Summary: FlashManager is a B2B SaaS platform for Shopify merchants. We process data on behalf of our merchant customers to provide order management, delivery automation, and messaging services. We do not sell your data to third parties.
1. Who We Are
FlashManager is a product of WEB Univers LLC(“we,” “our,” or “us”), and operates the platform at platform.flash-manager.com and the marketing website at www.flash-manager.com. FlashManager is a software-as-a-service (SaaS) platform that helps Shopify merchants connect with local delivery companies, automate WhatsApp messaging, and manage their e-commerce operations.
For questions about this Privacy Policy, contact us at privacy@web-univers.com.
2. Data We Collect
2.1 Account Data
When you create a FlashManager account, we collect:
- Full name and email address
- Password (stored as a bcrypt hash — never in plaintext)
- Profile image (stored in Supabase Storage)
- Account role (owner, admin, or agent)
- Account creation date and login timestamps
If you sign up via Google or Facebook OAuth, we receive your name, email, and profile photo from those providers. We do not receive your social media passwords.
2.2 Shopify Store Data
When you connect a Shopify store, FlashManager accesses the following data via the Shopify API with your explicit authorisation:
- Orders: order ID, customer name, shipping address, phone number, line items, total price, payment status, fulfilment status
- Products: product title, variants, SKUs, images, prices
- Customers: name, email, phone number, address
- Shop: shop name, domain, currency, timezone, owner email
This data is stored in our database (Supabase/PostgreSQL) scoped to your account and is used solely to provide the FlashManager service.
2.3 WhatsApp Business Data
When you connect your WhatsApp Business account via Meta Cloud API or Embedded Signup, we store:
- Your WhatsApp Business Account ID (WABA ID) and Phone Number ID
- Your Meta access token (encrypted at rest) for sending messages
- Outgoing message content and delivery status
- Incoming messages from your customers (sender phone, body, timestamp)
- WhatsApp message template names and approval status
2.4 Meta Ads Data
When you connect your Meta Ads account via OAuth, we access and store:
- Ad account name, ID, currency, and timezone
- Campaign, ad set, and ad performance metrics (impressions, clicks, spend, reach)
- Long-lived Meta access token (encrypted at rest)
We use this data to calculate your real ROAS by correlating ad spend with fulfilled Shopify orders. We do not access your Meta personal profile or non-advertising data.
2.5 Delivery Company Data
When you connect delivery companies (e.g. Yalidine, ZR Express), we store the API credentials you provide (API keys, tokens). These are stored encrypted and used only to create and track parcels on your behalf.
2.6 Team & Operational Data
- Team member names, email addresses, and roles
- Order assignments and commission records
- Internal expense records you enter (amounts, categories, dates)
- Support tickets and attached images
2.7 Technical & Usage Data
- IP address and approximate location (country/region)
- Browser type, operating system, and device type
- Pages visited and features used within the platform
- Server access logs (retained for 90 days)
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the FlashManager service | Contract performance |
| Syncing and displaying your Shopify orders and products | Contract performance |
| Sending WhatsApp messages to your customers on your behalf | Contract performance / Legitimate interest |
| Calculating your ROAS from Meta Ads data | Contract performance |
| Creating parcels with delivery companies | Contract performance |
| Managing your team members and commissions | Contract performance |
| Sending service emails (account setup, billing) | Contract performance |
| Detecting and preventing fraud or abuse | Legitimate interest |
| Improving the platform and fixing bugs | Legitimate interest |
| Complying with legal obligations | Legal obligation |
4. Data Sharing & Third Parties
We do not sell your personal data. We share data only as necessary to provide the service:
- Shopify Inc. — We are an authorised Shopify Partner and use the Shopify API under their API terms. Data processed under Shopify's DPA.
- Meta Platforms, Inc. — WhatsApp Cloud API and Meta Ads Graph API. Data processed under Meta's platform terms and Business Data Processing Terms.
- Supabase Inc. — Database hosting (PostgreSQL) and file storage. Data is stored in EU-region servers. Supabase is SOC 2 Type II certified.
- Delivery companies (Yalidine, ZR Express, Ecom Delivery, etc.) — We transmit only the shipment data needed to create parcels (customer name, phone, address, package details).
- Law enforcement / legal authorities — Only when required by applicable law, court order, or to protect our legal rights.
5. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account closure upon request.
- Shopify order data: Retained for the duration of your subscription plus 12 months, or until you request deletion or disconnect the store.
- WhatsApp messages: Retained for 12 months, then automatically purged.
- Meta Ads data: Campaign metrics retained for 24 months. Access tokens deleted immediately upon disconnection.
- Server logs: Retained for 90 days.
6. Your Rights (GDPR & Applicable Laws)
If you are located in the EU, EEA, UK, or other jurisdictions with applicable privacy laws, you have the right to:
- Access — Request a copy of the personal data we hold about you.
- Rectification — Correct inaccurate or incomplete data.
- Erasure — Request deletion of your personal data (“right to be forgotten”).
- Restriction — Request that we limit processing of your data.
- Portability — Receive your data in a structured, machine-readable format.
- Objection — Object to processing based on legitimate interests.
- Withdraw consent — Where processing is based on consent, you may withdraw it at any time.
To exercise any right, email privacy@web-univers.com. We will respond within 30 days. For data deletion instructions, see our Data Deletion page.
7. Cookies
We use essential cookies to keep you logged in (JWT session token) and remember your language preference. We do not use advertising cookies on the FlashManager platform. See our Cookie Policy for details.
8. Data Security
- All data is transmitted over TLS 1.2+ (HTTPS)
- API keys and access tokens are stored encrypted at rest
- Passwords are hashed using bcrypt (cost factor 12)
- Access to production data is restricted to authorised personnel only
- Regular security reviews and dependency updates
9. International Transfers
FlashManager serves merchants across multiple markets. Our infrastructure uses Supabase (EU region) and Contabo (Germany) servers. International data transfers are subject to appropriate safeguards including Standard Contractual Clauses (SCCs) where applicable.
10. Children's Privacy
FlashManager is a business platform intended for merchants aged 18 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with data, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of significant changes by email or in-platform notification. Continued use of FlashManager after the effective date constitutes acceptance of the updated policy.
12. Contact Us
For any privacy-related questions, requests, or complaints:
- Email: privacy@web-univers.com
- Website: www.flash-manager.com