Processor and controller roles
The merchant is generally the controller of customer data. Valyn acts as a processor when handling customer emails and Shopify order data on behalf of the merchant.
Processing purpose
Processing is limited to detecting order support requests, identifying Shopify orders, sending automated replies, and maintaining operational logs.
Categories of data
- Merchant shop and installation data.
- Customer email address and email content forwarded by the merchant.
- Shopify order metadata and tracking information.
- SMTP settings and encrypted credentials.
Sub-processors
Current infrastructure uses Shopify, Vercel, and Amazon Web Services (including Amazon Bedrock for AI email-intent classification, processed within the AWS region and not used for model training). Material changes to sub-processors will be disclosed to merchants.
Security controls
Valyn uses access control, encrypted SMTP credentials, HTTPS endpoints, webhook validation, limited Shopify permissions, and operational logging.
Data deletion
Data is deleted through Shopify privacy webhooks, uninstall processing, and merchant support requests where applicable.
International transfers
Hosting and infrastructure process data in the regions used by the listed processors, including the United States (Vercel and AWS us-east-1). Where personal data is transferred outside Switzerland or the EEA, the transfer relies on recognized safeguards such as the European Commission's Standard Contractual Clauses, supplemented as required by Swiss data protection law (FADP).
Breach notification
Valyn will notify affected merchants without undue delay after becoming aware of a personal data breach affecting their data.
Audit and contact process
Merchants can contact support for security, privacy, and processing questions. Formal audit arrangements are available on request.