Privacy Policy

Last Updated: May 24, 2026

Short version: ClickSync securely handles merchant configurations and sync maps. We process store webhook payloads (orders, customers, refunds, checkouts, fulfillments) strictly to populate tasks in your mapped ClickUp lists. Your ClickUp API tokens are fully encrypted at rest using industry-standard AES-256-GCM. We never share your store or customer data with third parties.

Loopstates ("we", "us", "our") built ClickSync as an embedded Shopify application. This policy details what data is processed, how it is secured, and the mechanisms used to connect your Shopify store and ClickUp Workspace.

Data Processing & Storage

ClickSync processes store payloads on demand when event webhooks trigger. To perform synchronization, our app acts as a secure transit bridge between Shopify and ClickUp:

  • ClickUp API Access Tokens: To create tasks and fetch workspace lists on your behalf, we obtain an OAuth access token from ClickUp. This token is instantly encrypted using AES-256-GCM in our database and decrypted only when initiating active sync requests to ClickUp.
  • Shopify Data (Orders, Customers, Draft Orders, Refunds, Checkouts, Fulfillments): We receive event payloads from Shopify's webhooks. We read only the fields mapped by your rules (e.g. customer name, email, order total, product names, fulfillment status) to generate corresponding ClickUp tasks. We do not maintain a permanent database of your customers or orders.
  • Sync Logs: To help you troubleshoot and trace sync events, we store execution logs (sync status, timestamp, ClickUp task URL, and any API error messages) for up to 7 days, after which they are automatically pruned.

Security & Token Protection

We prioritize the protection of your merchant credentials and data:

  • Cryptographic Encryption: Tokens are encrypted with AES-256-GCM at rest. The master decryption key is managed securely in the app environment and is never logged or exposed.
  • HMAC Signature Verification: Every request and webhook originating from Shopify is cryptographically verified using HMAC SHA-256 headers before processing to ensure the request is genuine.
  • Safe Communication: All transfers between Shopify, our servers, and ClickUp's API endpoints are encrypted in transit via Transport Layer Security (TLS 1.3 / HTTPS).

GDPR & Data Subject Rights

ClickSync is fully compliant with Shopify's mandatory GDPR framework. We support the following webhooks:

  • Customer Data Request (customers/data_request): Allows merchants to request customer record details. We log these for manual verification and support extraction.
  • Customer Redaction (customers/redact): Triggers deletion of any temporary queue logs matching the customer.
  • Shop Redaction (shop/redact): Deletes all session mappings, configuration settings, and ClickUp connection tokens within our database if the app is uninstalled.

Shopify Billing

All transactions, subscription billing, and plan upgrades are handled exclusively via the Shopify Billing API. ClickSync does not collect, process, or store credit card details or bank credentials.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us at [email protected].