Smart Form Builder by TiwaaData Processing
Last updated: April 25, 2026
This page describes how Tiwaa processes data on behalf of merchants who use Smart Form Builder, in accordance with the GDPR (as data processor) and CCPA. It supplements our Privacy Policy.
1. Roles
In the context of GDPR:
- You (the merchant) are the data controller for your customers' personal data, including any data submitted through forms you publish.
- Tiwaa is a data processor acting on your instructions when we receive form submissions, store them, and forward them to the integrations you configure. We are also a data controller for data we hold directly (shop settings, billing records).
2. Data We Process
The table below lists every category of data we hold or process:
| Category | Data | Purpose | Retention |
|---|---|---|---|
| Shop identity | Shop domain (e.g. mystore.myshopify.com) | Identify and namespace per-merchant data | Until uninstall + 30 days |
| Authentication | Shopify offline access token (encrypted) | Webhook processing and Admin API calls | Until uninstall + 48 hours |
| Form configurations | Field definitions, validation rules, theme, integrations | Render forms on storefront and process submissions | Until form deletion or uninstall + 30 days |
| Form submissions | Customer-submitted form data and uploaded files | Surface in merchant dashboard, fan out to integrations the merchant configured (webhook, Klaviyo, Slack, etc.) | Until merchant deletes the submission, the form, or uninstalls + 30 days |
| Submission metadata | IP address, user agent, referrer, country, UTM params | Spam protection, analytics, abuse investigation | Same as the submission |
| Billing state | Active plan name, installation timestamp, monthly submission counters | Trial tracking, plan gating, usage limits | Until uninstall + 30 days |
3. Sub-processors
We engage the following sub-processors. All are bound by data processing agreements consistent with GDPR requirements:
| Sub-processor | Purpose | Location | Privacy policy |
|---|---|---|---|
| Shopify Inc. | Merchant authentication, billing, webhook delivery, customer creation | Canada / USA | View policy |
| Cloudflare, Inc. | App hosting (Workers, Pages), database (D1), file storage (R2), KV cache, Turnstile spam protection | USA (global edge) | View policy |
| Anthropic PBC | AI form generator (Pro plan only) — prompts forwarded via Cloudflare AI Gateway. Form prompts are not used to train models. | USA | View policy |
We will notify you of any new sub-processors by updating this page and revising the "Last updated" date at least 10 days before the new sub-processor begins processing.
4. Merchant-configured integrations
When you turn on an integration on a form (Klaviyo, Mailchimp, Google Sheets, Slack, generic webhook, etc.), submission data is forwarded to that destination at submit time. Those destinations become independent data processors / controllers as governed by their own privacy policies. You are responsible for ensuring your customers consent to data sharing with the integrations you enable.
5. International Transfers
Data may be processed in the United States (Cloudflare, Shopify, Anthropic) and Canada (Shopify). Cloudflare and Anthropic participate in the EU–US Data Privacy Framework. Shopify's international transfers are covered by Standard Contractual Clauses.
6. GDPR Webhook Processing
We implement all mandatory Shopify GDPR webhooks:
customers/data_request— we search submissions for any matching customer identifier and provide an export within 30 days.customers/redact— submissions tied to the customer identifier are scrubbed within 30 days.shop/redact— all shop data (forms, submissions, files, sessions) deleted within 30 days of receipt.
7. Security Measures
- All data in transit encrypted with TLS 1.2+.
- Shopify access tokens encrypted at rest in Cloudflare D1.
- File uploads scoped to the merchant's R2 prefix and validated against per-field MIME and size rules.
- Anti-spam: Cloudflare Turnstile + honeypot field; rate limiting per IP.
- API endpoints require a shared secret header (
X-Platform-Key) in addition to OAuth session verification. - Dependency audits run on every deployment; high/critical CVEs block release.
8. Contact
Data processing enquiries: tiwaaoffical@gmail.com