Smart Form Builder by Tiwaa
Privacy Policy
Last updated: April 25, 2026
This Privacy Policy explains how Tiwaa ("we", "us", "our") collects, uses, and protects data when you install and use Smart Form Builder (the "App") on your Shopify store.
1. Data We Collect
We collect only the minimum data needed to operate the App:
- Shop domain — to identify your store and namespace your forms and submissions.
- Shopify session token — to authenticate API requests. Tokens are short-lived and never persisted beyond the session.
- Offline access token — encrypted at rest, used for background tasks such as webhook processing and theme extension deployment.
- Form configurations — fields, labels, validation rules, theme, and integration settings you configure.
- Form submissions — data submitted by your customers through forms you publish, including any files they upload (stored in Cloudflare R2). Treated as your data; we never use it for our own purposes.
- Installation timestamp (installed_at) — used solely to calculate your free-trial remaining days.
- Active plan — the plan tier you have selected (Free trial, Basic, or Pro).
Customer PII contained in submissions (names, emails, phone numbers, etc.) is collected only because you, the merchant, ask your customers for it via the forms you publish. You are the controller for this data; we are the processor.
2. How We Use Your Data
- Authenticate and authorize your use of the App.
- Render and serve form blocks on your storefront.
- Receive submissions, store them, and surface them in your dashboard.
- Send notifications, autoresponders, and integration payloads (webhook, Klaviyo, Mailchimp, Slack) you configure on a per-form basis.
- Process billing through the Shopify Billing API.
- Respond to GDPR and CCPA data subject requests.
- Send transactional emails (e.g., trial expiry reminders) to the store-owner email address on file in Shopify — never marketing emails without explicit consent.
3. Data Sharing
We do not sell, rent, or trade your data. Data is shared only with:
- Shopify — as required to operate an embedded Shopify app (authentication, billing, webhooks, customer creation when you opt in).
- Cloudflare — our infrastructure provider (Workers, Pages, D1 database, R2 storage, Turnstile). GDPR-compliant data processor.
- Optional integrations you enable — when you turn on a webhook, Klaviyo, Mailchimp, Google Sheets, or Slack integration on a form, submission data is forwarded to that destination at submit time. You control what's enabled per form.
4. Data Retention
- Forms, submissions, and shop settings are retained while your store has the App installed.
- Upon receiving an app/uninstalled webhook, all shop data (forms, submissions, files in R2, sessions, plan info) is deleted within 48 hours.
- Upon receiving a shop/redact webhook (typically 48 hours after uninstall), any remaining shop data is permanently deleted within 30 days.
- Customer data subject requests (customers/data_request, customers/redact) are processed within 30 days.
5. Your Rights
You may request access to, correction of, or deletion of your shop's data at any time by emailing tiwaaoffical@gmail.com. We will respond within 30 days.
If you are located in the European Economic Area, you have additional rights under the GDPR including the right to data portability and the right to lodge a complaint with a supervisory authority.
6. Security
All data is transmitted over TLS 1.2+. Offline access tokens are encrypted at rest. File uploads are scanned for size and MIME-type compliance. We conduct periodic dependency audits and apply security patches promptly.
7. Changes to This Policy
We will update this page and revise the "Last updated" date for any material change to data handling practices. Continued use of the App after a material change constitutes acceptance of the updated policy.
8. Contact
Questions about this policy? Email us at tiwaaoffical@gmail.com.