customer requests a copy of their data, Shopify forwards the request to us. We respond with any submissions FormFence has from that customer's email address.
- customers/redact: when a customer requests deletion, Shopify forwards the request to us. We permanently delete all submissions matching that customer's email address or phone number.
- shop/redact: 48 hours after the app is uninstalled, Shopify forwards a final delete request and we erase any residual data.
International transfers
Data may be transferred outside the UK and EU, primarily for outbound email (Resend, US) and AI classification (Anthropic via Vercel AI Gateway, US). Where this happens, the transfer is covered by the Standard Contractual Clauses or an equivalent safeguard. The AI classifier sub-processors operate under zero-data-retention terms, meaning submission content is processed in memory and not persisted on their servers.
Security
We use standard practices: HTTPS in transit, encryption at rest for the OAuth token, row-level security on the database, and least-privilege access for any human operator.
Changes to this policy
If we make material changes, we will update the “Last updated” date below and notify you via the in-app dashboard. Continued use of FormFence after the update means you accept the revised policy.