Privacy and data

What FormFence collects, what it stores, where, how long for, and how to exercise your rights.

This page is the merchant-facing summary. The full legal document, with the precise wording required for compliance, lives at harbourlabs.app/apps/formfence/privacy. If anything below disagrees with that page, the legal page is the source of truth.

What we collect

From you (the merchant)

  • Your shop's myshopify.com domain
  • The OAuth access token Shopify issues at install (encrypted at rest)
  • Your settings: support email, business name (if you set one), sensitivity level
  • A randomised seed used to generate your shop's honeypot field name

From each contact-form submission

  • The submitter's name, email, phone (when the merchant enables the phone field), subject, and message body (the body is truncated to 5 KB)
  • The verdict (passed or blocked) and which rules matched
  • A SHA-256 hash of the submitter's IP address
  • The raw IP address (kept for 7 days, then automatically scrubbed)
  • A geo-IP lookup of the submitter IP at submit time (country, region, city). This lookup happens locally against a bundled MaxMind GeoLite2 dataset, so no request is sent to a third party. The resolved location is stored on the row so it survives the 7-day raw-IP scrub. You see "London, United Kingdom" in the admin, not the IP itself.
  • The timestamp

The text content is stored as-is so you can read genuine enquiries in the Passed log and review what was blocked. It's never sold, never shared with anyone outside the sub-processors listed below, and never used to train any machine-learning model.

From borderline cases sent to the AI classifier

When the rule-based detection layers can't decide whether a submission is spam, FormFence sends the message (name, email, subject, body) to Anthropic Claude Haiku via Vercel AI Gateway for a second-opinion classification.

  • Only borderline submissions trigger this. Messages clearly caught or cleared by the rules never reach the AI.
  • Both Anthropic and Vercel AI Gateway operate under zero-data-retention terms. The message is processed in memory and not stored on their servers.
  • The classifier blocks only when at least 70% confident the submission is spam.
  • Each shop can opt out of the AI classifier on the Settings page. With it off, only rule-based detection runs and no submission text is ever sent to the AI provider.
  • Each submission's detail pane shows whether the AI was consulted, what it returned, and at what confidence so you can audit per row.

From your use of the dashboard

We log uncaught application errors via Sentry. Error reports contain no submission content. They may include your shop domain and the request path so we can debug.

Where the data lives

| Provider | What it does | Region |
|---|---|---|
| Shopify | App platform, OAuth, billing | Global |
| Vercel | App hosting, serverless functions | EU (Stockholm) |
| Supabase | Postgres database | EU (Stockholm) |
| Resend | Outbound email replies | US |
| Sentry | Error monitoring | EU (Stockholm, eu-north-1) |
| Vercel AI Gateway | Routing layer for AI classifier requests. Zero data retention | US (nearest edge) |
| Anthropic | AI classifier (Claude Haiku) for borderline-spam classification. Zero data retention | US |

The US-based sub-processors are Resend, Vercel AI Gateway, and Anthropic. Each transfer is covered by the Standard Contractual Clauses. The AI sub-processors are only used when the classifier is enabled for a shop (default on; opt-out from the Settings page) and only receive submissions the rules couldn't decide on.

How long we keep it

| Data | Retention |
|---|---|
| Shop OAuth token + settings | Until you uninstall |
| Raw submitter IP | 7 days |
| Hashed submitter IP | Same as the submission row |
| Passed submissions | 30 days |
| Blocked submissions | 10,000 most-recent per shop. Older rows are pruned. |
| Reply records (Resend) | Same as the parent submission (cascade delete) |

When you uninstall, Shopify fires the app/uninstalled webhook and we delete every row for your shop. See Uninstall for the full timeline.

Customer-data requests (Shopify mandatory webhooks)

FormFence handles all three of Shopify's mandatory data-protection webhooks:

  • customers/data_request: when a customer of yours requests a copy of their data, Shopify forwards the request to us. We respond with any submissions FormFence has from that customer's email address.
  • customers/redact: when a customer requests deletion, we permanently delete every submission matching that customer's email address or phone number across your shop's logs.
  • shop/redact: 48 hours after the app is uninstalled, Shopify forwards a final delete request. Any residual data is erased at that point.

You don't have to do anything to trigger these. They happen automatically when Shopify forwards the request.

Your rights (UK GDPR / EU GDPR)

If you're a UK or EU resident, you have the right to:

  • Access the personal data we hold about you
  • Have inaccurate data corrected
  • Have your data erased
  • Restrict or object to processing
  • Data portability

To exercise any of these, email formfence@harbourlabs.app. We respond within 30 days.

Security

Standard practices: HTTPS in transit, encryption at rest for the OAuth token, row-level security on the database, least-privilege access for any human operator.
