Privacy Policy
Last updated: May 2026 · Flex Embedded, Inc. d/b/a FlexProtect
1. Who We Are
FlexProtect is operated by Flex Embedded, Inc. ("FlexProtect", "we", "us", or "our"), a company that provides embedded warranty insurance products underwritten by AIG. Our services are available through our Shopify application and the website at flexprotect.ai.
For questions about this policy, contact us at:
2. Information We Collect
From Customers (warranty purchasers)
- Name, email address, and shipping address — provided at checkout via the merchant's Shopify store
- Order details, including the product purchased and its price
- Warranty contract details — policy number, coverage term, effective date
- Customer portal activity — policy lookups, cancellation requests
From Merchants (Shopify store owners)
- Shopify store URL, shop name, and contact email
- Product catalog data — titles, prices, categories (used to classify products for warranty eligibility)
- Order and fulfillment data — required to issue and track warranty contracts
- Bank account information — collected via Stripe/Plaid for ACH settlement of insurance premiums (not stored by FlexProtect directly)
Automatically collected
- Server logs including IP addresses, browser type, and pages visited on flexprotect.ai
- Shopify webhook events related to orders, refunds, and app lifecycle
3. How We Use Your Information
- Issuing warranty contracts — We share your name, email, product details, and purchase information with AIG to create and administer the insurance contract.
- Customer portal access — We use your email address to send magic-link login tokens so you can manage your policies at flexprotect.ai/portal.
- Merchant settlement — We use merchant bank account information, collected via Stripe, solely for ACH settlement of insurance premiums. We do not store full bank account details.
- Product classification — We analyze merchant product catalog data using automated classification to determine warranty eligibility and pricing. No product data is sold or shared with third parties.
- Compliance and legal obligations — We retain insurance records as required by applicable state insurance law and regulatory requirements.
- Service communications — We send transactional emails related to your warranty (confirmation, cancellation notices). We do not send marketing emails without your consent.
4. How We Share Your Information
We share personal information only as necessary to provide our services:
- AIG — As the warranty underwriter, AIG receives policyholder information (name, email, product, purchase details) necessary to issue and administer your contract.
- Stripe — Payment processing and ACH bank debit for merchant settlements. Stripe's privacy policy governs their use of data: stripe.com/privacy.
- Shopify — As a Shopify app, we operate within Shopify's platform and are subject to Shopify's API terms. Shopify's privacy policy: shopify.com/legal/privacy.
- Resend — Transactional email delivery. Only your email address and the content of transactional messages are shared.
We do not sell personal information. We do not share personal information with third parties for advertising purposes.
5. Data Retention
FlexProtect issues insurance contracts regulated under state insurance law. Warranty and insurance records must be retained for regulatory, legal, and contractual compliance — typically 5–7 years depending on jurisdiction. We are required by law to retain this data even if you request deletion.
Non-insurance personal data (such as portal session tokens and server logs) is retained for a shorter period consistent with operational needs, typically 90 days.
6. Your Privacy Rights
Customers (warranty purchasers)
Depending on where you live, you may have rights under applicable privacy law (including GDPR, CCPA/CPRA, and similar state laws) to access, correct, or request deletion of your personal data. To exercise these rights, contact us at .
Important limitation: The right to erasure does not apply where retention is required by law. Because warranty contracts are regulated insurance records, we are obligated to retain contract data for the period required by applicable insurance regulations, even upon a deletion request (GDPR Art. 17(3)(b)/(e); CPRA §1798.105(d)). We will acknowledge your request and flag your record accordingly.
Merchants (Shopify store owners)
Shopify provides mandatory data request and deletion webhooks. When FlexProtect receives a data request from Shopify on your behalf, we log and acknowledge it. Insurance contract records are retained as described above. Non-contract merchant data can be addressed by contacting us directly.
7. Data Security
We use industry-standard security practices including TLS encryption for all data in transit, encrypted secrets management via fly.io, and no storage of full payment credentials. Bank account information is handled exclusively by Stripe and Plaid, who are PCI-compliant.
Despite these measures, no system is completely secure. If you believe your information has been compromised, contact us immediately at .
8. Cookies and Tracking
The FlexProtect customer portal uses a session cookie solely to maintain your authenticated session. We do not use tracking cookies, advertising pixels, or third-party analytics on our portal. The main marketing website (flexprotect.ai) does not set any tracking cookies.
9. Children's Privacy
Our services are not directed to children under 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, contact us at and we will delete it promptly.
10. Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Material changes will be communicated via email to active merchants.
11. Contact Us
For any privacy-related questions, requests, or concerns:
Flex Embedded, Inc. d/b/a FlexProtect