Effective Date: April 22, 2026
This Privacy Policy describes how MockupFlowAI ("we", "us", "our") handles information when you use our desktop application and website.
MockupFlowAI is a local desktop application. It runs entirely on your machine. We are committed to minimal data collection. The core application does not require an internet connection to function, except when communicating with third-party APIs that you configure yourself (e.g., Etsy OAuth, cloud storage).
All processing happens on your computer:
To validate your software license, we collect:
This data is sent to our licensing server (Supabase) and is the only data that leaves your machine to our servers.
When you purchase a license, payment is processed by Lemon Squeezy (our merchant of record, powered by Stripe). They collect your name, email, billing address, and payment method. We receive your name, email, and order details (product, amount, date) but never your full credit card number or PayPal credentials. This data is used to provision your license and send purchase receipts.
If you submit your email via our website waitlist form, we collect your email address via Web3Forms. This is used solely to notify you about product availability. You can unsubscribe at any time.
We do not collect, transmit, or store:
How uploads work: When you publish a listing, your design files and listing content are transmitted directly from your device to the destination platform (Etsy, Shopify, Printify, or Gelato) using your own OAuth token or API key. MockupFlowAI servers never receive, proxy, cache, or store your artwork, listing text, or any platform content. All uploads go directly between your machine and the platform's API endpoint.
MockupFlowAI integrates with third-party services that have their own privacy policies. When you use these integrations, data flows directly between your machine and the third-party service:
All purchases are processed by Lemon Squeezy (powered by Stripe), which acts as our merchant of record. When you purchase a license, Lemon Squeezy collects your payment information (credit card, PayPal), billing address, email, and name. We do not have access to your full payment details. See Lemon Squeezy Privacy Policy and Stripe Privacy Policy.
The following services are accessed directly from your machine using your own credentials:
When you provide your own API keys for optional AI features (design generation, SEO writing), the Software connects directly from your machine to the AI provider you have configured. MockupFlow does not proxy, store, or log these requests — the design prompt or text payload goes from your device straight to the provider’s endpoint, and the response returns to your device. AI providers supported via “bring your own key”:
You are responsible for reviewing the privacy policies of any third-party AI services you choose to connect, and for ensuring your own use of those services complies with the rights of third parties whose content you may submit as inputs.
All API keys and OAuth tokens are:
You are responsible for the security of your own API keys. We recommend keeping your database backups in a secure location.
When you connect your Etsy shop via OAuth, MockupFlowAI accesses certain Etsy data to provide its services. With respect to this data, MockupFlowAI acts as a service provider (data processor) to you, the Etsy seller (data controller), and processes such data solely to fulfill the services described in our Terms of Service.
MockupFlow connects to Etsy’s Open API v3 using OAuth 2.0 with PKCE. The exact scope string sent during authorization is:
listings_r listings_w listings_d shops_r transactions_r transactions_w
Each scope is the minimum required to support a specific feature. The table below documents what every scope grants and why it is requested.
| Scope | What It Grants | Why MockupFlow Needs It |
|---|---|---|
| listings_r | Read the shop’s listings (titles, descriptions, tags, prices, images, inventory, variations). | Powers the Listing Health Score, SEO Optimizer, Cross-Listing, Repricing Engine, and Listing Snapshots features, which analyse existing listings and propose improvements. |
| listings_w | Create draft listings and update existing listings (titles, descriptions, tags, prices, images, inventory, variations). | Powers the Launch Pad publisher, One-Click Pipeline, Composer bundle publish, and Bulk Editor. Every new listing is created as a draft; nothing goes live until you manually publish it from the Etsy Seller Dashboard. |
| listings_d | Delete listings from the shop. | Powers the Bulk Editor cleanup workflow and the “Undo publish” safety net for removing a draft listing created in error. Deletions are always initiated by you; MockupFlow never deletes listings automatically. |
| shops_r | Read the shop profile (shop name, shop ID, sections, policies, shipping profiles, return policies, production partners, taxonomy). | Required to route listings to the correct shop, to pre-fill shipping profiles and return policies when creating drafts, and to match Etsy taxonomy IDs during SEO optimisation. |
| transactions_r | Read orders and shipping receipts for the shop. | Powers the Unified Orders dashboard, Revenue Analytics, and Packing Slip generation. Order data is used solely to display your own orders back to you. |
| transactions_w | Update order/receipt records — specifically, add tracking numbers and mark receipts as shipped. | Powers the Gelato → Etsy shipment sync and the manual “Mark as shipped” action. Writes are limited to tracking/fulfilment fields; MockupFlow does not modify prices, buyer details, or payment status. |
Scopes we do NOT request: MockupFlow does not request elevated scopes such as email_r, profile_r, profile_w, favorites_r, favorites_w, feedback_r, recommend_r, recommend_w, address_r, address_w, billing_r, or cart_r. No buyer profile information, addresses, or billing data is accessed beyond what is strictly necessary for fulfilment.
All Etsy data accessed through the API is stored exclusively on your local machine in the application's SQLite database. We do not transmit, copy, or store Etsy data on our servers. OAuth tokens are encrypted at rest using Fernet symmetric encryption.
In compliance with the Etsy API Terms of Use:
Cached data is refreshed from the Etsy API on subsequent access after expiration.
You can revoke MockupFlow’s access at any time, either from inside the application (Settings → Integrations → Etsy → Disconnect) or directly from your Etsy account at etsy.com/your/apps. Upon disconnection:
In the unlikely event that any Etsy member data accessed via the API is compromised or suspected to be compromised, we will promptly notify Etsy at dpo@etsy.com and the affected Etsy seller within 24 hours of discovery.
To help you create listings that meet Etsy's Seller Policy and Intellectual Property Policy, MockupFlowAI runs the following checks locally on your machine before you publish:
These checks run entirely on your device — no listing data is transmitted to MockupFlowAI servers during screening. The features are tools to assist compliance; final responsibility for listing content remains with you as the seller.
When you connect your Shopify store via OAuth, MockupFlowAI accesses certain Shopify data to provide its services. With respect to this data, MockupFlowAI acts as a service provider (data processor) to you, the Shopify merchant (data controller), and processes such data solely to fulfill the services described in our Terms of Service.
MockupFlow connects to Shopify’s Admin GraphQL API using OAuth 2.0. The exact scope string sent during authorization is:
write_products, read_orders, write_inventory, write_merchant_managed_fulfillment_orders
Each write_* scope implicitly grants its read_* counterpart. The table below documents what every scope grants and why it is requested.
| Scope | What It Grants | Why MockupFlow Needs It |
|---|---|---|
| write_products | Create, update, and delete products, variants, options, media, collections, and product metafields. | Core publishing flow. Launch Pad, One-Click Pipeline, Composer bundle publish, and Bulk Editor all create draft products in your Shopify store. MockupFlow also writes SEO metafields and size-chart metafields onto the products it creates. |
| read_orders | Read order data and the fulfillment orders attached to each order. | Powers the Unified Orders dashboard (Shopify orders shown alongside Etsy, Printify, Gelato) and Revenue Analytics. Required for routing new orders to print providers. No order mutations are performed — write_orders is intentionally NOT requested. |
| write_inventory | Update on-hand stock levels for variants at the merchant’s locations. | Syncs stock-outs reported by Printify/Gelato back to Shopify so customers see accurate availability. Also used by the Bulk Editor when you manually adjust inventory. |
| write_merchant_managed_fulfillment_orders | Create fulfillments and update tracking information for orders the merchant fulfills themselves. | Modern replacement for legacy write_fulfillments. Marks Shopify orders as shipped and pushes tracking numbers from Printify/Gelato so the customer receives the “your order shipped” email and the order leaves the “unfulfilled” state. The merchant retains fulfillment ownership; MockupFlow is not registered as a Shopify fulfillment service. |
Scopes we do NOT request: MockupFlow does not request payment, transaction, discount, theme, storefront, draft-order, marketing, or customer-list scopes. Customer PII reads are limited to the shipping name and address required to produce a print-on-demand label — never billing data, payment methods, or marketing preferences.
All Shopify data accessed through the API is stored exclusively on your local machine in the application’s SQLite database. We do not transmit, copy, or store Shopify data on our servers. OAuth access tokens are encrypted at rest using Fernet symmetric encryption.
You can revoke MockupFlow’s access at any time from inside the application (Settings → Integrations → Shopify → Disconnect) or directly from your Shopify admin under Settings → Apps and sales channels. Upon disconnection:
shop/redact compliance webhook (see §9.4) confirms removal of any remaining shop-side records 48 hours after uninstall.
Per the Shopify App Store requirements, MockupFlowAI is subscribed to three mandatory privacy/GDPR webhook topics. When Shopify or a merchant triggers one of these, our backend receives the request, verifies the HMAC-SHA256 signature against our application client secret, and either returns HTTP 200 within seconds (so Shopify does not retry) or HTTP 401 if the signature is invalid.
| Webhook Topic | Triggered When | What MockupFlowAI Does |
|---|---|---|
| customers/data_request | A customer of one of your stores asks for a copy of the personal data we hold about them. | We acknowledge receipt within 5 seconds and respond with the requested data within the Shopify-mandated 30-day SLA. Because MockupFlow stores customer data only on your local machine (not on our servers), the typical response confirms that no central record exists; if you have synced order data into your local cache, you are expected to retrieve and forward that data to the customer. |
| customers/redact | A customer asks the store owner to delete the personal data we hold about them, or the store owner asks on their behalf. | We acknowledge receipt within 5 seconds and complete the redaction within the Shopify-mandated 30-day SLA. The audit log row tracks the request; the operator then redacts matching rows in their local SQLite cache via the in-app redaction workflow (Settings → Compliance). |
| shop/redact | Sent 48 hours after a merchant uninstalls MockupFlowAI. Triggers permanent cleanup of any shop data we still hold. | We acknowledge receipt within 5 seconds and immediately purge any remaining shop-scoped tokens, cached metadata, and audit-log entries within the Shopify-mandated 30-day SLA. Because the desktop app already wipes everything on disconnect, this webhook typically completes near-instantly. |
Compliance webhook endpoints are publicly resolvable at https://mockupflow.ai/api/webhooks/shopify/{customers/data_request,customers/redact,shop/redact}. Each request is HMAC-verified before any audit row is written; invalid signatures return HTTP 401 and are not logged as compliance events. Audit records are retained for 7 years to demonstrate compliance with regulator audits and Shopify App Store policy.
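The verify-then-record order described above, as an added example (not MockupFlowAI's backend code): Shopify sends the signature base64-encoded in the X-Shopify-Hmac-Sha256 header, computed over the raw request body with the app's client secret. The function names, the in-memory audit list, and the sample secret and payload are constructed for illustration.

```python
import base64
import hashlib
import hmac


def sign(raw_body: bytes, client_secret: str) -> str:
    """Base64 HMAC-SHA256 of the raw body, the form carried in X-Shopify-Hmac-Sha256."""
    mac = hmac.new(client_secret.encode("utf-8"), raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def handle_webhook(topic, raw_body, header_hmac, client_secret, audit_log):
    """Return the HTTP status; write an audit row only after the signature verifies.

    raw_body must be the bytes exactly as received: re-serialising parsed JSON
    changes whitespace or key order and makes a genuine signature fail.
    """
    if not header_hmac:
        return 401  # missing header is treated the same as a bad signature
    expected = sign(raw_body, client_secret).encode("ascii")
    # compare_digest runs in constant time, so the comparison leaks no
    # information about how many leading characters matched.
    if not hmac.compare_digest(expected, header_hmac.encode("utf-8")):
        return 401  # rejected before any audit row exists
    audit_log.append({
        "topic": topic,
        "body_sha256": hashlib.sha256(raw_body).hexdigest(),
    })
    return 200


if __name__ == "__main__":
    secret = "constructed-client-secret"          # constructed sample value
    body = b'{"shop_id": 1, "shop_domain": "example.myshopify.com"}'  # constructed
    log = []
    good = sign(body, secret)
    print(handle_webhook("shop/redact", body, good, secret, log))         # valid
    print(handle_webhook("shop/redact", body + b" ", good, secret, log))  # altered body
    print(len(log), "audit row(s) written")
```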
In the unlikely event that any Shopify merchant data accessed via the API is compromised or suspected to be compromised, we will promptly notify the affected merchant within 24 hours of discovery via the contact email associated with their MockupFlowAI account, and notify Shopify Partner Support within 72 hours per Shopify Partner Program Agreement requirements.
The same on-device safety checks documented for Etsy in §8.6 (trademark screening, design quality gate, draft-first publishing) apply equally to Shopify publishing flows. All new Shopify products are created as drafts — nothing goes live in your store until you explicitly publish from the Shopify admin.
Our website (mockupflow.ai) may use basic analytics cookies to understand traffic patterns. The desktop application does not use cookies, tracking pixels, or any form of telemetry.
The Software includes an optional telemetry module (disabled by default) that, when explicitly enabled by you, sends anonymized usage statistics to help us improve the product. No personal data, designs, or business information is included in telemetry data. You can enable or disable this at any time from the Settings panel.
As a company based in the European Union (Croatia), we comply with the General Data Protection Regulation (GDPR).
Under GDPR, you have the right to:
To exercise any of these rights, contact us at info@mockupflow.ai. We will respond within 30 days as required by GDPR.
License validation data is stored on Supabase servers. When you use third-party APIs, data flows directly from your machine to those providers. We do not control or process this data. Refer to each provider's privacy policy for their data transfer practices.
MockupFlowAI is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us to have it deleted.
MockupFlowAI uses open-source libraries under permissive licenses (MIT, BSD, Apache 2.0). These libraries do not collect personal data independently. All open-source components used in this Software are commercially licensed and permit redistribution. A full list of third-party components is available in the Software's documentation.
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For significant changes that affect your data rights, we will provide notice via email (if you are a registered user) or via a notification in the Software. Continued use of the Software after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy, want to exercise your data rights, or wish to file a complaint, contact us at:
Email: info@mockupflow.ai
Location: Croatia, European Union
If you are unsatisfied with our response, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) or your local EU supervisory authority.
Last updated: April 22, 2026