App Privacy

ERPClaw for Shopify Privacy

Effective date: April 24, 2026

How our Shopify app handles merchant data. Designed to process as little as possible.

Plain-language summary

ERPClaw for Shopify is a free, open-source connector. Your orders, customers, products, and financial data are pulled by your self-hosted ERPClaw directly from Shopify and never pass through our servers.

Data controller: AvanSaber Inc., United States
Parent privacy policy: avansaber.com/privacy
Terms of service: avansaber.com/terms

1 What the App Does

ERPClaw is a self-hosted ERP. It runs on a server or computer that you control — not on our infrastructure. The Shopify App you install from the App Store is a thin pairing surface. Its only jobs are:

  1. Complete the OAuth handshake with Shopify.
  2. Give you a one-time pairing code so your self-hosted ERPClaw can identify itself.
  3. Render a small status card inside your Shopify admin showing whether your ERPClaw instance is online and syncing.

Your Shopify orders, customer records, products, transactions, and financial data never pass through our servers. They are pulled by your self-hosted ERPClaw directly from the Shopify Admin API, using access tokens stored on your own machine, and they stay on your own machine.

2 Personal Data We Process

The App's Cloudflare Worker (hosted at shopify.erpclaw.ai) processes only the following:

| Category | Specific fields | Purpose |
|---|---|---|
| Shop identifiers | shop_domain (e.g. example.myshopify.com), shop ID, shop name, shop owner email, shop country | Required to complete the Shopify OAuth handshake and to route status pushes to the correct admin UI. |
| OAuth tokens | Shopify offline access token (scoped: read_orders, read_customers, read_products) | Forwarded once to your self-hosted ERPClaw during pairing; not retained by us after pairing. |
| Pairing credentials | A 6-character pairing code and a transient JWT. | Allows your ERPClaw to prove it's the one you're trying to connect. |
| Operational status blob | ERPClaw version string, timestamp of last sync, count of orders synced in last 24h, count of GL entries posted in last 24h, integer error count, ERPClaw's local URL (e.g. http://localhost:8000). | Displayed in the status card inside your Shopify admin so you can see at a glance that your ERPClaw is alive. |

We do not process, store, or have visibility into: individual customer names, emails, phone numbers, addresses, order contents, line items, payment details, refund amounts, product data, inventory, or financial records. Those stay on your self-hosted ERPClaw instance.

3 How We Use the Data

  • Shop identifiers are used to authenticate you, render your admin UI, and to know where to send the status card.
  • OAuth tokens are forwarded once to your ERPClaw during the pairing handshake and deleted from our Worker within 60 seconds. After that, your ERPClaw holds the token directly and talks to Shopify without going through us.
  • Pairing codes are deleted automatically 10 minutes after creation, or immediately upon successful pairing.
  • Status blobs are displayed in your admin UI and overwritten on every push (typically every 5–15 minutes). Old blobs are rotated out after 24 hours.

We do not sell data. We do not share data with advertisers. We do not run analytics on merchant data. We do not use merchant data to train AI models.

4 Retention

| Data | Retention |
|---|---|
| Shop domain and install metadata | Until you uninstall the App, then deleted within 48 hours (per Shopify's shop/redact webhook). |
| OAuth access token | Deleted from our Worker within 60 seconds of pairing handoff; on uninstall, the token is revoked by Shopify. |
| Pairing code | 10 minutes, or until pairing completes (whichever is sooner). |
| Status blob | Most recent blob kept for display; rotated out after 24 hours. |
| Worker request logs (IP, path, status) | 7 days, for abuse and debugging only. |

5 GDPR Mandatory Webhooks

Shopify requires every app to implement three compliance webhooks. Here is exactly how our Worker handles each.

customers/data_request

Shopify sends this when a customer (a shopper of one of our merchants) exercises their GDPR right of access. We do not hold any customer data — the App never receives customer records. The Worker logs the request, responds HTTP 200, and emails [email protected] a notification so we can confirm in writing to Shopify and to the merchant that no such data exists on our side. If the merchant's self-hosted ERPClaw holds relevant records, the merchant is the data controller for that data and must fulfil the request from their own instance.

customers/redact

Same handling: we hold no customer data, so there is nothing to redact on our side. The Worker logs the event and returns HTTP 200. A notification is forwarded to the merchant's support contact so they can run the equivalent redaction on their self-hosted ERPClaw if they have not already.

shop/redact

Fired 48 hours after a merchant uninstalls. On receipt the Worker:

  1. Deletes the shop's row from the Cloudflare KV namespace (shops, pairings, status).
  2. Purges any remaining status blobs.
  3. Logs a redaction audit event with only the shop domain and timestamp (no content), retained for 1 year for compliance evidence.
  4. Returns HTTP 200.

All three webhooks verify the X-Shopify-Hmac-Sha256 signature against our shared secret before any processing. Unsigned or mis-signed requests are rejected with HTTP 401.
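
The signature check described above, sketched as an added example (not AvanSaber's code). It uses Node's crypto module rather than the Workers Web Crypto API; the handler shape, the secret, and the sample payloads are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Shopify sends base64(HMAC-SHA256(shared secret, raw request body))
// in the X-Shopify-Hmac-Sha256 header.
function verifyShopifyHmac(rawBody, headerValue, secret) {
  if (typeof headerValue !== "string" || headerValue.length === 0) return false;
  const expected = nodeCrypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(headerValue, "base64");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return nodeCrypto.timingSafeEqual(received, expected);
}

// Hypothetical handler: verify over the exact bytes received, then parse.
function handleComplianceWebhook(request, secret) {
  const sig = request.headers["x-shopify-hmac-sha256"];
  if (!verifyShopifyHmac(request.rawBody, sig, secret)) {
    return { status: 401, processed: false }; // unsigned or mis-signed
  }
  const payload = JSON.parse(request.rawBody.toString("utf8"));
  return { status: 200, processed: true, shop: payload.shop_domain };
}

// Constructed sample input (not real data).
const SAMPLE_SECRET = "constructed-test-secret";
const SAMPLE_BODY = Buffer.from('{"shop_id":1,"shop_domain":"example.myshopify.com"}');

function sign(body, secret) {
  return nodeCrypto.createHmac("sha256", secret).update(body).digest("base64");
}

// Returns the status for: valid, unsigned, wrong key, body altered after signing.
function runSamples() {
  const goodSig = sign(SAMPLE_BODY, SAMPLE_SECRET);
  const altered = Buffer.from('{"shop_id":1,"shop_domain":"other.myshopify.com"}');
  const requests = [
    { headers: { "x-shopify-hmac-sha256": goodSig }, rawBody: SAMPLE_BODY },
    { headers: {}, rawBody: SAMPLE_BODY },
    { headers: { "x-shopify-hmac-sha256": sign(SAMPLE_BODY, "wrong-secret") }, rawBody: SAMPLE_BODY },
    { headers: { "x-shopify-hmac-sha256": goodSig }, rawBody: altered },
  ];
  return requests.map((r) => handleComplianceWebhook(r, SAMPLE_SECRET).status);
}
```

The comparison is made on decoded bytes with a constant-time function, and the JSON body is parsed only after the signature over the raw bytes has been accepted.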

6 Sub-processors

| Sub-processor | Role | Location |
|---|---|---|
| Cloudflare, Inc. | Workers runtime, KV storage, Pages hosting, DNS. | Global edge network; primary region: United States. |

We use no other sub-processors. We do not use a database, email provider, analytics vendor, or CRM that touches merchant data.

7 Data Location

Data processed by the Worker is stored in Cloudflare KV, which is replicated across Cloudflare's global edge network. Cloudflare is certified under the EU–US Data Privacy Framework and offers Standard Contractual Clauses. Because the data we hold is limited to shop identifiers and operational counters (no customer data, no order content), cross-border transfer risk is low.

The merchant's actual business data — orders, customers, products, financial records — is stored on the merchant's own self-hosted ERPClaw instance, in whichever jurisdiction the merchant chooses to run it. That data never enters Cloudflare.

8 Security

  • All traffic uses TLS 1.2+.
  • OAuth tokens are encrypted at rest using Cloudflare KV's at-rest encryption and are held for no more than 60 seconds after pairing handoff.
  • Status push endpoints require a bearer token issued during pairing; unauthenticated pushes are rejected.
  • GDPR webhook endpoints verify HMAC signatures on every request.
  • We follow responsible-disclosure practices: security reports to [email protected] are acknowledged within 48 hours.

9 Your Rights

If you are a merchant using the App, you can at any time:

  • Uninstall the App from your Shopify admin — this triggers shop/redact and deletes your data within 48 hours.
  • Email [email protected] to request access, deletion, or rectification of the limited data we hold (your shop domain and status blob).
  • Export your ERPClaw data at any time from your self-hosted instance, which we do not control.

10 Changes to this Policy

Material changes will be announced on the App listing and by email to the shop owner address we have on file. The current version is always available at https://www.avansaber.com/privacy-shopify. The parent AvanSaber Inc. privacy policy at https://www.avansaber.com/privacy and terms of service at https://www.avansaber.com/terms apply to all AvanSaber products.

11 Contact

AvanSaber Inc.
Email: [email protected]
Security: [email protected]
Support: [email protected]
